Skip to main content

Artemis2AF9CADD4C85_2af9cadd4c


HEUR:Trojan.Win32.Generic (Kaspersky), Artemis!2AF9CADD4C85 (McAfee), Win32:Dropper-gen [Drp] (Avast)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2af9cadd4c85e03c85cfe888bd937c82

SHA1: cefdcfde7a4315af082082032a23cd2d0bd285b3

SHA256: a1840bbb7e1aa8dd088d3acfd4136f8fea80e7bb209d971cbcaf8a0e58f4c4d8

SSDeep: 393216:fJtgf78QnN0SlX3HXHBIAohSjJbxUAukZdESKWdvXT:fjs7LTHHXhXo0pxU8ZdZ11

Size: 18735104 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2014-01-22 12:43:30

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Baidu_PC_Faster_4_0_1_51423.exe:2704
PCFasterSvc.exe:3424
LogReporter.exe:1096
LogReporter.exe:2300
LogReporter.exe:3036
LogReporter.exe:4072
LogReporter.exe:2024
LogReporter.exe:2376
LogReporter.exe:1380
sc.exe:3580
sc.exe:3492
Updater.exe:2876
Updater.exe:2904
Updater.exe:4076
Updater.exe:3516
Updater.exe:3400
Updater.exe:3328
Updater.exe:3644
WScript.exe:2392
schtasks.exe:3904
schtasks.exe:2560
schtasks.exe:2096
schtasks.exe:3632
schtasks.exe:3168
LeakRepair.exe:3392
regsvr32.exe:3920
PCFPopups.exe:748

The Trojan injects its code into the following process(es):

Pcftray.exe:2544
%original file name%.exe:2472
FasterNow.exe:3500

File activity

The process Baidu_PC_Faster_4_0_1_51423.exe:2704 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\14.png (19326 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\cloudy.png (3001 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_eng.png (7537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log.dll (117440 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\3.png (27668 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_id.png (8692 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Yontoo.rul (5258 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\GiantSavings.rul (7741 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1047.A180Darts.rul (17044 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\13.png (19866 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_pu.png (8198 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\feedback\feedback.bskin (142597 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\dbghelp.dll (1187272 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_crashreporter\skin_crashreporter.bskin (234526 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\6.png (1007 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\IWantThis.rul (9732 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1090.DVDVideoSoftToolbar.rul (25998 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsDR.dll (341696 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Default.png (9058 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\PcfTray\PcfTray.bskin (66425 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\LeakRepair.dll (1427136 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\log2.dll (322752 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BProtectEx64.sys (99648 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_id.png (8522 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\hipspop\hipspop.bskin (110224 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1070.IMVUToolbar.rul (16300 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\NewFeatures.ini (393 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1104.SavepathDeals.rul (3292 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_disable.png (1297 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_over.png (1227 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\data\rl.dat (1680 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\t1.db (155463 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_feedback\skin_feedback.bskin (68143 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\tools\FasterNow\FasterNow.bskin (1046 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\update\update.bskin (13387 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_over.png (1172 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\cloud.png (2909 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Facebook\res\res.bskin (142816 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Green.bskin (119344 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1088.yontooToolbar.rul (16384 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Tools\res\res.bskin (40354 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\res\res.bskin (157565 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsPop.exe (329920 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_thai.png (9075 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\oovoo.rul (11349 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\11.png (22440 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\foggy.png (1555 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_eng.png (7855 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_eng.png (7744 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\MixiDJ.rul (7476 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1045.AccuWeather.rul (16044 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal.png (1460 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.1.def.db (11676 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\version.xml (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss79.tmp (57795427 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\NewFeatures.txt (1314 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_popup\skin_popup.bskin (106644 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\rainy.png (1120 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_normal.png (1188 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\confirm\confirm.bskin (95756 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\ieprotect\ieprotect.bskin (16003 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_id.png (3006 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_normal.png (1385 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_pu.png (1107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log2.dll (322752 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Baidu PC Faster.lnk (878 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Uninstall.lnk (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\config.ini (5652 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\outer_circle.png (4380 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BaiduStore.dll (1302720 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\4.png (20506 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1046.appbario12.rul (19512 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Tuvaro.rul (6164 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_pu.png (7361 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\common\common.bskin (367 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\ieprotect_font\ieprotect_font.bskin (486 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_pu.png (7545 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1086.DownloadEnergyToolbar.rul (16402 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_pu.png (7106 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\t2.db (128578 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\cricle_animate.png (186562 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optlist.dat (1504256 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\hipspop\hipspop.bskin (25568 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\screensnpashot\screensnpashot.bskin (1406 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Baidu_PC_Faster_4_0_1_51423-2014-03-26 03-26-53-0536-[7083].tmp (4777 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_frame\skin_frame.bskin (363409 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\ProgramFileList.xml (226642 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\lightning.png (1148 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Communication.dll (313024 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\0.png (1014 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_down.png (7413 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_down.png (1206 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\NewFeatures.exe (498368 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Car.bskin (422873 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.HomeEx\res\res.bskin (966497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallCheck.dll (65216 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\2.png (28922 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\config.ini (5682 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Feedback.lnk (896 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_eng.png (1079 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Christmas.png (14959 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1061.SearchProtect.rul (2247 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1118.A2ZLyrics.rul (8605 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\6.png (22840 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Dealio.rul.bak (7318 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\lightning.png (2949 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\url.ini (6598 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PcfTray.exe (1349824 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\2.png (1015 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Deal Spy.rul (8805 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_update\skin_update.bskin (51031 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\FasterNow\FasterNow.bskin (106412 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1111.Vuze.rul (17726 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\data\sbr.dat (144 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\uTorrentBar.rul (2260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\BHips.dll (932712 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1105.FreeYoutubeDownload.rul (35306 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\cricle.png (10310 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\CouponDropDown.rul (7715 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\popups\popups.bskin (114892 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1055.WhiteSmoke.rul (15636 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\BugReporter\BugReporter.bskin (1329 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1097.NCH FRToolbar.rul (18674 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\LogReporter.exe (464064 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\log.dll (117440 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BEVMEngine.dll (570752 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_thai.png (8901 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\sqlite.dll (626880 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_thai.png (7616 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Egypt.png (25034 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginHome\drag_disable.cur (4286 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Gold.png (41588 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\BugReporter\BugReporter.bskin (1141 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Cherry.bskin (137275 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\VDownloader_Ask.rul (7782 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\15.png (18626 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\StartNow.rul (4575 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Aflamster.rul (1728 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\feedback\feedback.bskin (130773 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\HomeRank.dat (3017 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FutureSoldier.png (40854 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\appbario7.rul (27778 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1063.SnapDo.rul (42100 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\littleboy.png (5954 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\lang.ini (110 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_pu.png (6635 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_homepage\skin_homepage.bskin (16143 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_titlebar.png (121336 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysRepair\SysRepair.dll (1202368 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\cloudy.png (1142 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\9.png (1022 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_over.png (7097 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\res\res.bskin (124971 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Bhbase.sys (63840 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1094.BittorrentBar_DEToolbar.rul (16910 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Uninstall.lnk (876 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_id.png (8584 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_disable.png (6310 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1098.NewYorkYankeesToolbar.rul (16305 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Grey.bskin (104165 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_id.png (9636 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1049.SocialSearchBar.rul (20150 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BHips.dll (932712 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Baidu PC Faster.lnk (864 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\common\common.bskin (395 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_hover.png (7580 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\BaiduSafe\BaiduSafe.bskin (235760 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1053.SupremeSavings.rul (7391 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.exe (501232 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys (135552 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\NSISInstall.exe (742592 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_pu.png (8038 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\Plugin_LeakRepair.dll (1192640 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BdApiUtil.dll (123584 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FIFA.png (16363 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1076.SavingsAddon.rul (8234 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1065.DeltaToolbar.rul (18834 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Christmas.bskin (265998 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\cloud.png (1130 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.HomeEx\Plugin_HomeEx.dll (1550016 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\BaiduSafe\BaiduSafe.bskin (259915 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\update\update.bskin (11869 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\Plugin_SystemCleaner.dll (1415360 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_thai.png (7851 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_eng.png (6849 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Egypt.bskin (416149 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterSvc.exe (712688 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1050.SolidSavings.rul (7546 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\lang.ini (100 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_pu.png (7188 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\ieprotect\ieprotect.bskin (14220 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_thai.png (6714 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_over.png (1464 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\lang.ini (110 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1072.MyHomepage.rul (2297 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\tools\FasterNow\FasterNow.bskin (961 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1081.Funmoods.rul (15467 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_normal.png (1083 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\confirm\confirm.bskin (94993 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\res\res.bskin (48852 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_ieprotect\skin_ieprotect.bskin (24554 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (1162 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe (604656 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1085.facesmooch.rul (3927 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\ShoppingSidekick.rul (8588 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_normal.png (1224 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_id.png (9237 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\common\common.bskin (374 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_down.png (1386 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Default.bskin (221267 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\screensnpashot\screensnpashot.bskin (1406 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1062.OnlineRadioPlayerRecorderToolbar.rul (19178 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1083.PriceGong.rul (2641 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\confirm\confirm.bskin (94419 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Baidu PC Faster.lnk (878 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInstall\NSISInstall.bskin (137589 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\update_config.xml (3276 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_uncheck_normal.png (988 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_id.png (8838 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\BrowserProtect.rul (101 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FutureSoldier.bskin (350001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\skin\common\common.bskin (41896 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_id.png (9456 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\ieprotect\ieprotect.bskin (11404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\LogReporter.exe (464064 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1112.SaveValet.rul (465 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginHome\circle_progress.png (3398 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PopupTip.exe (342208 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\10.png (22470 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\sunny.png (1111 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFPopups.exe (2187648 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_id.png (9691 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1077.BrowserCompanion.rul (5359 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\citys.txt (10316 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\ieprotect_font\ieprotect_font.bskin (486 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\screensnpashot\screensnpashot.bskin (1406 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_pu.png (7894 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\1.png (974 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\hipspop\hipspop.bskin (17100 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\searchya.rul (4083 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_pu.png (6908 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\BaiduSafe\BaiduSafe.bskin (150447 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\7.png (985 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\confirm\confirm.bskin (6353 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\screensnpashot\screensnpashot.bskin (956 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_thai.png (1609 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1058.ScenicReflections.rul (16089 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\common\common.bskin (41896 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Brown.png (10035 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_1.png (4434 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.dat (58352 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_id.png (8515 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.2.def.db (38302 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\PluginRemover.dll (1176256 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\tools\FasterNow\FasterNow.bskin (996 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_checked_normal.png (1036 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Uninstall.exe (466608 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1074.CodecPerformer.rul (6416 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BHipsConfig.ini (684 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1114.ST-Eng7.rul (17012 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Antivirus\Plugin_Antivirus.dll (806760 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_thai.png (6585 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BETManger.dll (523968 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\SdkConfig.ini (1618 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Green.png (5577 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\SearchAmong.rul (1582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\DirectUI.dll (893472 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\PcfTray\PcfTray.bskin (64960 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\popups\popups.bskin (115878 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1107.TVGenie.rul (2644 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_hover.png (1430 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1099.SearchDeals.rul (2461 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_thai.png (7750 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_bk2.png (61413 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\85Play_Games.rul (1405 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\NewFeatures\NewFeatures.bskin (272301 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\NewFeatures\NewFeatures.bskin (272299 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_thai.png (6744 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\WhiteSmokeToolBar.rul (20234 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_over.png (1088 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\10.png (1105 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_bk.png (43460 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1082.PricePeep.rul (1686 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1113.SpyGuard.rul (2762 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1087.MediaFinder.rul (4761 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1117.RewardsArcade.rul (15848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\string.ini (9518 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1093.BittorrentBar_FRToolbar.rul (17858 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_default\skin_default.bskin (221120 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\common\common.bskin (371 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\CrashReport.exe (642544 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_boottime\skin_boottime.bskin (635846 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_uncheck_over.png (995 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1054.CouponCaddy.rul (7151 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\snow.png (2904 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterFeedback.exe (488128 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\data\LinkCensor.dat (104 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\hipspop\hipspop.bskin (18506 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Antivirus\res\res.bskin (145701 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1056.WhiteSmkeUSNew.rul (16089 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1116.NewVeoh.rul (17556 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\NewUpdater.exe (372416 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_down.png (1179 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1064.Webblog.rul (16388 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOptEngine.dll (1410752 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_normal.png (7031 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\BugReporter\BugReporter.bskin (1053 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Cherry.png (5701 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\ieprotect\ieprotect.bskin (13325 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_1.png (2385 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\lang.ini (94 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\PcfTray\PcfTray.bskin (263362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\Communication.dll (313024 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_2.png (2351 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\list.xml (1447 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Brown.bskin (356891 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\UninstCaller.exe (161472 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\9.png (28340 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Tools\Plugin_Tools.dll (184512 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\EnumModules.exe (107200 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Genieo.rul (6867 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_thai.png (7521 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginOptimizer\img_circle.png (5453 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1101.VAFMusic.rul (22086 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Feedback.lnk (896 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\nsis_install\nsis_install.bskin (68063 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\NewFeatures\NewFeatures.bskin (272299 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\PluginConfig.xml (2258 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\DirectUI.dll (893472 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_junkclean\skin_junkclean.bskin (45330 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BEVMApi001.dll (299712 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Gold.bskin (359720 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\data\mn.dat (864 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\nsis_install\nsis_install.bskin (70403 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Updater.exe (1134064 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\PcfTray\PcfTray.bskin (64697 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\feedback\feedback.bskin (129797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\System.dll (11264 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1108.SmartSuggestor.rul (256 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\NewFeatures\NewFeatures.bskin (272299 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\popups\popups.bskin (114250 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1110.BrowseForTheCause.rul (1023 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\foggy.png (1005 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_down.png (7091 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\Plugin_Optimizer.dll (1260736 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\update\update.bskin (12522 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\sunny.png (2744 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\5.png (23510 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_2.png (4443 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down.png (1461 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\liveupdate.exe (244928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallUtility.dll (1130688 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_id.png (8899 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\webcake.rul (3263 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Deals.rul (7661 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_0.png (4448 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\tools\FasterNow\FasterNow.bskin (1197 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\update\update.bskin (13645 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\RebateInformer.rul (6988 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_normal.png (7463 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1052.TigerSavings.rul (7088 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\DataReport.dll (310976 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\IEProtect.exe (972440 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Car.png (26076 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\8.png (1012 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_over.png (1358 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_0.png (2407 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\uTorrentControl.rul (18562 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Inbox.rul (3712 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1095.DigiModeToolbar.rul (17790 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\update.dll (1192640 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\5.png (1007 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_thai.png (9175 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_pu.png (7106 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\ieprotect_font\ieprotect_font.bskin (486 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_down.png (1103 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\confirm\confirm.bskin (102232 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\MainFrame\splash_light.png (2080 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys (162048 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1051.SavingsApp.rul (6928 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1067.SearchAssistant.rul (1506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\sysconfig.ini (4 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1048.MixiDjV30.rul (19660 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_upgrade\skin_upgrade.bskin (9174 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\VidSaver.rul (6468 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_down.png (1349 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\nsis_install\nsis_install.bskin (68487 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\feedback\feedback.bskin (127155 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\snow.png (1126 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\InternetHelper.rul (20494 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\CleanerEngine.dll (1589952 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\12.png (21134 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1106.GetSavin.rul (4104 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\MyWebSearch.rul (33402 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\BProtectEx.sys (116544 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\7.png (23710 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\8.png (21960 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FIFA.bskin (342272 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysAndNetworkOpt\SysAndNetworkOpt.dll (988864 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\ieprotect\ieprotect.bskin (35338 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\popups\popups.bskin (114892 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\hipspop\hipspop.bskin (20640 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\BaiduSafe\BaiduSafe.bskin (150628 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\config.ini (5682 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.5.1.def.db (7402 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_checked_over.png (1044 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\CP.dll (556224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallUtility.log (39412 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_install.png (6863 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1115.Qwiklinx.rul (1845 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\nsis_install\nsis_install.bskin (68666 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsHB.dll (389312 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\3.png (1002 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.0.def.db (11430 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\1.png (22682 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\BrowserDefender.rul.bak (3636 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1057.TrustWorthy.rul (16305 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\BugReporter\BugReporter.bskin (1153 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\rainy.png (2933 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_normal.png (1334 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\sysconfig.ini (4 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\CouponCompanion.rul (7793 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\common\common.bskin (16620 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\4.png (997 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1068.AppBario2.rul (6155 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\ieprotect_font\ieprotect_font.bskin (486 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1060.LuckySavings.rul (7283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\url.ini (6598 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1089.DVDVideoSoftToolbar.rul (15759 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\CrashUL.exe (220144 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\LeakRepair.exe (1474240 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Facebook\Plugin_Facebook.dll (378048 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\DataFileVer.xml (303 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_thai.png (6789 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\DataFileList.xml (10206 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\PcfTray\PcfTray.bskin (69909 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Grey.png (2581 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable.png (6308 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_pu.png (7168 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1102.FastFreeConverter.rul (3693 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_id.png (8374 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss78.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\sysconfig.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\DirectUI.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\skin\common\common.bskin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\BHips.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\url.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallUtility.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\config.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallCheck.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\skin\common (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\NewFeatures.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\string.ini (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Baidu_PC_Faster_4_0_1_51423-2014-03-26 03-26-53-0536-[7083].tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\LogReporter.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\skin (0 bytes)

