Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Wondershare NIGHTmare

Re: Wondershare NIGHTmare

by tincat » September 1st, 2017, 3:19 am

Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by jenni (01-09-2017 17:11:08)
Running from C:\Users\jenni\Desktop
Boot Mode: Normal

================== Search Registry: "Tweaking.com;Tweaking;Wondershare" ===========


===================== Search result for "Tweaking.com" ==========

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"SIGN.IE=057FC00 tweaking.com_registry_backup_setup.exe"="0x534143500100000000000000070000002800000000FC57004BD8580001000000000000000000000A00210000E63F486B2AA0D20100000000000000000500000010000000000000000000000000000000000000000200000028000000000000000000004000000000000000000000000000000000DC460000000000000100000001000000"


===================== Search result for "Tweaking" ==========

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"SIGN.IE=057FC00 tweaking.com_registry_backup_setup.exe"="0x534143500100000000000000070000002800000000FC57004BD8580001000000000000000000000A00210000E63F486B2AA0D20100000000000000000500000010000000000000000000000000000000000000000200000028000000000000000000004000000000000000000000000000000000DC460000000000000100000001000000"


===================== Search result for "Wondershare" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83045d03-658e-471c-ac48-edf4cb87f1a7}]
""="Wondershare.AppFrame.Client"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{004E4AAD-D59F-361E-AA3B-FAC643D99736}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A90A8DA-5816-3B3B-A5C2-E0148B7B1638}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.AdvertisingLocation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A90A8DA-5816-3B3B-A5C2-E0148B7B1638}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{163BDFFC-F4D7-3B75-99C7-0647C1990F8A}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1A2BB261-997B-3CF9-B354-2930352742C5}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1F91FA23-E954-32D1-B843-8A49F008CFCA}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.DownloadTaskType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1F91FA23-E954-32D1-B843-8A49F008CFCA}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{263132E7-ED6F-347F-8810-B0DB87B47757}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppCommon.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{29EAD855-485A-3EA1-A30A-E77723B43C08}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2FD94621-EDE2-3DBC-9A11-334430C9513A}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{31F3164F-710F-3E90-A4B3-4D93F6A858A1}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{380C1AA3-0B22-37F4-AFA1-8656380A1FD8}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4221A4B5-7008-3447-BA02-AAD6A1499DBA}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{479ADDA6-4547-3151-9952-56625163375B}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{546CC7C5-C808-330F-AF43-B0FF84F504A5}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5EE50D16-F01C-3E6A-BF29-9E5D7119A743}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6A22565E-37FB-3168-A1C5-726ADEA7B095}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.ThirdPartyLoginType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6A22565E-37FB-3168-A1C5-726ADEA7B095}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{766BD970-2E67-31FB-AC1C-17AD68FB59BA}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{7E8DA4C2-42CA-3924-9437-299FF00BCBB7}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9E9FC399-958F-395C-A658-44FF40FF82C9}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.UpdatePackageType"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9E9FC399-958F-395C-A658-44FF40FF82C9}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BD193C18-3628-382A-B7CA-7B50E8E0621A}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.DownloadErrorReason"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BD193C18-3628-382A-B7CA-7B50E8E0621A}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BDF7C4D0-65FF-394C-9067-A51719AC2AB5}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C04B5EE4-81E5-39E7-A637-09A0570AF1B0}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.DownloadTaskStep"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C04B5EE4-81E5-39E7-A637-09A0570AF1B0}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9B789BF-6743-349D-A4A2-F097DC76A2D2}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{CB3BBA96-8C21-32E9-987A-55421A62135F}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppCommon.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{D09426AE-094F-3A6F-BC9C-0A89FCCFA52A}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppCommon.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF586E3F-AA4A-37BC-A7B5-829D790E170C}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF5D4A8C-B4BD-398A-A39C-211B13ACE275}\2.3.2.221]
"Class"="Wondershare.AppFramework.Services.AuthorizationStatus"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF5D4A8C-B4BD-398A-A39C-211B13ACE275}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EA84A17B-8688-3001-AF12-BFA709140C53}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppCommon.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEA3E5B8-0848-3EE4-94D4-45A78B2AB116}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}\3.0\0\win32]
""="C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller\DriverInstall.tlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}\3.0\0\win64]
""="C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller\DriverInstall.tlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}\3.0\HELPDIR]
""="C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC}\2.3\0\win32]
""="C:\Program Files (x86)\Wondershare\WAF\WsAppCommon.tlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC}\2.3\HELPDIR]
""="C:\Program Files (x86)\Wondershare\WAF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799}\2.3\0\win32]
""="C:\Program Files (x86)\Wondershare\WAF\WsAppService.tlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799}\2.3\HELPDIR]
""="C:\Program Files (x86)\Wondershare\WAF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}\2.3]
""="Wondershare Passport"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}\2.3\0\win32]
""="C:\Program Files (x86)\Wondershare\WAF\WsAppClient.tlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}\2.3\HELPDIR]
""="C:\Program Files (x86)\Wondershare\WAF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
""="Wondershare Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
"URL Protocol"="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare\DefaultIcon]
""="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare\shell\open\command]
""="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare.AppFrame.Services.ProductionManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare.AppFramework.Services.DownloadServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare.AppFramework.Services.DownloadServices]
""="Wondershare.AppFramework.Services.DownloadServices"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5}]
""="Wondershare.AppFramework.Services.DownloadServices"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5}\ProgId]
""="Wondershare.AppFramework.Services.DownloadServices"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF891359-5822-466D-999F-A7D7F5F92340}\ProgId]
""="Wondershare.AppFrame.Services.ProductionManager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F87E8A21-E0C6-4094-A85D-E10524011B29}\LocalServer32]
""="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
"LocalizedString"="@C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}\InprocServer32]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}\InprocServer32\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\dr.fone toolkit for iOS]
"Id"="com.wondershare.drfoneios"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF]
"Id"="com.wondershare.waf"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF]
"InstallPath"="C:\Program Files (x86)\Wondershare\WAF"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF]
"InstallName"="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF]
"Uninstallexe"="C:\Program Files (x86)\Wondershare\WAF\unins000.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF\Packages\com.wondershare.waf.updater]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF\Packages\com.wondershare.waf.updater]
"Id"="com.wondershare.waf.updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF\Packages\com.wondershare.waf.updater]
"InstallPath"="C:\ProgramData\Wondershare\WAF\Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF\Packages\com.wondershare.waf.updater]
"InstallName"="C:\ProgramData\Wondershare\WAF\Update\WsUpdateInstaller.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\Wondershare Helper Compact]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
"ImagePath"="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
"DisplayName"="Wondershare Application Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
"Description"="Wondershare Application Framework Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
"ImagePath"="C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller\DriverInstall.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
"DisplayName"="Wondershare Driver Install Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
"Description"="Wondershare Driver Install Service"

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"7"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare\dr.fone toolkit for iOS\dr.fone toolkit for iOS.lnk
C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe
"

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Users\jenni\Downloads\wondershare-drfone-for-ios-win.exe"="0x5341435001000000000000000700000028000000E0D14802DD19490201000000000000000000000A00210000E63F486B2AA0D201000000000000000002000000280000000000000000000000000000000000000000000000000000001C0F0800000000000100000001000000"

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe"="0x5341435001000000000000000700000028000000906E00004AB0000001000000000000000000000AF5220000E78E163C2AA0D20100000000000000000200000028000000000000000000000000000000000000000000000000000000F2330300000000000200000002000000"

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\unins000.exe"="0x5341435001000000000000000700000028000000183F120084A5120003000000000000000000000A00210000E63F486B2AA0D20100000000000000000200000028000000000000000000000000000000000000000000000000000000D2260000000000000100000001000000"

[HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Wow6432Node\Wondershare]

====== End of Search ======
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

by tincat » September 1st, 2017, 3:23 am

Hi Gary,
WELL! :> THAT all appeared to go without a hitch, and in minutes as opposed to days ... I am VERY cautiously Elated :> Jenni
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

by Gary R » September 1st, 2017, 5:09 am

OK, let's see if we can get rid of your incomplete Tweaking.com install, and your Wondershare now. There's quite a bit to remove, so I'm probably going to need you to run some scans for me afterwards, to make sure we got everything, but we'll deal with that once I get the results back from you for this "fix".

So ......

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank notepad file named fixlist.txt will open.
  • Copy and paste the following into it (don't include Code: Select all)....
Code: Select all
CreateRestorePoint:
(Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe
C:\Program Files (x86)\Wondershare
HKU\S-1-5-21-2282976789-625184829-3266694354-1001\...\MountPoints2: {1746fe97-6bf2-11e7-9b05-364b50b7ef2d} - "F:\AutoRun.exe"
R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe [459408 2017-02-10] (Wondershare)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
C:\Windows\System32\ibtsiva
S2 WsDrvInst; C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller\DriverInstall.exe [X]
2017-08-31 07:48 - 2017-08-31 07:51 - 000003306 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
2017-08-28 15:18 - 2017-08-28 15:21 - 000000000 ____D C:\Users\jenni\AppData\Roaming\Wondershare
2017-08-28 15:18 - 2017-01-12 11:45 - 000076384 _____ (hxxp://libusb-win32.sourceforge.net) C:\WINDOWS\SysWOW64\libusb0.dll
2017-08-28 15:18 - 2017-01-12 11:45 - 000052832 _____ (hxxp://libusb-win32.sourceforge.net) C:\WINDOWS\SysWOW64\Drivers\libusb0.sys
2017-08-28 15:17 - 2017-08-29 11:27 - 000000000 ____D C:\ProgramData\Wondershare
2017-08-28 15:17 - 2017-08-29 11:27 - 000000000 ____D C:\Program Files (x86)\Wondershare
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
C:\Users\jenni\Desktop\Tweaking_Tabsv2.ocx
C:\Users\jenni\Desktop\TweakingImgCtl.ocx
C:\Users\jenni\Desktop\TweakingRegistryBackup.exe
C:\Users\jenni\Desktop\files\Backup_Failed_Message.exe
C:\Users\jenni\Desktop\files\ManageACL_32.exe
C:\Users\jenni\Desktop\files\vss_pause.exe
C:\Users\jenni\Desktop\files\vss_start.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | SIGN.IE=057FC00 tweaking.com_registry_backup_setup.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC | 7
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Users\jenni\Downloads\wondershare-drfone-for-ios-win.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\unins000.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83045d03-658e-471c-ac48-edf4cb87f1a7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{004E4AAD-D59F-361E-AA3B-FAC643D99736}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A90A8DA-5816-3B3B-A5C2-E0148B7B1638}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{163BDFFC-F4D7-3B75-99C7-0647C1990F8A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1A2BB261-997B-3CF9-B354-2930352742C5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1F91FA23-E954-32D1-B843-8A49F008CFCA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{263132E7-ED6F-347F-8810-B0DB87B47757}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{29EAD855-485A-3EA1-A30A-E77723B43C08}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2FD94621-EDE2-3DBC-9A11-334430C9513A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{31F3164F-710F-3E90-A4B3-4D93F6A858A1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{380C1AA3-0B22-37F4-AFA1-8656380A1FD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4221A4B5-7008-3447-BA02-AAD6A1499DBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{479ADDA6-4547-3151-9952-56625163375B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{546CC7C5-C808-330F-AF43-B0FF84F504A5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5EE50D16-F01C-3E6A-BF29-9E5D7119A743}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6A22565E-37FB-3168-A1C5-726ADEA7B095}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{766BD970-2E67-31FB-AC1C-17AD68FB59BA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{7E8DA4C2-42CA-3924-9437-299FF00BCBB7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9E9FC399-958F-395C-A658-44FF40FF82C9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BD193C18-3628-382A-B7CA-7B50E8E0621A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BDF7C4D0-65FF-394C-9067-A51719AC2AB5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C04B5EE4-81E5-39E7-A637-09A0570AF1B0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9B789BF-6743-349D-A4A2-F097DC76A2D2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{CB3BBA96-8C21-32E9-987A-55421A62135F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{D09426AE-094F-3A6F-BC9C-0A89FCCFA52A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF586E3F-AA4A-37BC-A7B5-829D790E170C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF5D4A8C-B4BD-398A-A39C-211B13ACE275}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EA84A17B-8688-3001-AF12-BFA709140C53}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEA3E5B8-0848-3EE4-94D4-45A78B2AB116}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF891359-5822-466D-999F-A7D7F5F92340}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F87E8A21-E0C6-4094-A85D-E10524011B29}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
[-HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Wow6432Node\Wondershare]
EmptyTemp:
cmd: ipconfig/flushdns

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
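
A pre-flight check for a fix script like the one in this post, as an added example that is not part of the original post and not FRST's own code: it reads a registry search log and a fixlist in the formats shown in this thread, flags malformed or duplicated delete lines, and lists search hits that no delete line reaches. The sample log and fixlist, their GUIDs and SID are constructed, and treating a `[-KEY]` line as covering every subkey is an assumption borrowed from .reg file syntax.

```python
import re

KEY_LINE = re.compile(r'^\[(HKEY_[^\]]+)\]$')       # [HKEY_...\Key] in the search log
VALUE_LINE = re.compile(r'^"([^"]*)"=')              # "Name"=...  ("" is the default value)
DELETE_KEY = re.compile(r'^\[-(HKEY_[^\]]+)\]$')     # [-HKEY_...\Key] in the fixlist
DELETE_VALUE = re.compile(r'^DeleteValue:\s*(HKEY_.+?)\s*\|\s*(.*)$')

# Constructed sample in the layout of the registry search log in this thread.
SEARCH_LOG = r'''
===================== Search result for "Wondershare" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{00000000-0000-0000-0000-000000000001}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppService.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{00000000-0000-0000-0000-000000000002}\2.3.2.221]
"CodeBase"="file:///C:/Program Files (x86)/Wondershare/WAF/2.3.2.221/WsAppClient.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare\shell\open\command]
""="C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppClient.exe "%1""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
"DisplayName"="Wondershare Application Framework Service"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"7"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare\dr.fone toolkit for iOS.lnk
C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe
"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare\WAF]
"InstallPath"="C:\Program Files (x86)\Wondershare\WAF"

====== End of Search ======
'''.strip()

# Constructed fixlist: line 3 lacks its closing bracket, line 5 repeats line 4.
FIXLIST = r'''
CreateRestorePoint:
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{00000000-0000-0000-0000-000000000001}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{00000000-0000-0000-0000-000000000002}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
DeleteValue: HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC | 7
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
EmptyTemp:
'''.strip()


def parse_search_hits(log):
    """Return (key, value_name) pairs; value_name is None for a bare key hit."""
    hits, lines = [], log.splitlines()
    for i, line in enumerate(lines):
        key = KEY_LINE.match(line.strip())
        if not key:
            continue  # headers, value lines and multi-line value continuations
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        value = VALUE_LINE.match(following)
        hits.append((key.group(1), value.group(1) if value else None))
    return hits


def parse_fixlist(text):
    """Collect registry delete lines; record malformed and duplicate ones by line number."""
    fix = {"keys": [], "values": [], "malformed": [], "duplicates": []}
    seen = set()
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[-"):
            m = DELETE_KEY.match(line)
            entry = ("keys", m.group(1).lower()) if m else None
            if m and line.count("{") != line.count("}"):
                entry = None  # GUID brace left open or closed twice
        elif line.startswith("DeleteValue:"):
            m = DELETE_VALUE.match(line)
            entry = ("values", (m.group(1).lower(), m.group(2).lower())) if m else None
        else:
            continue  # file paths and other directives are out of scope here
        if entry is None:
            fix["malformed"].append((number, line))
        elif entry in seen:
            fix["duplicates"].append((number, line))
        else:
            seen.add(entry)
            fix[entry[0]].append(entry[1])
    return fix


def uncovered(hits, fix):
    """Search hits that no well-formed delete line removes."""
    missing = []
    for key, name in hits:
        k = key.lower()
        by_key = any(k == d or k.startswith(d + "\\") for d in fix["keys"])
        by_value = name is not None and (k, name.lower()) in fix["values"]
        if not (by_key or by_value):
            missing.append((key, name))
    return missing


if __name__ == "__main__":
    fix = parse_fixlist(FIXLIST)
    for label in ("malformed", "duplicates"):
        for number, line in fix[label]:
            print(f"{label} (fixlist line {number}): {line}")
    for key, name in uncovered(parse_search_hits(SEARCH_LOG), fix):
        print(f"not covered: {key} value={name!r}")
```

A hit left uncovered by a malformed line, as with the second GUID in the sample, is the kind of leftover a follow-up search would otherwise have to catch after the fix has run.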

Re: Wondershare NIGHTmare

by tincat » September 1st, 2017, 4:50 pm

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by jenni (02-09-2017 06:40:33) Run:4
Running from C:\Users\jenni\Desktop
Loaded Profiles: jenni (Available Profiles: jenni)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
(Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe
C:\Program Files (x86)\Wondershare
HKU\S-1-5-21-2282976789-625184829-3266694354-1001\...\MountPoints2: {1746fe97-6bf2-11e7-9b05-364b50b7ef2d} - "F:\AutoRun.exe"
R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe [459408 2017-02-10] (Wondershare)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
C:\Windows\System32\ibtsiva
S2 WsDrvInst; C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\Library\DriverInstaller\DriverInstall.exe [X]
2017-08-31 07:48 - 2017-08-31 07:51 - 000003306 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
2017-08-28 15:18 - 2017-08-28 15:21 - 000000000 ____D C:\Users\jenni\AppData\Roaming\Wondershare
2017-08-28 15:18 - 2017-01-12 11:45 - 000076384 _____ (hxxp://libusb-win32.sourceforge.net) C:\WINDOWS\SysWOW64\libusb0.dll
2017-08-28 15:18 - 2017-01-12 11:45 - 000052832 _____ (hxxp://libusb-win32.sourceforge.net) C:\WINDOWS\SysWOW64\Drivers\libusb0.sys
2017-08-28 15:17 - 2017-08-29 11:27 - 000000000 ____D C:\ProgramData\Wondershare
2017-08-28 15:17 - 2017-08-29 11:27 - 000000000 ____D C:\Program Files (x86)\Wondershare
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\jenni\AppData\Local\Microsoft\OneDrive\17.3.6917.0607\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
C:\Users\jenni\Desktop\Tweaking_Tabsv2.ocx
C:\Users\jenni\Desktop\TweakingImgCtl.ocx
C:\Users\jenni\Desktop\TweakingRegistryBackup.exe
C:\Users\jenni\Desktop\files\Backup_Failed_Message.exe
C:\Users\jenni\Desktop\files\ManageACL_32.exe
C:\Users\jenni\Desktop\files\vss_pause.exe
C:\Users\jenni\Desktop\files\vss_start.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | SIGN.IE=057FC00 tweaking.com_registry_backup_setup.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC | 7
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Users\jenni\Downloads\wondershare-drfone-for-ios-win.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe
DeleteValue: HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\unins000.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83045d03-658e-471c-ac48-edf4cb87f1a7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{004E4AAD-D59F-361E-AA3B-FAC643D99736}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A90A8DA-5816-3B3B-A5C2-E0148B7B1638}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{163BDFFC-F4D7-3B75-99C7-0647C1990F8A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1A2BB261-997B-3CF9-B354-2930352742C5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1F91FA23-E954-32D1-B843-8A49F008CFCA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{263132E7-ED6F-347F-8810-B0DB87B47757}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{29EAD855-485A-3EA1-A30A-E77723B43C08}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2FD94621-EDE2-3DBC-9A11-334430C9513A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{31F3164F-710F-3E90-A4B3-4D93F6A858A1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{380C1AA3-0B22-37F4-AFA1-8656380A1FD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4221A4B5-7008-3447-BA02-AAD6A1499DBA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{479ADDA6-4547-3151-9952-56625163375B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{546CC7C5-C808-330F-AF43-B0FF84F504A5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5EE50D16-F01C-3E6A-BF29-9E5D7119A743}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6A22565E-37FB-3168-A1C5-726ADEA7B095}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{766BD970-2E67-31FB-AC1C-17AD68FB59BA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{7E8DA4C2-42CA-3924-9437-299FF00BCBB7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9E9FC399-958F-395C-A658-44FF40FF82C9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BD193C18-3628-382A-B7CA-7B50E8E0621A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BDF7C4D0-65FF-394C-9067-A51719AC2AB5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C04B5EE4-81E5-39E7-A637-09A0570AF1B0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9B789BF-6743-349D-A4A2-F097DC76A2D2}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{CB3BBA96-8C21-32E9-987A-55421A62135F}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{D09426AE-094F-3A6F-BC9C-0A89FCCFA52A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF586E3F-AA4A-37BC-A7B5-829D790E170C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF5D4A8C-B4BD-398A-A39C-211B13ACE275}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EA84A17B-8688-3001-AF12-BFA709140C53}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEA3E5B8-0848-3EE4-94D4-45A78B2AB116}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF891359-5822-466D-999F-A7D7F5F92340}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F87E8A21-E0C6-4094-A85D-E10524011B29}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst]
[-HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Wow6432Node\Wondershare]
EmptyTemp:
cmd: ipconfig/flushdns
*****************

Restore point was successfully created.
[3300] C:\Program Files (x86)\Wondershare\WAF\2.3.2.221\WsAppService.exe => process closed successfully.
C:\Program Files (x86)\Wondershare => moved successfully
HKU\S-1-5-21-2282976789-625184829-3266694354-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1746fe97-6bf2-11e7-9b05-364b50b7ef2d} => key removed successfully
HKLM\Software\Classes\CLSID\{1746fe97-6bf2-11e7-9b05-364b50b7ef2d} => key not found.
HKLM\System\CurrentControlSet\Services\WsAppService => key removed successfully
WsAppService => service removed successfully
ibtsiva => Unable to stop service.
HKLM\System\CurrentControlSet\Services\ibtsiva => key removed successfully
ibtsiva => service removed successfully
"C:\Windows\System32\ibtsiva" => not found.
HKLM\System\CurrentControlSet\Services\WsDrvInst => key removed successfully
WsDrvInst => service removed successfully
C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt => moved successfully
C:\Users\jenni\AppData\Roaming\Wondershare => moved successfully
C:\WINDOWS\SysWOW64\libusb0.dll => moved successfully
C:\WINDOWS\SysWOW64\Drivers\libusb0.sys => moved successfully
C:\ProgramData\Wondershare => moved successfully
"C:\Program Files (x86)\Wondershare" => not found.
HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => key removed successfully
HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} => key removed successfully
HKU\S-1-5-21-2282976789-625184829-3266694354-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => key removed successfully
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key removed successfully
HKLM\Software\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key removed successfully
HKLM\Software\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => key removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => key removed successfully
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => key removed successfully
HKLM\Software\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => key not found.
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => key removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found.
C:\Users\jenni\Desktop\Tweaking_Tabsv2.ocx => moved successfully
C:\Users\jenni\Desktop\TweakingImgCtl.ocx => moved successfully
C:\Users\jenni\Desktop\TweakingRegistryBackup.exe => moved successfully
C:\Users\jenni\Desktop\files\Backup_Failed_Message.exe => moved successfully
C:\Users\jenni\Desktop\files\ManageACL_32.exe => moved successfully
C:\Users\jenni\Desktop\files\vss_pause.exe => moved successfully
C:\Users\jenni\Desktop\files\vss_start.exe => moved successfully
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store \\ SIGN.IE=057FC00 tweaking.com_registry_backup_setup.exe => value not found.
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC \\ 7 => value not found.
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store \\ C:\Users\jenni\Downloads\wondershare-drfone-for-ios-win.exe => value not found.
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store \\ C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\DrFoneLoader.exe => value not found.
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store \\ C:\Program Files (x86)\Wondershare\dr.fone toolkit for iOS\unins000.exe => value not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{83045d03-658e-471c-ac48-edf4cb87f1a7} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{004E4AAD-D59F-361E-AA3B-FAC643D99736} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{0A90A8DA-5816-3B3B-A5C2-E0148B7B1638} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{163BDFFC-F4D7-3B75-99C7-0647C1990F8A} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1A2BB261-997B-3CF9-B354-2930352742C5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{1F91FA23-E954-32D1-B843-8A49F008CFCA} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{263132E7-ED6F-347F-8810-B0DB87B47757} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{29EAD855-485A-3EA1-A30A-E77723B43C08} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2FD94621-EDE2-3DBC-9A11-334430C9513A} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{31F3164F-710F-3E90-A4B3-4D93F6A858A1} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{380C1AA3-0B22-37F4-AFA1-8656380A1FD8} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4221A4B5-7008-3447-BA02-AAD6A1499DBA} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{479ADDA6-4547-3151-9952-56625163375B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{546CC7C5-C808-330F-AF43-B0FF84F504A5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5EE50D16-F01C-3E6A-BF29-9E5D7119A743} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{6A22565E-37FB-3168-A1C5-726ADEA7B095} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{766BD970-2E67-31FB-AC1C-17AD68FB59BA} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{7E8DA4C2-42CA-3924-9437-299FF00BCBB7} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9E9FC399-958F-395C-A658-44FF40FF82C9} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BD193C18-3628-382A-B7CA-7B50E8E0621A} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{BDF7C4D0-65FF-394C-9067-A51719AC2AB5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C04B5EE4-81E5-39E7-A637-09A0570AF1B0} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9B789BF-6743-349D-A4A2-F097DC76A2D2} => key removed successfully
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{CB3BBA96-8C21-32E9-987A-55421A62135F} => could not remove key. ErrorCode1: 0xC000003A
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{D09426AE-094F-3A6F-BC9C-0A89FCCFA52A} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF586E3F-AA4A-37BC-A7B5-829D790E170C} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DF5D4A8C-B4BD-398A-A39C-211B13ACE275} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{EA84A17B-8688-3001-AF12-BFA709140C53} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEA3E5B8-0848-3EE4-94D4-45A78B2AB116} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB} => key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A4EAA72-4F9A-45D2-B403-4DFED157E2EB} => key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{70347FA4-20ED-47F9-AEB8-FD01752EF3BC} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{899AB13F-F8E7-4A4E-9F04-C9802BC4E799} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{91238E18-C8DD-4450-9B44-C9E7002AE3B6} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wondershare => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F804108-9A89-41E7-8A02-60A274FD707C} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69FCCA4B-E071-4FBB-A74D-9A19560E8BD5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E1D781-F055-4BD3-B58B-BF3ED285C4D3} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7704BEFF-B10C-4376-9A56-07FFDE318F7C} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96C61A75-C01A-4BCA-B71F-536F5AFE9B91} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A83044C7-F70B-4202-9D24-6D5A737B3BA1} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2910E1C-0E52-48E4-81A2-016D596C869F} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5B5F703-4465-40FF-A09A-42D11AA29DA5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF891359-5822-466D-999F-A7D7F5F92340} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F2462912-993D-4E9A-8E6D-AB3B73CD2962} => key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F87E8A21-E0C6-4094-A85D-E10524011B29} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F944179B-0EC4-400B-9B7E-1B15053A4A21} => key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Wondershare => key removed successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsAppService => key not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WsDrvInst => key not found.
HKEY_USERS\S-1-5-21-2282976789-625184829-3266694354-1001\Software\Wow6432Node\Wondershare => key removed successfully

========= ipconfig/flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 183039738 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 461814 B
Edge => 4945497 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 458222 B
jenni => 388128318 B


RecycleBin => 35131710 B
EmptyTemp: => 589.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 06:43:01 ====
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by Gary R » September 2nd, 2017, 12:37 am

Looks like everything was successfully removed.

Please reboot your computer, then let me know how it is behaving now.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Wondershare NIGHTmare

Post by tincat » September 2nd, 2017, 2:19 am

I restarted it after I posted you the Fixlog, *coz it said to. It is running FINE, I just have all the cogs and things all over my desktop from the other thing I botched up....the Uninstall program.
I have also ended up with two lots of FRST64, one on the desktop and the other I know not where. When I used it it generated two lots of everything.
Once again, thanks Gary for your help and patience.
p.s. I notice you are in Yorkshire, I had assumed America ... is that Yorkshire in England ?? ... surely Yes, America doesn*t have *Gary*s* does it???
<no apostrophes, or brackets :/ >
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by Gary R » September 2nd, 2017, 12:41 pm

I suspect the "cogs and things" are hidden and system files, which are not normally shown.

To set your settings back to normal, so that you don't see them, and to remove FRST and its associated files and folders, please do the following ....

  • Please download delfix and save it to your desktop.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Check (tick) the following boxes only ...
    • Remove disinfection tools
    • Reset system settings

    ... then click on Run.
  • Once it has finished, a notepad file named DelFix.txt will open. Post the contents of this notepad in your next reply.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.


Please let me know if that fixes things.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Wondershare NIGHTmare

Post by tincat » September 2nd, 2017, 4:55 pm

Hi Gary, The cogs etc are from the below failed registry backup I tried to do at the beginning. I never end up doing it because of this.
I will go ahead and do the delfix thing now.

Re: Wondershare NIGHTmare

Post by tincat » Thu 31 Aug, 2017 8:40 am

Hi Gary,
Well despite saying I would follow your instructions, I have already stuffed this all up - sorry!
I first clicked on the backup registry download, which took me to bleeping computer - there were two buttons, one said download now bleeping computer, the other said download now portable version, and I clicked on the FORMER. It asked if I wanted to run or save ... ?? .. so I clicked Run, then asked if I wanted to allow it to make changes to my computer and I clicked YES. THEN it said where did I want it save...I clicked on DESKTOP, and then it said where did I want the SHORTCUT, but there WAS NO desktop amongst the options, so I saw the Pictures folder and I thought I could find it okay in there, and selected that. It did it*s thing and then a sign popped up to say there was .. I can*t quite remember, but something like *a CONFLICT* on desktop... not quite accurate, .. anyhow it stopped there. I cannot find the QUICKSTART or whatever the Launch icon thing is called <that I thought was going into Pictures> - I panicked and thought I might be able to start again, so I tried to click on the UNINSTALL pic on my desktop, and that pops up a little box that says *Invalid start mode: archive filename*. There are folders and bits of *paper* with pics of COGS on the desktop. SORRY, what should I do now? Thanks again for your help and patience, Jenni
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by tincat » September 2nd, 2017, 6:46 pm

# DelFix v1.010 - Logfile created 03/09/2017 at 08:40:52
# Updated 26/04/2015 by Xplode
# Username : jenni - LAPTOP
# Operating System : Windows 10 Home (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\Users\jenni\Desktop\Addition.txt
Deleted : C:\Users\jenni\Desktop\Fixlog.txt
Deleted : C:\Users\jenni\Desktop\FRST.txt
Deleted : C:\Users\jenni\Desktop\FRST64.exe
Deleted : C:\Users\jenni\Downloads\FRST64.exe

~ Resetting system settings ... OK

########## - EOF - ##########

Hi Gary, here *tis --- FRST 64 plus this Delfix etc all GONE, but the cogs etc still there. thx again, Jenni
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by Gary R » September 3rd, 2017, 12:20 am

OK, the only files and folders that FRST shows being installed on your computer at that time (31st August) were these .....

C:\Users\jenni\Desktop\uninstall.exe
C:\Users\jenni\Desktop\lua5.1.dll
C:\Users\jenni\Desktop\Uninstall
C:\Users\jenni\Desktop\files
C:\Users\jenni\Desktop\color_presets
C:\Users\jenni\Desktop\JESSICA31August.rtf

..... are these the files/folders on your Desktop that you wish to get rid of ???? If any of them are not, please let me know.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Wondershare NIGHTmare

Post by tincat » September 3rd, 2017, 3:35 am

Yes Gary, that is them, but there are a few more that appeared at that time that I have never seen before.
This is a list of all of them, including the ones you have above:

My descriptions are just of the little pics that are sitting on the desktop, not of what is inside them:

Settings.ini < a piece of paper with a cog
keywords.txt <paper with lines
SsubTmr6.dll < paper with 2 cogs
Uninstall <A Folder
uninstall.exe < A picture of a screen, with a blue and yellow shield on it
pcwintech_tasksch.dll < paper w. 2 cogs
color_presets < folder
data.dat < blank paper
lua5.1.dll <paper 2 cogs
files < a folder
MSINET.Ocx < paper 2 cogs
SearchReg.txt <paper with lines

The only ones I attempted to click on were the uninstall pic with shield on the day I attempted to install it <as per story above 31 August>,
and the keywords.txt just now.
I see where you said only some were created on 31 Aug, but they did all appear at once, .... does that mean I have done BAD things to the Registry by botching the install of the Registry Backup?
I have NO IDEA how serious it could be, but I gather that Registry stuff is a big deal :(
Once again Thanks for your help, and Sorry for my ineptitude, Jenni.
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by Gary R » September 3rd, 2017, 4:02 am

OK, no worries, what we'll do now, is download a new copy of FRST, and use that to remove those files and folders, and see how that affects your computer.

The advantage of using FRST is that it quarantines the files and folders, so if there's any problems, we can restore them if necessary. Once we've determined that removing them has not affected anything, then we can remove FRST and those files and folders will go with it.

So .....

  • Download FRST64 to your Desktop.

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank notepad file named fixlist.txt will open.
  • Copy and paste the following into it (don't include Code: Select all) ....
Code: Select all
C:\Users\jenni\Desktop\uninstall.exe
C:\Users\jenni\Desktop\lua5.1.dll
C:\Users\jenni\Desktop\Uninstall
C:\Users\jenni\Desktop\files
C:\Users\jenni\Desktop\color_presets
C:\Users\jenni\Desktop\keywords.txt
C:\Users\jenni\Desktop\SsubTmr6.dll
C:\Users\jenni\Desktop\pcwintech_tasksch.dll
C:\Users\jenni\Desktop\data.dat
C:\Users\jenni\Desktop\MSINET.Ocx 
C:\Users\jenni\Desktop\SearchReg.txt
C:\Users\jenni\Desktop\Settings.ini

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log


Please let me know if all the "unknown" items are now removed from your Desktop. Also play around with your machine, and let me know if everything appears to be working the way you expect it to or not.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Wondershare NIGHTmare

Post by tincat » September 3rd, 2017, 4:41 am

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by jenni (03-09-2017 18:27:00) Run:1
Running from C:\Users\jenni\Desktop
Loaded Profiles: jenni (Available Profiles: jenni)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\Users\jenni\Desktop\uninstall.exe
C:\Users\jenni\Desktop\lua5.1.dll
C:\Users\jenni\Desktop\Uninstall
C:\Users\jenni\Desktop\files
C:\Users\jenni\Desktop\color_presets
C:\Users\jenni\Desktop\keywords.txt
C:\Users\jenni\Desktop\SsubTmr6.dll
C:\Users\jenni\Desktop\pcwintech_tasksch.dll
C:\Users\jenni\Desktop\data.dat
C:\Users\jenni\Desktop\MSINET.Ocx
C:\Users\jenni\Desktop\SearchReg.txt
C:\Users\jenni\Desktop\Settings.ini
*****************

C:\Users\jenni\Desktop\uninstall.exe => moved successfully
C:\Users\jenni\Desktop\lua5.1.dll => moved successfully
C:\Users\jenni\Desktop\Uninstall => moved successfully
C:\Users\jenni\Desktop\files => moved successfully
C:\Users\jenni\Desktop\color_presets => moved successfully
C:\Users\jenni\Desktop\keywords.txt => moved successfully
C:\Users\jenni\Desktop\SsubTmr6.dll => moved successfully
C:\Users\jenni\Desktop\pcwintech_tasksch.dll => moved successfully
C:\Users\jenni\Desktop\data.dat => moved successfully
C:\Users\jenni\Desktop\MSINET.Ocx => moved successfully
C:\Users\jenni\Desktop\SearchReg.txt => moved successfully
C:\Users\jenni\Desktop\Settings.ini => moved successfully

==== End of Fixlog 18:27:01 ====


NO :shock: it has only removed 3 of them.

I deleted the JESSICA one on your list, <only me looking at my silly stars which I don*t even believe in anyway>;
AND I notice that you HAD NOT included one of them in your list - Settings.ini - the first one on MY list below,

apart from that, the three FOLDERS are gone, all the others are still sitting there. <Plus now the FRST icon?, and it*s log >

Thanks Gary, Jenni
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by tincat » September 3rd, 2017, 5:03 am

okay, I see that settings.ini IS on your list - embarrassed, not sure what I was looking at there ?? - um, but the rest is correct, just the 3 folders are gone.
The computer appears to be acting normally.
thx again
tincat
Regular Member
 
Posts: 38
Joined: November 17th, 2009, 4:38 pm

Re: Wondershare NIGHTmare

Post by Gary R » September 3rd, 2017, 9:01 am

If you haven't already done so, please reboot your computer and let me know if the files are still there.

If they are, please do the following for me ...

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank notepad file named fixlist.txt will open.
  • Copy and paste the following into it (don't include Code: Select all) ....
Code: Select all
File: C:\Users\jenni\Desktop\uninstall.exe
File: C:\Users\jenni\Desktop\lua5.1.dll
File: C:\Users\jenni\Desktop\keywords.txt
File: C:\Users\jenni\Desktop\SsubTmr6.dll
File: C:\Users\jenni\Desktop\pcwintech_tasksch.dll 
File: C:\Users\jenni\Desktop\data.dat
File: C:\Users\jenni\Desktop\MSINET.Ocx
File: C:\Users\jenni\Desktop\SearchReg.txt
File: C:\Users\jenni\Desktop\Settings.ini

  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

This will not remove those files, but it will give me details for them, including their permissions, so I can see why they were not removed when your fixlog says they were.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
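A way to cross-check a Fixlog against the disk, which is the mismatch this thread runs into (an added example, not from the posts above and not part of FRST): it reads the "<path> => <status>" result lines and lists every path reported as moved that still exists. The function names and the scratch-directory demo are assumptions made for the illustration.

```python
import os
import re
import tempfile

# One result line of a Fixlog: "<path> => <status>"
RESULT_RE = re.compile(r"^(?P<path>.+?)\s+=>\s+(?P<status>.+?)\s*$")


def parse_fixlog(text):
    """Map each path in the log's result lines to its reported status."""
    results = {}
    for line in text.splitlines():
        match = RESULT_RE.match(line)
        if match:
            results[match.group("path")] = match.group("status")
    return results


def reported_moved_but_present(results, exists=os.path.exists):
    """Paths the log says were moved that still exist on disk."""
    return sorted(
        path for path, status in results.items()
        if status.lower().startswith("moved successfully") and exists(path)
    )


def demo():
    """Constructed case: the log claims three moves, one file is still there."""
    with tempfile.TemporaryDirectory() as desktop:
        names = ["uninstall.exe", "data.dat", "files"]
        paths = [os.path.join(desktop, n) for n in names]
        # Constructed log text in the layout of the Fixlog posted above.
        log = "fixlist content:\n*****************\n"
        log += "".join(p + "\n" for p in paths)
        log += "*****************\n\n"
        log += "".join(p + " => moved successfully\n" for p in paths)
        log += "\n==== End of Fixlog 18:27:01 ====\n"
        # Simulate the mismatch: only data.dat remains on the scratch desktop.
        with open(paths[1], "w") as handle:
            handle.write("placeholder")
        leftover = reported_moved_but_present(parse_fixlog(log))
        return [os.path.basename(p) for p in leftover]


if __name__ == "__main__":
    print(demo())
```

Run against a real fixlog.txt on the affected machine, the returned list is the set of entries to follow up on, for example with the File: directive used in the post above.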