The process PCFasterSvc.exe:3424 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\drivers\BprotectEx.sys (100160 bytes)
%Documents and Settings%\All Users\Application Data\Log\00000000-000C29F803BA!acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e@#000C29F803BA-LogFile-2014-03-26 21-26-41-0832.log (598125 bytes)
%WinDir%\Temp\Plu7C.tmp (2258 bytes)
%WinDir%\Temp\Plu7D.tmp (2258 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\SdkConfig.ini (164 bytes)
%System%\drivers\Bhbase.sys (47456 bytes)
%WinDir%\Temp\Plu7B.tmp (2258 bytes)
%Documents and Settings%\All Users\Application Data\Log (536576 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (86 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-PCFasterSvc-2014-03-26 03-27-41-0473-[7240].tmp (4448 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\config.ini (4658 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\Plu7B.tmp (0 bytes)
%WinDir%\Temp\Plu7C.tmp (0 bytes)
%WinDir%\Temp\Plu7D.tmp (0 bytes)

The process Updater.exe:2876 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu Security\PC Faster\4.0.0.0\update_ultimate.ini (38 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\log\Updater.log (33696 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\update_statistic.xml (1336 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-26-57-0629-[7096].tmp (4441 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\log (32768 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-26-57-0629-[7096].tmp (0 bytes)

The process Updater.exe:4076 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu Security\PC Faster\4.0.0.0\update_ultimate.ini (6 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\log\Updater.log (33693 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\update_statistic.xml (1002 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\log (32768 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-27-36-0770-[7223].tmp (4441 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-27-36-0770-[7223].tmp (0 bytes)

The process Updater.exe:3516 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)

The process Pcftray.exe:2544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Pcftray-2014-03-26 03-27-57-0723-[7292].tmp (4573 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (40 bytes)
%Program Files%\Baidu Security\PC Faster\4.0.0.0\SdkConfig.ini (8 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)

The process %original file name%.exe:2472 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows\dll.vbs (82338 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)
%Documents and Settings%\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows\Baidu_PC_Faster_4_0_1_51423.exe (36955816 bytes)

The process schtasks.exe:2096 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Baidu PC Faster Update.job (412 bytes)

The process LeakRepair.exe:3392 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)

The process PCFPopups.exe:748 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-PCFPopups-2014-03-26 03-27-22-0661-[7178].tmp (4441 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-PCFPopups-2014-03-26 03-27-22-0661-[7178].tmp (0 bytes)

The process FasterNow.exe:3500 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (32 bytes)
%Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\config.ini (228 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-FasterNow-2014-03-26 03-28-05-0942-[7318].tmp (4441 bytes)
%Documents and Settings%\All Users\Application Data\Baidu Security\RpData (4096 bytes)

Registry activity

The process Baidu_PC_Faster_4_0_1_51423.exe:2704 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"DisplayVersion" = "4.0.1.56500"
"Beta" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Baidu Security\PC Faster\Setup]
"SetupResult" = "0"

[HKCU\Software\Baidu Security\PC Faster]
"InstallTime" = "2014-03-26 19:26:17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"UninstallString" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0\UninstCaller.exe"
"InstallDir" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Baidu Security\PC Faster]
"InstallChannel" = "web|gl|official|direct"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Baidu Security\PC Faster]
"IsEverInstalled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\test\LOCALS~1\Temp\vmware-test\VMwareDnD\672be3c6\vmsc.exe, , \??\C:\DOCUME~1\test\LOCALS~1\Temp\vmware-test\VMwareDnD\672be3c6\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7A.tmp\InstallUtility.dll,"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"DisplayIcon" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe"

[HKCU\Software\Baidu Security\PC Faster\4.0.0.0\Install\3103015]
"URL" = "http://sync.pcfaster.baidu.com.eg/cgi-bin-py/get_channel_info.cgi?install_channel=web|gl|official|direct&version=4.0.1.56500&errorcode=0&userid=00000000-000C29F803BA!acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e@#000C29F803BA&install_time=2014-03-26 19:26:17"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Назначенные задания"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"InstallChannel" = "web|gl|official|direct"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7A.tmp]
"LogReporter.exe" = "Log Reporter"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"

[HKCU\Software\Baidu Security\PC Faster]
"CurrentInstallVersion" = "4.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 3D 6B 96 FA 7B 7F 91 08 5C 37 18 88 6F C7 CF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Главное меню\Программы"

[HKLM\System\CurrentControlSet\Services\PCFasterSvc_{PCFaster_4.0.0.0}]
"Description" = "Baidu PC Faster Service 4.0.0.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"Publisher" = "Baidu, Inc."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"

[HKLM\SOFTWARE\Baidu Security\PC Faster]
"StopSvc" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKCU\Software\Baidu Security\PC Faster\4.0.0.0\Install\3103468]
"URL" = "http://sync.security.baidu.co.th/cgi-bin-py/get_channel_info.cgi?install_channel=web|gl|official|direct&version=4.0.1.56500&errorcode=0&userid=00000000-000C29F803BA!acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e@#000C29F803BA&install_time=2014-03-26 19:26:17"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"URLInfoAbout" = "http://www.pcfaster.com/go.php?link=1&pos=about"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"InstallTime" = "2014-03-26 19:26:17"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-guid" = "acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Baidu_PC_Faster_4_0_1_51423\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0]
"DisplayName" = "Baidu PC Faster"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Baidu PC Faster 4.0.0.0" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe -auto -start"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Baidu Security\PC Faster]
"StopSvc"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Baidu_PC_Faster_4_0_1_51423\DEBUG]
"Trace Level"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Baidu PC Faster 4.0.0.0"

"BaiduPCFasterSetup"

"BSECURE"

The process PCFasterSvc.exe:3424 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\System\CurrentControlSet\Services\BprotectEx\Instances\BprotectEx Instance]
"Altitude" = "388020"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\System\CurrentControlSet\Services\BprotectEx\Instances\BprotectEx Instance]
"Flags" = "0"

[HKCU\Software\Baidu Security\PC Faster\4.0.0.0\Statistic]
"statistic_last" = "1395862025"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\System\CurrentControlSet\Services\BprotectEx]
"InstPath" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\BprotectEx\Instances]
"DefaultInstance" = "BprotectEx Instance"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Baidu Security\LogLoc]
"(Default)" = "%Documents and Settings%\All Users\Application Data\Log\00000000-000C29F803BA!acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e@#000C29F803BA-LogFile-2014-03-26 21-26-41-0832.log"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 E3 92 3D ED 69 95 54 8A F4 AB A6 BE 01 B4 59"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\System\CurrentControlSet\Services\fortest]
"test123456" = "286392319"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\PCFasterSvc\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\PCFApiUtil]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\PCFApiUtil]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\PCFApiUtil]
"ImagePath" = "\??\%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\BprotectEx]
"Start" = "1"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\Bhbase]
"Start" = "0"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\PCFApiUtil]
"Start" = "3"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\fortest\deltest]
[HKLM\System\CurrentControlSet\Services\fortest]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\fortest]
"test123456"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\PCFasterSvc\DEBUG]
"Trace Level"

The process LogReporter.exe:1096 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 17 89 37 E6 28 9D D5 4D BF 9B 80 BE 91 56 88"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process LogReporter.exe:2300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB A0 BB DD D2 57 59 32 0B C3 C4 17 AC 73 FC 91"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process LogReporter.exe:3036 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 54 81 A9 9B B1 DC C5 D0 E4 9D 6E F8 0A C3 97"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process LogReporter.exe:4072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\LogReporter\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 35 E6 56 DC 55 DF 8E EE 23 C1 51 D4 B4 D4 F4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\LogReporter\DEBUG]
"Trace Level"

The process LogReporter.exe:2024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 16 E0 88 D8 04 1D 17 75 96 8B 67 C1 17 B8 49"

The process LogReporter.exe:2376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 47 3D 96 4D 15 6B B8 8E 26 49 48 FA 44 C9 9D"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process LogReporter.exe:1380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 68 E0 C6 BB 5F BF 73 82 4F 06 30 B5 20 C3 89"

The process sc.exe:3580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 5A 83 CC 7C 6D 45 44 2A 64 B3 82 0E 6B 60 40"

The process sc.exe:3492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 CD 62 A2 E1 FF 1C F5 A4 AF 9E 19 A5 76 4B 32"

The process Updater.exe:2876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 42 BD 95 C1 57 DA B3 AF B8 29 C1 40 BE 6A 1A"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Updater\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Updater\DEBUG]
"Trace Level"

The process Updater.exe:2904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 3A 55 88 FC B2 5E 90 44 83 04 72 3F E5 F1 5D"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Updater.exe:4076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 FD FC 12 6E E5 A3 65 D6 BC 25 B2 F2 E4 4B 4A"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Updater.exe:3516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 6F 95 9A 64 DA 6B 44 80 48 CE 22 6E FD 95 D3"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Updater.exe:3400 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 7C 84 4E C6 00 43 C7 1E 6C E9 42 0E F4 FD EA"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Updater.exe:3328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 B9 79 9D A0 4A 3C C4 1A 16 A0 7A ED 82 CA F5"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Updater.exe:3644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 25 35 65 A7 04 0B DB 71 2E AD 5A 26 A6 12 41"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process WScript.exe:2392 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 DC 4E B0 E6 8A F0 47 C1 08 71 B0 94 A9 7F 39"

The process Pcftray.exe:2544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Pcftray\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 67 BA 26 9C 33 C0 82 F1 E5 94 DD 6A 70 EE 84"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Pcftray\DEBUG]
"Trace Level"

The process %original file name%.exe:2472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 40 D7 2C E8 54 73 A6 3D 25 DA 3E 0D 0C 68 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows]
"Baidu_PC_Faster_4_0_1_51423.exe" = "PC Faster Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\GDIPlus]
"FontCachePath" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process schtasks.exe:3904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 78 18 6F B1 88 29 04 1E 74 F5 EA 40 C1 CD 78"

The process schtasks.exe:2560 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 68 34 20 FF A0 F3 C0 35 C8 4A C5 F9 4A 40 8B"

The process schtasks.exe:2096 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 0D C7 ED 72 37 16 4B 32 9D 2A E5 8A 5B 5B 65"

The process schtasks.exe:3632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 9C B4 7A FB 5A 7D ED 8B 26 67 BD F7 B0 1B D8"

The process schtasks.exe:3168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 64 BE E7 2C CE E3 EE C2 65 10 40 1F 5C E2 05"

The process LeakRepair.exe:3392 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\LeakRepair\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 37 B8 C3 7D DF 76 19 C6 E5 24 EA D4 3E 01 83"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\LeakRepair\DEBUG]
"Trace Level"

The process regsvr32.exe:3920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 41 1A 20 92 2F 7F 88 34 39 EE 6C 4D 14 EF 0C"

The process PCFPopups.exe:748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\PCFPopups\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 06 2F 0B A2 6A B4 78 89 05 9A 0E 0E CB 40 37"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\PCFPopups\DEBUG]
"Trace Level"

The process FasterNow.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Baidu Security\PC Faster]
"pcfaster-id" = "S-1-5-21-606747145-1060284298-839522115-1004#000C29F803BA"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\FasterNow\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 66 65 89 50 E3 86 F6 DB 42 B7 DB AA C4 8D 99"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\PerfOS\Performance]
"Error Count"

[HKLM\System\CurrentControlSet\Services\PerfProc\Performance]
"Error Count"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\FasterNow\DEBUG]
"Trace Level"

[HKLM\System\CurrentControlSet\Services\PerfDisk\Performance]
"Error Count"

Dropped PE files

MD5 File path
cf636fe8ac628e4aff999777874a1054c:\Documents and Settings\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows\Baidu_PC_Faster_4_0_1_51423.exe
d219d3182e9a0415843452792d6a0308c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7A.tmp\BHips.dll
9fa202ca895dbcfde57b45ba92a15527c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7A.tmp\Communication.dll
fae72efe6faaaca64efdea60ba573284c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7A.tmp\InstallUtility.dll
1887ad04d1f6e03b9b6570ec4c1b8e8bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7A.tmp\LogReporter.exe
99b4f71b2fb7fa93cc1389340205b5adc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7A.tmp\log.dll
610e0954d676567b720015644e81dd2dc:\Program Files\Baidu Security\PC Faster\4.0.0.0\BETManger.dll
3713f1ff61b88d13472792d62bcb4eb3c:\Program Files\Baidu Security\PC Faster\4.0.0.0\BEVMApi001.dll
592893b5d3b4a3eb7f8cfbcb11d5bbdec:\Program Files\Baidu Security\PC Faster\4.0.0.0\BEVMEngine.dll
d219d3182e9a0415843452792d6a0308c:\Program Files\Baidu Security\PC Faster\4.0.0.0\BHips.dll
a109b9ed793fb3c2c00f36977a4c9c95c:\Program Files\Baidu Security\PC Faster\4.0.0.0\BProtectEx.sys
90fc18cbefcd54be4288541558e5187ec:\Program Files\Baidu Security\PC Faster\4.0.0.0\BProtectEx64.sys
661c1dcc5511824be8abc9529436c679c:\Program Files\Baidu Security\PC Faster\4.0.0.0\BaiduStore.dll
945ca7ce939a2b9b63298daa5220496ac:\Program Files\Baidu Security\PC Faster\4.0.0.0\BdApiUtil.dll
36d995ee7dd05e77e50dd0dd4f953f94c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Bhbase.sys
539a5a6b567300e4043e033ae3f3943bc:\Program Files\Baidu Security\PC Faster\4.0.0.0\CP.dll
9fa202ca895dbcfde57b45ba92a15527c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Communication.dll
9cab8f2b2c84d2b1457052170a1a7ff8c:\Program Files\Baidu Security\PC Faster\4.0.0.0\CrashReport.exe
8279318c97c59104b0134e430dedda70c:\Program Files\Baidu Security\PC Faster\4.0.0.0\CrashUL.exe
7f8643cd4fffc56ac6d4163498213d54c:\Program Files\Baidu Security\PC Faster\4.0.0.0\DataReport.dll
e75171190ad5eb7d62e71eec1603066fc:\Program Files\Baidu Security\PC Faster\4.0.0.0\DirectUI.dll
b2c06b6b37eb112d3a2eabb1d6e0f76dc:\Program Files\Baidu Security\PC Faster\4.0.0.0\FasterNow.exe
129e07f6e114f5313604db0916a587b5c:\Program Files\Baidu Security\PC Faster\4.0.0.0\HipsDR.dll
e82103ad527fd9b19f78dffa7cee3cc3c:\Program Files\Baidu Security\PC Faster\4.0.0.0\HipsHB.dll
9d83f2d9309c40ecddeb4712ce34fd9ac:\Program Files\Baidu Security\PC Faster\4.0.0.0\HipsPop.exe
51b31d6081aff856fa3b581e8c1a514dc:\Program Files\Baidu Security\PC Faster\4.0.0.0\IEProtect.exe
c5f4a040dabcdc0a267c24aadf0dbcebc:\Program Files\Baidu Security\PC Faster\4.0.0.0\LeakRepair.exe
1887ad04d1f6e03b9b6570ec4c1b8e8bc:\Program Files\Baidu Security\PC Faster\4.0.0.0\LogReporter.exe
9142cd77a25c3a8a595d36d79ec2413dc:\Program Files\Baidu Security\PC Faster\4.0.0.0\NSISInstall.exe
23a271dda00a6d98b650ba363122d789c:\Program Files\Baidu Security\PC Faster\4.0.0.0\NewFeatures.exe
a6fe93d64b0e6b59f448c3073bea237bc:\Program Files\Baidu Security\PC Faster\4.0.0.0\NewUpdater.exe
ae9fe50324a33c03b9cb9ac832a78646c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys
b63be4062741cb280d1f1522a59f33a6c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys
48cecd4b4a7fa0d9c9e8e17eba639770c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFPopups.exe
41eb3ee22f37d54c56a78170608c5da7c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe
c2430cc1bc31a4488ff868a89e5ec118c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFasterFeedback.exe
b88353efe93ac3c6518415621fd8ebcbc:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFasterSvc.exe
f23fec819f6d1181c47374df8ee89a6ec:\Program Files\Baidu Security\PC Faster\4.0.0.0\PcfTray.exe
e3feb2031aebf766426c7b551256e552c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Antivirus\Plugin_Antivirus.dll
03e2817759676cb684673e843e90453ac:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Facebook\Plugin_Facebook.dll
03771ae2d49a1d294c7266a6ea837049c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.HomeEx\Plugin_HomeEx.dll
c7a34482dc13943a0ead3b1fefac6ddfc:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\LeakRepair.dll
204a5025a829aac2439ca7c65a4b7f0bc:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\Plugin_LeakRepair.dll
f8e61428a351e75792a86e7b7f5cef7ec:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\Plugin_Optimizer.dll
79bd40264f3d249393ecefdd2cd033d1c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOptEngine.dll
955fe8ac197e43500452dfede5eb18a4c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\EnumModules.exe
83e7242c7c44216f366680ead9da8568c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\PluginRemover.dll
dc7eea6e5c56c8f38172b999899a0328c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysAndNetworkOpt\SysAndNetworkOpt.dll
01758e92d87405495d7ff22475337126c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysRepair\SysRepair.dll
7a04ec9f14fb94c2f3915b4e337a0128c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\CleanerEngine.dll
f512cbdadffef8a4ce2e3b39218375fac:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\Plugin_SystemCleaner.dll
f1b428719f82c2dfd97685ee77ccc6f9c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Tools\Plugin_Tools.dll
f5fa1b1a574f6465ca831ed1495c2405c:\Program Files\Baidu Security\PC Faster\4.0.0.0\PopupTip.exe
867f8dcdad9a3d7cfd56628b9f244e74c:\Program Files\Baidu Security\PC Faster\4.0.0.0\UninstCaller.exe
434177441d30e979cba2346466686eb1c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Uninstall.exe
fe1d9a95168499203c96d9f3dd27dd82c:\Program Files\Baidu Security\PC Faster\4.0.0.0\Updater.exe
88d62065f635baae190eccf04a37a4fec:\Program Files\Baidu Security\PC Faster\4.0.0.0\dbghelp.dll
afff8a2b33ea375b51e966d7dd052580c:\Program Files\Baidu Security\PC Faster\4.0.0.0\liveupdate.exe
99b4f71b2fb7fa93cc1389340205b5adc:\Program Files\Baidu Security\PC Faster\4.0.0.0\log.dll
f8eb29633e9c8032de3606d9ad9e265cc:\Program Files\Baidu Security\PC Faster\4.0.0.0\log2.dll
3103029dede8b96f1cb694b5c0d8ae22c:\Program Files\Baidu Security\PC Faster\4.0.0.0\sqlite.dll
6bcf98fb3d78e088b30231261a4c2efec:\Program Files\Baidu Security\PC Faster\4.0.0.0\update.dll
36d995ee7dd05e77e50dd0dd4f953f94c:\WINDOWS\system32\drivers\Bhbase.sys
a109b9ed793fb3c2c00f36977a4c9c95c:\WINDOWS\system32\drivers\BprotectEx.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\drivers\Bhbase.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\drivers\Bhbase.sys" the Trojan controls creation and closing of threads by installing the thread notifier.


Using the driver "%System%\drivers\Bhbase.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.


Using the driver "\??\%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys" the Trojan controls operations with a system registry by installing the registry notifier.


The Trojan installs the following kernel-mode hooks:

ZwAssignProcessToJobObject
ZwCreateFile
ZwCreateKey
ZwCreateProcess
ZwCreateProcessEx
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwDeleteFile
ZwDeleteKey
ZwDeleteValueKey
ZwDeviceIoControlFile
ZwDuplicateObject
ZwEnumerateValueKey
ZwLoadDriver
ZwOpenProcess
ZwOpenSection
ZwOpenThread
ZwProtectVirtualMemory
ZwQueryValueKey
ZwQueueApcThread
ZwRenameKey
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSetContextThread
ZwSetInformationFile
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetValueKey
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwUnmapViewOfSection
ZwWriteFile
ZwWriteVirtualMemory

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Baidu_PC_Faster_4_0_1_51423.exe:2704
    PCFasterSvc.exe:3424
    LogReporter.exe:1096
    LogReporter.exe:2300
    LogReporter.exe:3036
    LogReporter.exe:4072
    LogReporter.exe:2024
    LogReporter.exe:2376
    LogReporter.exe:1380
    sc.exe:3580
    sc.exe:3492
    Updater.exe:2876
    Updater.exe:2904
    Updater.exe:4076
    Updater.exe:3516
    Updater.exe:3400
    Updater.exe:3328
    Updater.exe:3644
    WScript.exe:2392
    schtasks.exe:3904
    schtasks.exe:2560
    schtasks.exe:2096
    schtasks.exe:3632
    schtasks.exe:3168
    LeakRepair.exe:3392
    regsvr32.exe:3920
    PCFPopups.exe:748

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\14.png (19326 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\cloudy.png (3001 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_eng.png (7537 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log.dll (117440 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\3.png (27668 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_id.png (8692 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Yontoo.rul (5258 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\GiantSavings.rul (7741 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1047.A180Darts.rul (17044 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\13.png (19866 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_pu.png (8198 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\feedback\feedback.bskin (142597 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\dbghelp.dll (1187272 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_crashreporter\skin_crashreporter.bskin (234526 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\6.png (1007 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\IWantThis.rul (9732 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1090.DVDVideoSoftToolbar.rul (25998 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsDR.dll (341696 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Default.png (9058 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\PcfTray\PcfTray.bskin (66425 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\LeakRepair.dll (1427136 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\log2.dll (322752 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BProtectEx64.sys (99648 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_id.png (8522 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\hipspop\hipspop.bskin (110224 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1070.IMVUToolbar.rul (16300 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\NewFeatures.ini (393 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1104.SavepathDeals.rul (3292 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_disable.png (1297 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_over.png (1227 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\data\rl.dat (1680 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\t1.db (155463 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_feedback\skin_feedback.bskin (68143 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\tools\FasterNow\FasterNow.bskin (1046 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\update\update.bskin (13387 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_over.png (1172 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\cloud.png (2909 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Facebook\res\res.bskin (142816 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Green.bskin (119344 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1088.yontooToolbar.rul (16384 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Tools\res\res.bskin (40354 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\res\res.bskin (157565 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsPop.exe (329920 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_thai.png (9075 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\oovoo.rul (11349 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\11.png (22440 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\foggy.png (1555 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_eng.png (7855 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_eng.png (7744 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\MixiDJ.rul (7476 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1045.AccuWeather.rul (16044 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal.png (1460 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.1.def.db (11676 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\version.xml (294 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss79.tmp (57795427 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\NewFeatures.txt (1314 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_popup\skin_popup.bskin (106644 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\rainy.png (1120 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_normal.png (1188 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\confirm\confirm.bskin (95756 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\ieprotect\ieprotect.bskin (16003 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_id.png (3006 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_normal.png (1385 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_pu.png (1107 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\log2.dll (322752 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Baidu PC Faster.lnk (878 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Uninstall.lnk (876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\config.ini (5652 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\outer_circle.png (4380 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BaiduStore.dll (1302720 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\4.png (20506 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1046.appbario12.rul (19512 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Tuvaro.rul (6164 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_pu.png (7361 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\common\common.bskin (367 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\ieprotect_font\ieprotect_font.bskin (486 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_pu.png (7545 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1086.DownloadEnergyToolbar.rul (16402 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_pu.png (7106 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\t2.db (128578 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\cricle_animate.png (186562 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optlist.dat (1504256 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\hipspop\hipspop.bskin (25568 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\screensnpashot\screensnpashot.bskin (1406 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Baidu_PC_Faster_4_0_1_51423-2014-03-26 03-26-53-0536-[7083].tmp (4777 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_frame\skin_frame.bskin (363409 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\ProgramFileList.xml (226642 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\lightning.png (1148 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Communication.dll (313024 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\0.png (1014 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_down.png (7413 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_down.png (1206 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\NewFeatures.exe (498368 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Car.bskin (422873 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.HomeEx\res\res.bskin (966497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallCheck.dll (65216 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\2.png (28922 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\config.ini (5682 bytes)
    %Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Feedback.lnk (896 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_eng.png (1079 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Christmas.png (14959 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1061.SearchProtect.rul (2247 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1118.A2ZLyrics.rul (8605 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\6.png (22840 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Dealio.rul.bak (7318 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\lightning.png (2949 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\url.ini (6598 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PcfTray.exe (1349824 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\2.png (1015 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Deal Spy.rul (8805 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_update\skin_update.bskin (51031 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\FasterNow\FasterNow.bskin (106412 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1111.Vuze.rul (17726 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\data\sbr.dat (144 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\uTorrentBar.rul (2260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\BHips.dll (932712 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1105.FreeYoutubeDownload.rul (35306 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\cricle.png (10310 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\CouponDropDown.rul (7715 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\popups\popups.bskin (114892 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1055.WhiteSmoke.rul (15636 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\BugReporter\BugReporter.bskin (1329 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1097.NCH FRToolbar.rul (18674 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\LogReporter.exe (464064 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\log.dll (117440 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BEVMEngine.dll (570752 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_thai.png (8901 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\sqlite.dll (626880 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_thai.png (7616 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Egypt.png (25034 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginHome\drag_disable.cur (4286 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Gold.png (41588 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\BugReporter\BugReporter.bskin (1141 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Cherry.bskin (137275 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\VDownloader_Ask.rul (7782 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\15.png (18626 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\StartNow.rul (4575 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Aflamster.rul (1728 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\feedback\feedback.bskin (130773 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\HomeRank.dat (3017 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FutureSoldier.png (40854 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\appbario7.rul (27778 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1063.SnapDo.rul (42100 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\littleboy.png (5954 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\lang.ini (110 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_pu.png (6635 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_homepage\skin_homepage.bskin (16143 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_titlebar.png (121336 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysRepair\SysRepair.dll (1202368 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\cloudy.png (1142 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\9.png (1022 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_over.png (7097 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\res\res.bskin (124971 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Bhbase.sys (63840 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1094.BittorrentBar_DEToolbar.rul (16910 bytes)
    %Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Uninstall.lnk (876 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_id.png (8584 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_disable.png (6310 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1098.NewYorkYankeesToolbar.rul (16305 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Grey.bskin (104165 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_id.png (9636 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1049.SocialSearchBar.rul (20150 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BHips.dll (932712 bytes)
    %Documents and Settings%\%current user%\Рабочий стол\Baidu PC Faster.lnk (864 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\common\common.bskin (395 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_hover.png (7580 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\BaiduSafe\BaiduSafe.bskin (235760 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1053.SupremeSavings.rul (7391 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.exe (501232 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys (135552 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\NSISInstall.exe (742592 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_pu.png (8038 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\Plugin_LeakRepair.dll (1192640 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BdApiUtil.dll (123584 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FIFA.png (16363 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1076.SavingsAddon.rul (8234 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1065.DeltaToolbar.rul (18834 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Christmas.bskin (265998 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\cloud.png (1130 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.HomeEx\Plugin_HomeEx.dll (1550016 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\BaiduSafe\BaiduSafe.bskin (259915 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\update\update.bskin (11869 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\Plugin_SystemCleaner.dll (1415360 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_thai.png (7851 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_eng.png (6849 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Egypt.bskin (416149 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterSvc.exe (712688 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1050.SolidSavings.rul (7546 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\lang.ini (100 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_pu.png (7188 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\ieprotect\ieprotect.bskin (14220 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_hover_thai.png (6714 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_over.png (1464 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\lang.ini (110 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1072.MyHomepage.rul (2297 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\tools\FasterNow\FasterNow.bskin (961 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1081.Funmoods.rul (15467 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_normal.png (1083 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\confirm\confirm.bskin (94993 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.LeakRepair\res\res.bskin (48852 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_ieprotect\skin_ieprotect.bskin (24554 bytes)
    %Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\Dump\BugReportConfig.ini (1162 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe (604656 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1085.facesmooch.rul (3927 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\ShoppingSidekick.rul (8588 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_cancel_normal.png (1224 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_disable_id.png (9237 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\common\common.bskin (374 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_down.png (1386 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Default.bskin (221267 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\screensnpashot\screensnpashot.bskin (1406 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1062.OnlineRadioPlayerRecorderToolbar.rul (19178 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1083.PriceGong.rul (2641 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\confirm\confirm.bskin (94419 bytes)
    %Documents and Settings%\%current user%\Главное меню\Программы\Baidu PC Faster\Baidu PC Faster.lnk (878 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInstall\NSISInstall.bskin (137589 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\update_config.xml (3276 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_uncheck_normal.png (988 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_hover_id.png (8838 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\BrowserProtect.rul (101 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FutureSoldier.bskin (350001 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\skin\common\common.bskin (41896 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_id.png (9456 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\ieprotect\ieprotect.bskin (11404 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\LogReporter.exe (464064 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1112.SaveValet.rul (465 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginHome\circle_progress.png (3398 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PopupTip.exe (342208 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\10.png (22470 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\sunny.png (1111 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFPopups.exe (2187648 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_hover_id.png (9691 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1077.BrowserCompanion.rul (5359 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\citys.txt (10316 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\ieprotect_font\ieprotect_font.bskin (486 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\screensnpashot\screensnpashot.bskin (1406 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_normal_pu.png (7894 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\1.png (974 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\hipspop\hipspop.bskin (17100 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\searchya.rul (4083 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_pu.png (6908 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\BaiduSafe\BaiduSafe.bskin (150447 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\7.png (985 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\confirm\confirm.bskin (6353 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\screensnpashot\screensnpashot.bskin (956 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_finishing_thai.png (1609 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1058.ScenicReflections.rul (16089 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\common\common.bskin (41896 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Brown.png (10035 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_1.png (4434 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.dat (58352 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_id.png (8515 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.2.def.db (38302 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\PluginRemover.dll (1176256 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\tools\FasterNow\FasterNow.bskin (996 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_checked_normal.png (1036 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Uninstall.exe (466608 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1074.CodecPerformer.rul (6416 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BHipsConfig.ini (684 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1114.ST-Eng7.rul (17012 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Antivirus\Plugin_Antivirus.dll (806760 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_thai.png (6585 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BETManger.dll (523968 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\SdkConfig.ini (1618 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Green.png (5577 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\SearchAmong.rul (1582 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\DirectUI.dll (893472 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\PcfTray\PcfTray.bskin (64960 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\popups\popups.bskin (115878 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1107.TVGenie.rul (2644 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\min_hover.png (1430 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1099.SearchDeals.rul (2461 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_thai.png (7750 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_bk2.png (61413 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\85Play_Games.rul (1405 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\NewFeatures\NewFeatures.bskin (272301 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\NewFeatures\NewFeatures.bskin (272299 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable_thai.png (6744 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\WhiteSmokeToolBar.rul (20234 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_over.png (1088 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\10.png (1105 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_bk.png (43460 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1082.PricePeep.rul (1686 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1113.SpyGuard.rul (2762 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1087.MediaFinder.rul (4761 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1117.RewardsArcade.rul (15848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\string.ini (9518 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1093.BittorrentBar_FRToolbar.rul (17858 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_default\skin_default.bskin (221120 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\common\common.bskin (371 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\CrashReport.exe (642544 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_boottime\skin_boottime.bskin (635846 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_uncheck_over.png (995 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1054.CouponCaddy.rul (7151 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\snow.png (2904 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterFeedback.exe (488128 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\data\LinkCensor.dat (104 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\hipspop\hipspop.bskin (18506 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Antivirus\res\res.bskin (145701 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1056.WhiteSmkeUSNew.rul (16089 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1116.NewVeoh.rul (17556 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\NewUpdater.exe (372416 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_un_uninstall_down.png (1179 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1064.Webblog.rul (16388 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOptEngine.dll (1410752 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_normal.png (7031 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\BugReporter\BugReporter.bskin (1053 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Cherry.png (5701 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\ieprotect\ieprotect.bskin (13325 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_1.png (2385 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\lang.ini (94 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\PcfTray\PcfTray.bskin (263362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\Communication.dll (313024 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_2.png (2351 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\list.xml (1447 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Brown.bskin (356891 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\UninstCaller.exe (161472 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\9.png (28340 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Tools\Plugin_Tools.dll (184512 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\EnumModules.exe (107200 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Genieo.rul (6867 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_thai.png (7521 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\PluginOptimizer\img_circle.png (5453 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1101.VAFMusic.rul (22086 bytes)
    %Documents and Settings%\All Users\Главное меню\Программы\Baidu PC Faster\Feedback.lnk (896 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\nsis_install\nsis_install.bskin (68063 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\NewFeatures\NewFeatures.bskin (272299 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\PluginConfig.xml (2258 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\DirectUI.dll (893472 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\skin_junkclean\skin_junkclean.bskin (45330 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BEVMApi001.dll (299712 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Gold.bskin (359720 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\data\mn.dat (864 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\nsis_install\nsis_install.bskin (70403 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Updater.exe (1134064 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\PcfTray\PcfTray.bskin (64697 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\feedback\feedback.bskin (129797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\System.dll (11264 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1108.SmartSuggestor.rul (256 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\NewFeatures\NewFeatures.bskin (272299 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\popups\popups.bskin (114250 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1110.BrowseForTheCause.rul (1023 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\foggy.png (1005 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_install_down.png (7091 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\Plugin_Optimizer.dll (1260736 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\update\update.bskin (12522 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\sunny.png (2744 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\5.png (23510 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_2.png (4443 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down.png (1461 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\liveupdate.exe (244928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallUtility.dll (1130688 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_down_id.png (8899 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\webcake.rul (3263 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Deals.rul (7661 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_pop_percent_0.png (4448 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\tools\FasterNow\FasterNow.bskin (1197 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\update\update.bskin (13645 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\RebateInformer.rul (6988 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_exit_normal.png (7463 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1052.TigerSavings.rul (7088 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\DataReport.dll (310976 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\IEProtect.exe (972440 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Car.png (26076 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\8.png (1012 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_over.png (1358 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\FasterNow\img_percent_0.png (2407 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\uTorrentControl.rul (18562 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\Inbox.rul (3712 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1095.DigiModeToolbar.rul (17790 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\update.dll (1192640 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\5.png (1007 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\reinstall_down_thai.png (9175 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_pu.png (7106 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\ieprotect_font\ieprotect_font.bskin (486 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\language_down.png (1103 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\confirm\confirm.bskin (102232 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\MainFrame\splash_light.png (2080 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys (162048 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1051.SavingsApp.rul (6928 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1067.SearchAssistant.rul (1506 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\sysconfig.ini (4 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1048.MixiDjV30.rul (19660 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\skin_upgrade\skin_upgrade.bskin (9174 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\VidSaver.rul (6468 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_down.png (1349 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\nsis_install\nsis_install.bskin (68487 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\feedback\feedback.bskin (127155 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\small\snow.png (1126 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\InternetHelper.rul (20494 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SystemCleaner\CleanerEngine.dll (1589952 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\12.png (21134 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1106.GetSavin.rul (4104 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\MyWebSearch.rul (33402 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\BProtectEx.sys (116544 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\7.png (23710 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\8.png (21960 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\FIFA.bskin (342272 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.SysAndNetworkOpt\SysAndNetworkOpt.dll (988864 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\ieprotect\ieprotect.bskin (35338 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\popups\popups.bskin (114892 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\hipspop\hipspop.bskin (20640 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1033\BaiduSafe\BaiduSafe.bskin (150628 bytes)
    %Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\config.ini (5682 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.5.1.def.db (7402 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\btn_checked_over.png (1044 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\CP.dll (556224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\InstallUtility.log (39412 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\logo_install.png (6863 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1115.Qwiklinx.rul (1845 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\nsis_install\nsis_install.bskin (68666 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\HipsHB.dll (389312 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\3.png (1002 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Optimizer\SysOpt\optrec.6.0.def.db (11430 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\logo\system\1.png (22682 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\BrowserDefender.rul.bak (3636 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1057.TrustWorthy.rul (16305 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1046\BugReporter\BugReporter.bskin (1153 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\boottime\weather\big\rainy.png (2933 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\location_normal.png (1334 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\sysconfig.ini (4 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\CouponCompanion.rul (7793 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\common\common.bskin (16620 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\4.png (997 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1068.AppBario2.rul (6155 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1057\ieprotect_font\ieprotect_font.bskin (486 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1060.LuckySavings.rul (7283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7A.tmp\url.ini (6598 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1089.DVDVideoSoftToolbar.rul (15759 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\CrashUL.exe (220144 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\LeakRepair.exe (1474240 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.Facebook\Plugin_Facebook.dll (378048 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\DataFileVer.xml (303 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_down_thai.png (6789 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\DataFileList.xml (10206 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\I18N\1054\PcfTray\PcfTray.bskin (69909 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\Scattered\SkinList\Grey.png (2581 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_disable.png (6308 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\install_normal_pu.png (7168 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\Plugins\Plugin.PluginRemover\data\1102.FastFreeConverter.rul (3693 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\skin\tools\NSISInatsllSkin\close_normal_id.png (8374 bytes)
    %System%\drivers\BprotectEx.sys (100160 bytes)
    %Documents and Settings%\All Users\Application Data\Log\00000000-000C29F803BA!acc7ad6a-0a29-4edf-aae3-cc9dcd0ce41e@#000C29F803BA-LogFile-2014-03-26 21-26-41-0832.log (598125 bytes)
    %WinDir%\Temp\Plu7C.tmp (2258 bytes)
    %WinDir%\Temp\Plu7D.tmp (2258 bytes)
    %System%\drivers\Bhbase.sys (47456 bytes)
    %WinDir%\Temp\Plu7B.tmp (2258 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-PCFasterSvc-2014-03-26 03-27-41-0473-[7240].tmp (4448 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\update_ultimate.ini (38 bytes)
    %Documents and Settings%\All Users\Документы\Baidu Security\PC Faster\4.0.0.0\log\Updater.log (33696 bytes)
    %Program Files%\Baidu Security\PC Faster\4.0.0.0\update_statistic.xml (1336 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-26-57-0629-[7096].tmp (4441 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Updater-2014-03-26 03-27-36-0770-[7223].tmp (4441 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-Pcftray-2014-03-26 03-27-57-0723-[7292].tmp (4573 bytes)
    %Documents and Settings%\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows\dll.vbs (82338 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)
    %Documents and Settings%\All Users\Application Data\WindowsApplication1\Baidu PC Faster\4.0.1.56500\Windows\Baidu_PC_Faster_4_0_1_51423.exe (36955816 bytes)
    %WinDir%\Tasks\Baidu PC Faster Update.job (412 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-PCFPopups-2014-03-26 03-27-22-0661-[7178].tmp (4441 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu Security\RpData\rpFile-FasterNow-2014-03-26 03-28-05-0942-[7318].tmp (4441 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Baidu PC Faster 4.0.0.0" = "%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFaster.exe -auto -start"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Baidu PC Faster
Product Version: 4.0.1.56500
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: WindowsApplication1.exe
Internal Name: WindowsApplication1.exe
File Version: 4.0.1.56500
File Description: Baidu PC Faster
Comments:
Language: English (United States)

Company Name: Product Name: Baidu PC FasterProduct Version: 4.0.1.56500Legal Copyright: Copyright (c) 2014Legal Trademarks: Original Filename: WindowsApplication1.exeInternal Name: WindowsApplication1.exeFile Version: 4.0.1.56500File Description: Baidu PC FasterComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text819218696356186967045.5448824f6b31d2552cc5042f4f1a61b512a83
.sdata187105283125121.55676eebdde6d374d74ad4d237932c2af9b67
.rsrc1871872036256363524.5090722ca7b0741408013267b2c5427ea4ee6
.reloc18759680125120.0847551ae2de31d426726935025f3b3d2550e9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
popup.security.baidu.co.th
update.pcfaster.baidu.com.eg
sync.pcfaster.baidu.com.eg
download.pcfaster.baidu.com.eg
rtp.bav.baidu.com
sync.security.baidu.co.th

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

Pcftray.exe_2544:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

kernel32.dll

kernel32.dll

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

CHECK failed: !iter->second.is_repeated:

CHECK failed: !iter->second.is_repeated:

CHECK failed: ((iter->second).is_repeated ? REPEATED : OPTIONAL) == (OPTIONAL):

CHECK failed: ((iter->second).is_repeated ? REPEATED : OPTIONAL) == (OPTIONAL):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_INT32):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_INT32):

CHECK failed: ((*extension).is_repeated ? REPEATED : OPTIONAL) == (OPTIONAL):

CHECK failed: ((*extension).is_repeated ? REPEATED : OPTIONAL) == (OPTIONAL):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_INT32):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_INT32):

CHECK failed: iter != extensions_.end():

CHECK failed: iter != extensions_.end():

CHECK failed: ((iter->second).is_repeated ? REPEATED : OPTIONAL) == (REPEATED):

CHECK failed: ((iter->second).is_repeated ? REPEATED : OPTIONAL) == (REPEATED):

CHECK failed: ((*extension).is_repeated ? REPEATED : OPTIONAL) == (REPEATED):

CHECK failed: ((*extension).is_repeated ? REPEATED : OPTIONAL) == (REPEATED):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_INT64):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_INT64):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_INT64):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_INT64):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_UINT32):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_UINT32):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_UINT32):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_UINT32):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_UINT64):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_UINT64):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_UINT64):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_UINT64):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_FLOAT):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_FLOAT):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_FLOAT):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_FLOAT):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_DOUBLE):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_DOUBLE):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_DOUBLE):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_DOUBLE):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_BOOL):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_BOOL):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_BOOL):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_BOOL):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_ENUM):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_ENUM):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_ENUM):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_ENUM):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_STRING):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_STRING):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_STRING):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_STRING):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_MESSAGE):

CHECK failed: (cpp_type((iter->second).type)) == (WireFormatLite::CPPTYPE_MESSAGE):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_MESSAGE):

CHECK failed: (cpp_type((*extension).type)) == (WireFormatLite::CPPTYPE_MESSAGE):

CHECK failed: (extension->type) == (other_extension.type):

CHECK failed: (extension->type) == (other_extension.type):

CHECK failed: ((iter->second).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_OPTIONAL):

CHECK failed: ((iter->second).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_OPTIONAL):

CHECK failed: (cpp_type((iter->second).type)) == (FieldDescriptor::CPPTYPE_MESSAGE):

CHECK failed: (cpp_type((iter->second).type)) == (FieldDescriptor::CPPTYPE_MESSAGE):

CHECK failed: ((*extension).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_OPTIONAL):

CHECK failed: ((*extension).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_OPTIONAL):

CHECK failed: (cpp_type((*extension).type)) == (FieldDescriptor::CPPTYPE_MESSAGE):

CHECK failed: (cpp_type((*extension).type)) == (FieldDescriptor::CPPTYPE_MESSAGE):

CHECK failed: ((*extension).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_REPEATED):

CHECK failed: ((*extension).is_repeated ? FieldDescriptor::LABEL_REPEATED : FieldDescriptor::LABEL_OPTIONAL) == (FieldDescriptor::LABEL_REPEATED):

Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:

Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:

Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:

Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:

Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:

Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:

Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().

Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().

google/protobuf/descriptor.proto

google/protobuf/descriptor.proto

google/protobuf/descriptor.proto

google/protobuf/descriptor.proto

google.protobuf"G

google.protobuf"G

2$.google.protobuf.FileDescriptorProto"

2$.google.protobuf.FileDescriptorProto"

2 .google.protobuf.DescriptorProto

2 .google.protobuf.DescriptorProto

2$.google.protobuf.EnumDescriptorProto

2$.google.protobuf.EnumDescriptorProto

2'.google.protobuf.ServiceDescriptorProto

2'.google.protobuf.ServiceDescriptorProto

2%.google.protobuf.FieldDescriptorProto

2%.google.protobuf.FieldDescriptorProto

.google.protobuf.FileOptions

.google.protobuf.FileOptions

.google.protobuf.SourceCodeInfo"

.google.protobuf.SourceCodeInfo"

2/.google.protobuf.DescriptorProto.ExtensionRange

2/.google.protobuf.DescriptorProto.ExtensionRange

.google.protobuf.MessageOptions

.google.protobuf.MessageOptions

2 .google.protobuf.FieldDescriptorProto.Label

2 .google.protobuf.FieldDescriptorProto.Label

2*.google.protobuf.FieldDescriptorProto.Type

2*.google.protobuf.FieldDescriptorProto.Type

.google.protobuf.FieldOptions"

.google.protobuf.FieldOptions"

2).google.protobuf.EnumValueDescriptorProto

2).google.protobuf.EnumValueDescriptorProto

.google.protobuf.EnumOptions"l

.google.protobuf.EnumOptions"l

2!.google.protobuf.EnumValueOptions"

2!.google.protobuf.EnumValueOptions"

2&.google.protobuf.MethodDescriptorProto

2&.google.protobuf.MethodDescriptorProto

.google.protobuf.ServiceOptions"

.google.protobuf.ServiceOptions"

.google.protobuf.MethodOptions"

.google.protobuf.MethodOptions"

2).google.protobuf.FileOptions.OptimizeMode:

2).google.protobuf.FileOptions.OptimizeMode:

2$.google.protobuf.UninterpretedOption":

2$.google.protobuf.UninterpretedOption":

2$.google.protobuf.UninterpretedOption*

2$.google.protobuf.UninterpretedOption*

2#.google.protobuf.FieldOptions.CType:

2#.google.protobuf.FieldOptions.CType:

experimental_map_key

experimental_map_key

2$.google.protobuf.UninterpretedOption"/

2$.google.protobuf.UninterpretedOption"/

2-.google.protobuf.UninterpretedOption.NamePart

2-.google.protobuf.UninterpretedOption.NamePart

2(.google.protobuf.SourceCodeInfo.Location

2(.google.protobuf.SourceCodeInfo.Location

com.google.protobufB

com.google.protobufB

Error reporting not implemented.

Error reporting not implemented.

\xx

\xx

google::protobuf::strings::CHexEscape

google::protobuf::strings::CHexEscape

google::protobuf::JoinStringsIterator

google::protobuf::JoinStringsIterator

CHECK failed: backup_bytes_ == 0 && buffer_.get() != NULL:

CHECK failed: backup_bytes_ == 0 && buffer_.get() != NULL:

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageError

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageError

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageTypeError

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageTypeError

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageEnumTypeError

google::protobuf::internal::`anonymous-namespace'::ReportReflectionUsageEnumTypeError

import "$0";

import "$0";

$0$1 $2 $3 = $4

$0$1 $2 $3 = $4

$0$1 = $2

$0$1 = $2

". To use it here, please add the necessary import.

". To use it here, please add the necessary import.

", which is not imported by "

", which is not imported by "

.placeholder.proto

.placeholder.proto

.PLACEHOLDER_VALUE

.PLACEHOLDER_VALUE

.dummy

.dummy

File recursively imports itself:

File recursively imports itself:

Missing field: FileDescriptorProto.name.

Missing field: FileDescriptorProto.name.

Import "

Import "

FieldDescriptorProto.extendee not set for extension field.

FieldDescriptorProto.extendee not set for extension field.

FieldDescriptorProto.extendee set for non-extension field.

FieldDescriptorProto.extendee set for non-extension field.

Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "

Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "

map_key must not name a repeated field.

map_key must not name a repeated field.

map key must name a scalar or string field.

map key must name a scalar or string field.

" is repeated. Repeated options are not supported.

" is repeated. Repeated options are not supported.

CHECK failed: !out.HadError():

CHECK failed: !out.HadError():

.foo = value".

.foo = value".

CHECK failed: dynamic.get() != NULL:

CHECK failed: dynamic.get() != NULL:

CHECK failed: (from.GetDescriptor()) == (descriptor):

CHECK failed: (from.GetDescriptor()) == (descriptor):

: Tried to copy from a message with a different type.to:

: Tried to copy from a message with a different type.to:

CHECK failed: !coded_out.HadError():

CHECK failed: !coded_out.HadError():

%d.%d.%d

%d.%d.%d

libprotobuf %s %s:%d] %s

libprotobuf %s %s:%d] %s

LeakRepair.proto

LeakRepair.proto

.LeakRepair.HOTFIXLEVEL:

.LeakRepair.HOTFIXLEVEL:

.LeakRepair.IGNOREREASON:

.LeakRepair.IGNOREREASON:

strLinkUrl

strLinkUrl

strOfficialDownloadUrl

strOfficialDownloadUrl

.LeakRepair.HOTFIXSTATE:

.LeakRepair.HOTFIXSTATE:

.LeakRepair.LEAKREPAIRTYPE"

.LeakRepair.LEAKREPAIRTYPE"

.LeakRepair.OUTDATA_HEADER

.LeakRepair.OUTDATA_HEADER

.LeakRepair.HOTFIXINFO"1

.LeakRepair.HOTFIXINFO"1

.LeakRepair.HOTFIXIDLIST"n

.LeakRepair.HOTFIXIDLIST"n

.LeakRepair.HOTFIXIDLIST"^

.LeakRepair.HOTFIXIDLIST"^

OUTDATA_GETWINDOWSUPDATESTATE

OUTDATA_GETWINDOWSUPDATESTATE

.LeakRepair.LEAKREPAIRTYPE"M

.LeakRepair.LEAKREPAIRTYPE"M

.LeakRepair.INDATA_HEADER

.LeakRepair.INDATA_HEADER

.LeakRepair.HOTFIXIDLIST

.LeakRepair.HOTFIXIDLIST

.LeakRepair.HOTFIXIDLIST"Z

.LeakRepair.HOTFIXIDLIST"Z

.LeakRepair.LEAKREPAIRTYPE"X

.LeakRepair.LEAKREPAIRTYPE"X

.LeakRepair.NOTIFYDATA_HEADER

.LeakRepair.NOTIFYDATA_HEADER

strNotifyCmd

strNotifyCmd

INDATA_SETWINDOWSUPDATESTATE

INDATA_SETWINDOWSUPDATESTATE

2!.LeakRepair.INDATA_DOWNLOADHOTFIX

2!.LeakRepair.INDATA_DOWNLOADHOTFIX

2 .LeakRepair.INDATA_INSTALLHOTFIX"O

2 .LeakRepair.INDATA_INSTALLHOTFIX"O

.LeakRepair.INDATA_HEADER"Q

.LeakRepair.INDATA_HEADER"Q

.LeakRepair.RETURNCODE"5

.LeakRepair.RETURNCODE"5

MIRRORLDOWNLOADURL

MIRRORLDOWNLOADURL

strMirrorlDownloadUrl

strMirrorlDownloadUrl

.LeakRepair.HOTFIXINFO

.LeakRepair.HOTFIXINFO

.LeakRepair.INSTALLCOMMAND

.LeakRepair.INSTALLCOMMAND

MirrorlDownloadUrl

MirrorlDownloadUrl

.LeakRepair.MIRRORLDOWNLOADURL"F

.LeakRepair.MIRRORLDOWNLOADURL"F

HOTFIXLEVEL_IMPORTANT

HOTFIXLEVEL_IMPORTANT

LeakRepair::OUTDATA_GETWINDOWSUPDATESTATE::MergeFrom

LeakRepair::OUTDATA_GETWINDOWSUPDATESTATE::MergeFrom

LeakRepair::INDATA_SETWINDOWSUPDATESTATE::MergeFrom

LeakRepair::INDATA_SETWINDOWSUPDATESTATE::MergeFrom

LeakRepair::MIRRORLDOWNLOADURL::MergeFrom

LeakRepair::MIRRORLDOWNLOADURL::MergeFrom

7438FEF7-71A6-4116-83C0-94C23BF3E228

7438FEF7-71A6-4116-83C0-94C23BF3E228

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

\\.\Scsi%d:

\\.\Scsi%d:

00000000

00000000

google::protobuf::TextFormat::Parser::ParserImpl::ReportError

google::protobuf::TextFormat::Parser::ParserImpl::ReportError

google::protobuf::TextFormat::Parser::ParserImpl::ReportWarning

google::protobuf::TextFormat::Parser::ParserImpl::ReportWarning

&#xX;

&#xX;

%s="%s"

%s="%s"

%s='%s'

%s='%s'

<!--%s-->

<!--%s-->

<![CDATA[%s]]>

<![CDATA[%s]]>

version="%s"

version="%s"

encoding="%s"

encoding="%s"

standalone="%s"

standalone="%s"

o:\app\gensoft\security-client\pc-faster\public\output\pdb\PcfTray.pdb

o:\app\gensoft\security-client\pc-faster\public\output\pdb\PcfTray.pdb

DirectUI.dll

DirectUI.dll

DataReport.dll

DataReport.dll

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegEnumKeyExW

RegEnumKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

?ReportIncCount@CBaiduStoreMgr@@QAEHK@Z

?ReportIncCount@CBaiduStoreMgr@@QAEHK@Z

?ReportIncCount@CBaiduStoreMgr@@QAEHKK@Z

?ReportIncCount@CBaiduStoreMgr@@QAEHKK@Z

?ReportValueEx@CBaiduStoreMgr@@QAEHKPB_W@Z

?ReportValueEx@CBaiduStoreMgr@@QAEHKPB_W@Z

?DoShellExecute@CBaiduStoreMgr@@QAEXV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@0@Z

?DoShellExecute@CBaiduStoreMgr@@QAEXV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@0@Z

?PostKrnMsg@CBaiduStoreMgr@@QAEHPB_W0PAXK0@Z

?PostKrnMsg@CBaiduStoreMgr@@QAEHPB_W0PAXK0@Z

?ReportStateEx@CBaiduStoreMgr@@QAEHKPB_W@Z

?ReportStateEx@CBaiduStoreMgr@@QAEHKPB_W@Z

BaiduStore.dll

BaiduStore.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

COMCTL32.dll

COMCTL32.dll

WTSAPI32.dll

WTSAPI32.dll

VERSION.dll

VERSION.dll

USERENV.dll

USERENV.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVBugReportHelper@@

.?AVBugReportHelper@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

zcÁ

zcÁ

.?AVCRegKey@ATL@@

.?AVCRegKey@ATL@@

.?AVCMyRegKeyBase@@

.?AVCMyRegKeyBase@@

.?AVOUTDATA_GETWINDOWSUPDATESTATE@LeakRepair@@

.?AVOUTDATA_GETWINDOWSUPDATESTATE@LeakRepair@@

.?AVINDATA_SETWINDOWSUPDATESTATE@LeakRepair@@

.?AVINDATA_SETWINDOWSUPDATESTATE@LeakRepair@@

.?AVMIRRORLDOWNLOADURL@LeakRepair@@

.?AVMIRRORLDOWNLOADURL@LeakRepair@@

.eYB>

.eYB>

:.UTT$

:.UTT$

\.CD9D

\.CD9D

"""%####

"""%####

@@@#@@@%@@@%@@@#@@@

@@@#@@@%@@@%@@@#@@@

"""%%%%!

"""%%%%!

@@@!@@@%@@@%@@@!@@@

@@@!@@@%@@@%@@@!@@@

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

5%5&636^6

5%5&636^6

6&757\7|7

6&757\7|7

9œ9

9œ9

0&151\1|1

0&151\1|1

4 4$4(4,4

4 4$4(4,4

3&454&585

3&454&585

3 3$3(3,30343

3 3$3(3,30343

7-868<8}>

7-868<8}>

0 0$0(0,00040

0 0$0(0,00040

: ;$;(;,;0;4;8;

: ;$;(;,;0;4;8;

4 4$4(4,404,5

4 4$4(4,404,5

4O5U5{5

4O5U5{5

5%5x5}5

5%5x5}5

=4=\=&?5?

=4=\=&?5?

42585?5|5

42585?5|5

?"?'?.?4?

?"?'?.?4?

7}7b7

7}7b7

0$0(0,00040

0$0(0,00040

6$7)767;7

6$7)767;7

9 9$9(9,9094989<9@9

9 9$9(9,9094989<9@9

7 7$7(7,7074787<7@7

7 7$7(7,7074787<7@7

3 3$3(3,3034383

3 3$3(3,3034383

= =$=(=,=0=4=8=<=@=

= =$=(=,=0=4=8=<=@=

5 5<5@5`5

5 5<5@5`5

explorer.exe

explorer.exe

HTTP/1.1

HTTP/1.1

BugReportConfig.ini

BugReportConfig.ini

ShowBugReport

ShowBugReport

DumpConfig.ini

DumpConfig.ini

_ServerStore.dat

_ServerStore.dat

http://

http://

product=%s;guid=%s;type=%d;

product=%s;guid=%s;type=%d;

/cgi-bin-py/dump_controler.cgi

/cgi-bin-py/dump_controler.cgi

CrashUL.exe

CrashUL.exe

trayreported

trayreported

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

serverreported

serverreported

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

BugReportConfig

BugReportConfig

BugInfoUploadURL

BugInfoUploadURL

http://sync.bav.baidu.com

http://sync.bav.baidu.com

BugURL

BugURL

http://bug.bav.baidu.com

http://bug.bav.baidu.com

Baidu Crash Report

Baidu Crash Report

CrashCallBackExe

CrashCallBackExe

c:\crash.ini

c:\crash.ini

ntdll.dll

ntdll.dll

CrashReport.exe

CrashReport.exe

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

%u.%u.%u.%u

%u.%u.%u.%u

PCAppStore.exe

PCAppStore.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Software\Microsoft\Windows\CurrentVersion\Uninstall\

\sysconfig.ini

\sysconfig.ini

\Baidu Security\PC Faster\4.0.0.0

\Baidu Security\PC Faster\4.0.0.0

\config.ini

\config.ini

url.ini

url.ini

%d:%d,%d:%d

%d:%d,%d:%d

Kernel32.dll

Kernel32.dll

Wtsapi32.dll

Wtsapi32.dll

PCFaster.exe

PCFaster.exe

MainExeName

MainExeName

C:\Users\Public\Documents

C:\Users\Public\Documents

"%s" %s

"%s" %s

BugReporter.exe

BugReporter.exe

d-d-d d:d:d

d-d-d d:d:d

Unknown error X

Unknown error X

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

LCWMIQuery::WMIQuery, Failed to initialize COM library. Error code = 0xx

LCWMIQuery::WMIQuery, Failed to initialize COM library. Error code = 0xx

CWMIQuery::WMIQuery, Failed to initialize security. Error code = 0xx

CWMIQuery::WMIQuery, Failed to initialize security. Error code = 0xx

CWMIQuery::WMIQuery, Failed to create IWbemLocator object. Err code = 0xx

CWMIQuery::WMIQuery, Failed to create IWbemLocator object. Err code = 0xx

CWMIQuery::WMIQuery, Could not connect. Error code = 0xx

CWMIQuery::WMIQuery, Could not connect. Error code = 0xx

CWMIQuery::WMIQuery, Could not set proxy blanket. Error code = 0xx

CWMIQuery::WMIQuery, Could not set proxy blanket. Error code = 0xx

PCFPopups.exe

PCFPopups.exe

CWMIQuery::WMIQuery, Query for Win32_QuickFixEngineering failed. Error code = 0xx

CWMIQuery::WMIQuery, Query for Win32_QuickFixEngineering failed. Error code = 0xx

Baidu PC Faster Popups_{PCFaster_4.0.0.0}

Baidu PC Faster Popups_{PCFaster_4.0.0.0}

PCFasterFeedback.exe

PCFasterFeedback.exe

Baidu PC Faster Feedback_{PCFaster_4.0.0.0}

Baidu PC Faster Feedback_{PCFaster_4.0.0.0}

Baidu PC Faster Gamefaster_{PCFaster_4.0.0.0}

Baidu PC Faster Gamefaster_{PCFaster_4.0.0.0}

GameFaster.exe

GameFaster.exe

Baidu PC Faster IEProtect_{PCFaster_4.0.0.0}

Baidu PC Faster IEProtect_{PCFaster_4.0.0.0}

IEProtect.exe

IEProtect.exe

Baidu PC Faster FasterNow_{PCFaster_4.0.0.0}

Baidu PC Faster FasterNow_{PCFaster_4.0.0.0}

FasterNow.exe

FasterNow.exe

Baidu PC Faster Flash Repair_{PCFaster_4.0.0.0}

Baidu PC Faster Flash Repair_{PCFaster_4.0.0.0}

FlashPlayerRepair.exe

FlashPlayerRepair.exe

LSPRepair.exe

LSPRepair.exe

Baidu PC Faster Layer Service Provider Repair_{PCFaster_4.0.0.0}

Baidu PC Faster Layer Service Provider Repair_{PCFaster_4.0.0.0}

Baidu PC Faster Network Repair_{PCFaster_4.0.0.0}

Baidu PC Faster Network Repair_{PCFaster_4.0.0.0}

DisconnectionEmergency.exe

DisconnectionEmergency.exe

Baidu PC Faster Facebook Repair_{PCFaster_4.0.0.0}

Baidu PC Faster Facebook Repair_{PCFaster_4.0.0.0}

FacebookRepair.exe

FacebookRepair.exe

Baidu PC Faster Network Speed Tester_{PCFaster_4.0.0.0}

Baidu PC Faster Network Speed Tester_{PCFaster_4.0.0.0}

InternetSpeedTest.exe

InternetSpeedTest.exe

FileRecovery.exe

FileRecovery.exe

Baidu PC Faster File Recovery_{PCFaster_4.0.0.0}

Baidu PC Faster File Recovery_{PCFaster_4.0.0.0}

Baidu PC Faster File fred_{PCFaster_4.0.0.0}

Baidu PC Faster File fred_{PCFaster_4.0.0.0}

FileShredder.exe

FileShredder.exe

Baidu PC Faster Default Programs Setting_{PCFaster_4.0.0.0}

Baidu PC Faster Default Programs Setting_{PCFaster_4.0.0.0}

DefaultPrograms.exe

DefaultPrograms.exe

Baidu PC Faster Extension Mgr_{PCFaster_4.0.0.0}

Baidu PC Faster Extension Mgr_{PCFaster_4.0.0.0}

Right-ClickMenuManager.exe

Right-ClickMenuManager.exe

Baidu PC Faster Desktop Assistant_{PCFaster_4.0.0.0}

Baidu PC Faster Desktop Assistant_{PCFaster_4.0.0.0}

DesktopCleaner.exe

DesktopCleaner.exe

Baidu PC Faster System Info_{PCFaster_4.0.0.0}

Baidu PC Faster System Info_{PCFaster_4.0.0.0}

SystemInformation.exe

SystemInformation.exe

/language=%s

/language=%s

Chrome

Chrome

chrome

chrome

Firefox

Firefox

firefox

firefox

Opera

Opera

opera

opera

%d.%d.%d.%d

%d.%d.%d.%d

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

HTTP\shell\open\command

HTTP\shell\open\command

pathToSignedProductExe

pathToSignedProductExe

user32.dll

user32.dll

[TrayWnd] ReleaseMutex error: %x

[TrayWnd] ReleaseMutex error: %x

Baidu PC Faster Tray_{PCFaster_4.0.0.0}

Baidu PC Faster Tray_{PCFaster_4.0.0.0}

Baidu PC Fatser Tray Mutex_{PCFaster_4.0.0.0}

Baidu PC Fatser Tray Mutex_{PCFaster_4.0.0.0}

[TrayWnd] CreateMutex error: %d

[TrayWnd] CreateMutex error: %d

[MainFrame] Failed to call CreateFileMapping, ErrorCode:%x

[MainFrame] Failed to call CreateFileMapping, ErrorCode:%x

[Main Frame] Failed to call MapViewOfFile, ErrorCode:%x

[Main Frame] Failed to call MapViewOfFile, ErrorCode:%x

PCFasterSvc.exe

PCFasterSvc.exe

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

CMyRegKeyBase::Open, m_mapRegKey.find(%s)

CMyRegKeyBase::Open, m_mapRegKey.find(%s)

CMyRegKeyBase::EqualType, m_mapRegType.find(%s)

CMyRegKeyBase::EqualType, m_mapRegType.find(%s)

%s%d bytes to %d wide chars

%s%d bytes to %d wide chars

%d wide chars to %s%d bytes

%d wide chars to %s%d bytes

No start tag for end tag '%s' at offset %d

No start tag for end tag '%s' at offset %d

End tag '%s' at offset %d does not match start tag '%s' at offset %d

End tag '%s' at offset %d does not match start tag '%s' at offset %d

Element '%s' at offset %d not ended

Element '%s' at offset %d not ended

%s at offset %d unterminated

%s at offset %d unterminated

Incorrect %s at offset %d

Incorrect %s at offset %d

skin\common\common.bskin

skin\common\common.bskin

skin\PcfTray\PcfTray.bskin

skin\PcfTray\PcfTray.bskin

DumpReportInterval

DumpReportInterval

Baidu PC Faster_{PCFaster_4.0.0.0}

Baidu PC Faster_{PCFaster_4.0.0.0}

-pushmsgDlg

-pushmsgDlg

UpLoadReportErrorDmp

UpLoadReportErrorDmp

-urlcensor

-urlcensor

%s|%s

%s|%s

NewFeatures.exe

NewFeatures.exe

SdkConfig.ini

SdkConfig.ini

\PcfTray\PcfTray.bskin

\PcfTray\PcfTray.bskin

-ShowPlugin %u %u

-ShowPlugin %u %u

TrayIcon loading result code: %x

TrayIcon loading result code: %x

Failed to add TrayIcon,last error code: %x

Failed to add TrayIcon,last error code: %x

Failed to delete TrayIcon,last error code: %x

Failed to delete TrayIcon,last error code: %x

d/d/d d:d:d.d

d/d/d d:d:d.d

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

mainFrame.confirmexit

mainFrame.confirmexit

mainFrame.confirmexit.orange

mainFrame.confirmexit.orange

static.msg2

static.msg2

dlg.tip.confirmexit

dlg.tip.confirmexit

mainFrame.autostart.dlg

mainFrame.autostart.dlg

static.msg

static.msg

[Confirm Dlg] Failed to call CreateFileMapping, ErrorCode:%x

[Confirm Dlg] Failed to call CreateFileMapping, ErrorCode:%x

[Confirm Dlg] Failed to call MapViewOfFile, ErrorCode:%x

[Confirm Dlg] Failed to call MapViewOfFile, ErrorCode:%x

[ConfirmDlg] Failed to call CreateFileMapping, ErrorCode:%x

[ConfirmDlg] Failed to call CreateFileMapping, ErrorCode:%x

[ConfirmDlg] Failed to call MapViewOfFile, ErrorCode:%x

[ConfirmDlg] Failed to call MapViewOfFile, ErrorCode:%x

btn.ok

btn.ok

btn.cancel

btn.cancel

btn.neverAsk

btn.neverAsk

default.bskin

default.bskin

INDATA_HEADER::Load, pb.ParseFromArray(0xx, %d)

INDATA_HEADER::Load, pb.ParseFromArray(0xx, %d)

NOTIFYDATA_HEADER::Load, pb.ParseFromArray(0xx, %d)

NOTIFYDATA_HEADER::Load, pb.ParseFromArray(0xx, %d)

NOTIFYDATA_SCANLEAK::Load, pb.ParseFromArray(0xx, %d)

NOTIFYDATA_SCANLEAK::Load, pb.ParseFromArray(0xx, %d)

INDATA_LEAKREPAIRINIT::Load, pb.ParseFromArray(0xx, %d)

INDATA_LEAKREPAIRINIT::Load, pb.ParseFromArray(0xx, %d)

@HKEY_CURRENT_CONFIG

@HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

version.xml

version.xml

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

ReportURL

ReportURL

DataReport

DataReport

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

4.0.1.56500

4.0.1.56500

%Documents and Settings%\All Users\

%Documents and Settings%\All Users\

\Baidu Security\PC Faster\4.0.0.0\Dump

\Baidu Security\PC Faster\4.0.0.0\Dump

5.1.2600.5512 (xpsp.080413-21

5.1.2600.5512 (xpsp.080413-21

%Program Files%\Baidu Security\PC Faster\4.0.0.0\Pcftray.exe

%Program Files%\Baidu Security\PC Faster\4.0.0.0\Pcftray.exe

4,0,1,56101

4,0,1,56101

PCFasterSvc.exe_3424:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

CNotSupportedException

CNotSupportedException

hhctrl.ocx

hhctrl.ocx

CCmdTarget

CCmdTarget

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

KrnMsg

KrnMsg

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

\\.\Scsi%d:

\\.\Scsi%d:

00000000

00000000

&#xX;

&#xX;

%s="%s"

%s="%s"

%s='%s'

%s='%s'

<!--%s-->

<!--%s-->

<![CDATA[%s]]>

<![CDATA[%s]]>

version="%s"

version="%s"

encoding="%s"

encoding="%s"

standalone="%s"

standalone="%s"

p:\app\gensoft\security-client\pc-faster\public\output\pdb\PCFasterSvc.pdb

p:\app\gensoft\security-client\pc-faster\public\output\pdb\PCFasterSvc.pdb

DataReport.dll

DataReport.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

ConnectNamedPipe

ConnectNamedPipe

WaitNamedPipeW

WaitNamedPipeW

SetNamedPipeHandleState

SetNamedPipeHandleState

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

UnhookWindowsHookEx

UnhookWindowsHookEx

GetKeyState

GetKeyState

SetWindowsHookExW

SetWindowsHookExW

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GDI32.dll

GDI32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegOpenKeyW

RegOpenKeyW

RegCreateKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

WTSAPI32.dll

WTSAPI32.dll

VERSION.dll

VERSION.dll

USERENV.dll

USERENV.dll

BHips.dll

BHips.dll

OLEACC.dll

OLEACC.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.?AVCCmdUI@@

zcÁ

zcÁ

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVBugReportHelper@@

.?AVBugReportHelper@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

.?AUKrnMsg@Msg@KRN_UI_protocol@@

.?AUKrnMsg@Msg@KRN_UI_protocol@@

.PAVCException@@

.PAVCException@@

.?AUPIPEINST2@@

.?AUPIPEINST2@@

.eYB>

.eYB>

:.UTT$

:.UTT$

\.CD9D

\.CD9D

"""%####

"""%####

@@@#@@@%@@@%@@@#@@@

@@@#@@@%@@@%@@@#@@@

"""%%%%!

"""%%%%!

@@@!@@@%@@@%@@@!@@@

@@@!@@@%@@@%@@@!@@@

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

8(8-8X8}8

8(8-8X8}8

9&>6>]>}>

9&>6>]>}>

2.34383<3@3

2.34383<3@3

1#1)1.141

1#1)1.141

9 9$9(9,9

9 9$9(9,9

;8;<;\;`;|;

;8;<;\;`;|;

0(9,90949

0(9,90949

9 9$9(9,90949

9 9$9(9,90949

: :$:(:,:0:4:8:

: :$:(:,:0:4:8:

C%s (%s:%d)

C%s (%s:%d)

%s (%s:%d)

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

Ccomctl32.dll

Ccomctl32.dll

Ccomdlg32.dll

Ccomdlg32.dll

Cshell32.dll

Cshell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

ole32.dll

ole32.dll

accKeyboardShortcut

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

commctrl_DragListMsg

commctrl_DragListMsg

kernel32.dll

kernel32.dll

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL

explorer.exe

explorer.exe

HTTP/1.1

HTTP/1.1

BugReportConfig.ini

BugReportConfig.ini

ShowBugReport

ShowBugReport

DumpConfig.ini

DumpConfig.ini

_ServerStore.dat

_ServerStore.dat

http://

http://

product=%s;guid=%s;type=%d;

product=%s;guid=%s;type=%d;

/cgi-bin-py/dump_controler.cgi

/cgi-bin-py/dump_controler.cgi

CrashUL.exe

CrashUL.exe

trayreported

trayreported

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

serverreported

serverreported

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

BugReportConfig

BugReportConfig

BugInfoUploadURL

BugInfoUploadURL

http://sync.bav.baidu.com

http://sync.bav.baidu.com

BugURL

BugURL

http://bug.bav.baidu.com

http://bug.bav.baidu.com

Baidu Crash Report

Baidu Crash Report

CrashCallBackExe

CrashCallBackExe

c:\crash.ini

c:\crash.ini

ntdll.dll

ntdll.dll

CrashReport.exe

CrashReport.exe

Eversion.xml

Eversion.xml

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

ReportURL

ReportURL

DataReport

DataReport

%u.%u.%u.%u

%u.%u.%u.%u

PCAppStore.exe

PCAppStore.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Software\Microsoft\Windows\CurrentVersion\Uninstall\

d-d-d d:d:d

d-d-d d:d:d

Unknown error X

Unknown error X

\sysconfig.ini

\sysconfig.ini

\Baidu Security\PC Faster\4.0.0.0

\Baidu Security\PC Faster\4.0.0.0

\config.ini

\config.ini

url.ini

url.ini

%d:%d,%d:%d

%d:%d,%d:%d

Kernel32.dll

Kernel32.dll

Wtsapi32.dll

Wtsapi32.dll

PCFaster.exe

PCFaster.exe

MainExeName

MainExeName

C:\Users\Public\Documents

C:\Users\Public\Documents

"%s" %s

"%s" %s

BugReporter.exe

BugReporter.exe

failed to GetModuleFileName: 0x%x

failed to GetModuleFileName: 0x%x

[ClientAgent2] create window %s

[ClientAgent2] create window %s

lastError: %d

lastError: %d

(id: %d,name:%S),

(id: %d,name:%S),

[ClientAgent2] (id:%d name:%S)

[ClientAgent2] (id:%d name:%S)

(id:%d name:%S),

(id:%d name:%S),

[ClientBackground2] IPCMessage (ID:%d name:%S)

[ClientBackground2] IPCMessage (ID:%d name:%S)

[ClientBackground2] DisconnectNamedPipe

[ClientBackground2] DisconnectNamedPipe

:0x%x

:0x%x

[ClientBackground2] SetNamedPipeHandleState

[ClientBackground2] SetNamedPipeHandleState

[IPC] Readfile from server pipe failed. Errorcode: %d.

[IPC] Readfile from server pipe failed. Errorcode: %d.

[ServerAgent2] create window %s

[ServerAgent2] create window %s

CreateNamedPipe

CreateNamedPipe

LastError [%d]

LastError [%d]

intrusive_ptr_add_ref : %S %d

intrusive_ptr_add_ref : %S %d

[ClientBackground] DisconnectNamedPipe

[ClientBackground] DisconnectNamedPipe

[IPC] Readfile from client pipe failed. Errorcode: %d.

[IPC] Readfile from client pipe failed. Errorcode: %d.

[ipcChannel] found no channel of this type:%d

[ipcChannel] found no channel of this type:%d

[ipcChannel::GetPipeHandle]

[ipcChannel::GetPipeHandle]

ClientBackground, pipe:%s, channel:%s

ClientBackground, pipe:%s, channel:%s

\\.\Pipe\%s

\\.\Pipe\%s

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

Updater.exe

Updater.exe

LookupPrivilegeValue error: %u

LookupPrivilegeValue error: %u

AdjustTokenPrivileges error: %u

AdjustTokenPrivileges error: %u

user name: %s, domain: %s

user name: %s, domain: %s

WTSEnumerateSessions failed, error code:%u

WTSEnumerateSessions failed, error code:%u

WTSEnumerateSessions OK, %u sessions

WTSEnumerateSessions OK, %u sessions

%dth session: %s, id:%d, state:%d

%dth session: %s, id:%d, state:%d

OnSessionLogon, session id: %d

OnSessionLogon, session id: %d

OnSessionLogoff, session id: %d

OnSessionLogoff, session id: %d

OnSessionConnect, session id: %d

OnSessionConnect, session id: %d

StartAppForUser: %s, thread id: %u

StartAppForUser: %s, thread id: %u

CreateEnvironmentBlock failed, error code:%u, thread id: %u

CreateEnvironmentBlock failed, error code:%u, thread id: %u

CreateProcessAsUser for %s OK., thread id: %u

CreateProcessAsUser for %s OK., thread id: %u

CreateProcessAsUser failed, error code:%u, thread id: %u

CreateProcessAsUser failed, error code:%u, thread id: %u

Enter StartAppForActiveUser, thread id: %u

Enter StartAppForActiveUser, thread id: %u

Before WTSQueryUserToken, thread id: %u

Before WTSQueryUserToken, thread id: %u

QueryUserToken failed, error code:%u, thread id: %u

QueryUserToken failed, error code:%u, thread id: %u

GetTokenInformation failed, error code:%u, thread id: %u

GetTokenInformation failed, error code:%u, thread id: %u

StartAppForActiveUser: %s, thread id: %u

StartAppForActiveUser: %s, thread id: %u

LogReporter.exe

LogReporter.exe

"%s" -show_ui -launch_uac_app %s

"%s" -show_ui -launch_uac_app %s

"%s" -launch_uac_app %s

"%s" -launch_uac_app %s

OnShutdown, thread id: %u

OnShutdown, thread id: %u

Leave StartAppForActiveUser, thread id: %u

Leave StartAppForActiveUser, thread id: %u

"%s" found, session id: %u, process id: %u

"%s" found, session id: %u, process id: %u

CreateEnvironmentBlock Failed: %u

CreateEnvironmentBlock Failed: %u

CreateProcessAsUser Failed, error code: %u

CreateProcessAsUser Failed, error code: %u

OnInit, thread id: %u

OnInit, thread id: %u

WTSEnumerateSessions failed, error code: %u

WTSEnumerateSessions failed, error code: %u

winlogon.exe

winlogon.exe

Process token open Error: %u

Process token open Error: %u

DuplicateTokenEx Error: %u

DuplicateTokenEx Error: %u

%s %s

%s %s

\PcfPopups.exe

\PcfPopups.exe

-ieprotectDlg %d %d "%s"

-ieprotectDlg %d %d "%s"

-homepageDlg %d "%s"

-homepageDlg %d "%s"

HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\services\PCFasterSvc_{PCFaster_4.0.0.0}

HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\services\PCFasterSvc_{PCFaster_4.0.0.0}

HKEY_CURRENT_USER\SOFTWARE\Baidu Security\PC Faster

HKEY_CURRENT_USER\SOFTWARE\Baidu Security\PC Faster

HKEY_LOCAL_MACHINE\SOFTWARE\Baidu Security\PC Faster

HKEY_LOCAL_MACHINE\SOFTWARE\Baidu Security\PC Faster

HKEY_CURRENT_USER\SOFTWARE\Baidu Security\PC Faster\4.0.0.0

HKEY_CURRENT_USER\SOFTWARE\Baidu Security\PC Faster\4.0.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Baidu Security\PC Faster\4.0.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Baidu Security\PC Faster\4.0.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Baidu PC Faster 4.0.0.0

Baidu PC Faster 4.0.0.0

BHips_RegisterCallback: %u(%s)

BHips_RegisterCallback: %u(%s)

PSafeSysTray.exe

PSafeSysTray.exe

PSafeWD.exe

PSafeWD.exe

PSafeSvc.exe

PSafeSvc.exe

psprotegesvc.exe

psprotegesvc.exe

CMsgRouteMgr::StopMgr

CMsgRouteMgr::StopMgr

PluginConfig.xml

PluginConfig.xml

Unload component: %s

Unload component: %s

Component: %s!

Component: %s!

Load component %s successfully!

Load component %s successfully!

Can not unload component %s because the done function returns EXEC_ERROR!

Can not unload component %s because the done function returns EXEC_ERROR!

Force to unload component %s even done function returns EXEC_ERROR!

Force to unload component %s even done function returns EXEC_ERROR!

Updating component: %s

Updating component: %s

CMsgRouteMgr::QueryInterface :

CMsgRouteMgr::QueryInterface :

CMsgRouteMgr::QueryInterface : Load Component %s

CMsgRouteMgr::QueryInterface : Load Component %s

CMsgRouteMgr::DispatchMsg :

CMsgRouteMgr::DispatchMsg :

strCMDID

strCMDID

CMsgRouteMgr::QueryInfByCmdID :

CMsgRouteMgr::QueryInfByCmdID :

bd_krn_ui_D3152864-5AFF-42e3-9FB2-99ABF218961_{PCFaster_4.0.0.0}

bd_krn_ui_D3152864-5AFF-42e3-9FB2-99ABF218961_{PCFaster_4.0.0.0}

PCFShellEx.dll

PCFShellEx.dll

PCFShellEx64.dll

PCFShellEx64.dll

regsvr32.exe /s /i "%s%s"

regsvr32.exe /s /i "%s%s"

ReadFile, CreateFile(%s), GetLastError()=%u

ReadFile, CreateFile(%s), GetLastError()=%u

ReadFile, _tstat(%s), errno=%d, st.st_size=%d

ReadFile, _tstat(%s), errno=%d, st.st_size=%d

ReadFile, ::ReadFile(st.st_size=%u, dwNumberOfBytesRead=%u), GetLastError()=%u

ReadFile, ::ReadFile(st.st_size=%u, dwNumberOfBytesRead=%u), GetLastError()=%u

CMsgRouteMgr::DoWork

CMsgRouteMgr::DoWork

DumpReportInterval

DumpReportInterval

LogReport

LogReport

-send_uu_msg

-send_uu_msg

-no_ui -send_uu_msg

-no_ui -send_uu_msg

SOFTWARE\Baidu Security\PC Faster\4.0.0.0\Statistic

SOFTWARE\Baidu Security\PC Faster\4.0.0.0\Statistic

ReportSysOpt

ReportSysOpt

"-send_p_msg=%s"

"-send_p_msg=%s"

UpLoadReportErrorDmp

UpLoadReportErrorDmp

PCAppStore_Setup.exe

PCAppStore_Setup.exe

"%s" /S /PCF

"%s" /S /PCF

com_ui_shellexecute

com_ui_shellexecute

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Receive unknown init msg

Receive unknown init msg

Send kernel response to process: %s error!

Send kernel response to process: %s error!

Global\BDKERNELPROTECTOR_{PCFaster_4.0.0.0}

Global\BDKERNELPROTECTOR_{PCFaster_4.0.0.0}

log2.dll

log2.dll

PCFasterSvc_{PCFaster_4.0.0.0}

PCFasterSvc_{PCFaster_4.0.0.0}

SOFTWARE\Baidu Security\PC Faster\4.0.0.0\Setup

SOFTWARE\Baidu Security\PC Faster\4.0.0.0\Setup

d/d/d d:d:d.d

d/d/d d:d:d.d

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

A"%s" %s

A"%s" %s

CHelper::RunExeInSvc, CreateProcess(%s), pi.hProcess=%u

CHelper::RunExeInSvc, CreateProcess(%s), pi.hProcess=%u

A[ServerBackground] PIPEINST

A[ServerBackground] PIPEINST

[ServerBackground] PIPEINST

[ServerBackground] PIPEINST

%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterSvc.exe

%Program Files%\Baidu Security\PC Faster\4.0.0.0\PCFasterSvc.exe

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

4.0.1.56500

4.0.1.56500

%Documents and Settings%\All Users\

%Documents and Settings%\All Users\

\Baidu Security\PC Faster\4.0.0.0\Dump

\Baidu Security\PC Faster\4.0.0.0\Dump

5.1.2600.5512 (xpsp.080413-21

5.1.2600.5512 (xpsp.080413-21

4,0,1,55642

4,0,1,55642

%original file name%.exe_2472_rwx_02020000_00004000:

System.Deployment.resources

System.Deployment.resources

FasterNow.exe_3500:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

tGHt.Ht&

tGHt.Ht&

kernel32.dll

kernel32.dll

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

7438FEF7-71A6-4116-83C0-94C23BF3E228

7438FEF7-71A6-4116-83C0-94C23BF3E228

RegDeleteKeyExW

RegDeleteKeyExW

&#xX;

&#xX;

%s="%s"

%s="%s"

%s='%s'

%s='%s'

<!--%s-->

<!--%s-->

<![CDATA[%s]]>

<![CDATA[%s]]>

version="%s"

version="%s"

encoding="%s"

encoding="%s"

standalone="%s"

standalone="%s"

o:\app\gensoft\security-client\pc-faster\public\output\pdb\FasterNow.pdb

o:\app\gensoft\security-client\pc-faster\public\output\pdb\FasterNow.pdb

DirectUI.dll

DirectUI.dll

DataReport.dll

DataReport.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

EnumWindows

EnumWindows

USER32.dll

USER32.dll

RegCreateKeyExW

RegCreateKeyExW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHLWAPI.dll

SHLWAPI.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

WTSAPI32.dll

WTSAPI32.dll

VERSION.dll

VERSION.dll

PSAPI.DLL

PSAPI.DLL

pdh.dll

pdh.dll

USERENV.dll

USERENV.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVCHeapMemAlloc@BugReportHelper@@

.?AVBugReportHelper@@

.?AVBugReportHelper@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

.?AV?$CSafeSingleton@VBugReportHelper@@@@

zcÁ

zcÁ

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

0*1014181<1

0*1014181<1

5 5$5@5\5`5|5

5 5$5@5\5`5|5

explorer.exe

explorer.exe

HTTP/1.1

HTTP/1.1

BugReportConfig.ini

BugReportConfig.ini

ShowBugReport

ShowBugReport

DumpConfig.ini

DumpConfig.ini

_ServerStore.dat

_ServerStore.dat

http://

http://

product=%s;guid=%s;type=%d;

product=%s;guid=%s;type=%d;

/cgi-bin-py/dump_controler.cgi

/cgi-bin-py/dump_controler.cgi

CrashUL.exe

CrashUL.exe

trayreported

trayreported

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

/Start:%s /Program:%s /Path:%s /Version:%s /Module:%s /App:%s /ID:%s /Email:%s /DumpPath:%s

serverreported

serverreported

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

BugReportConfig

BugReportConfig

BugInfoUploadURL

BugInfoUploadURL

http://sync.bav.baidu.com

http://sync.bav.baidu.com

BugURL

BugURL

http://bug.bav.baidu.com

http://bug.bav.baidu.com

Baidu Crash Report

Baidu Crash Report

CrashCallBackExe

CrashCallBackExe

c:\crash.ini

c:\crash.ini

ntdll.dll

ntdll.dll

CrashReport.exe

CrashReport.exe

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

d-d-d d:d:d

d-d-d d:d:d

Unknown error X

Unknown error X

\sysconfig.ini

\sysconfig.ini

\Baidu Security\PC Faster\4.0.0.0

\Baidu Security\PC Faster\4.0.0.0

\config.ini

\config.ini

url.ini

url.ini

%d:%d,%d:%d

%d:%d,%d:%d

Kernel32.dll

Kernel32.dll

Wtsapi32.dll

Wtsapi32.dll

PCFaster.exe

PCFaster.exe

MainExeName

MainExeName

C:\Users\Public\Documents

C:\Users\Public\Documents

"%s" %s

"%s" %s

BugReporter.exe

BugReporter.exe

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, user_info::UniqueUserID::GetActiveDesktopToken()=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetFolderPath(%d)=%u

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

COMM_FUNC::GetAppDataDir, SHGetSpecialFolderPath(%d)

FasterNow.dat

FasterNow.dat

Can not open process, lasterror = %d

Can not open process, lasterror = %d

\FasterNow.db

\FasterNow.db

\\.\PCFBdApiUtil

\\.\PCFBdApiUtil

Find a hung process, id = %d

Find a hung process, id = %d

img_pop_percent_1.png

img_pop_percent_1.png

skin\scattered\FasterNow\img_pop_percent_0.png

skin\scattered\FasterNow\img_pop_percent_0.png

img_pop_percent_2.png

img_pop_percent_2.png

MNBST.title

MNBST.title

tree.proc

tree.proc

tree.result

tree.result

pop.mem.num

pop.mem.num

pop.status.text

pop.status.text

pop.status.text.vigorous

pop.status.text.vigorous

pop.status.note.vigorous

pop.status.note.vigorous

pop.status.text.tired

pop.status.text.tired

pop.status.note.tired

pop.status.note.tired

pop.status.text.exhausted

pop.status.text.exhausted

pop.status.note.exhausted

pop.status.note.exhausted

pop.status.note

pop.status.note

pop.static.mem

pop.static.mem

pop.static.cpu

pop.static.cpu

pop.static.io

pop.static.io

chk.select

chk.select

pop.tree.text.junk

pop.tree.text.junk

%s,%s;

%s,%s;

btn.boost

btn.boost

layout.main

layout.main

layout.normal

layout.normal

layout.cleaning

layout.cleaning

layout.result

layout.result

pop.result.size.note

pop.result.size.note

pop.status.speed.end.size

pop.status.speed.end.size

layout.normal.result

layout.normal.result

layout.normal.speeding

layout.normal.speeding

layout.normal.speed.end

layout.normal.speed.end

pop.tree.text.clean

pop.tree.text.clean

pop.tree.text.recommend

pop.tree.text.recommend

pop.tree.text.depends

pop.tree.text.depends

pop.tree.text.common

pop.tree.text.common

Tahoma.13.bold

Tahoma.13.bold

\%s(_Total)\%s

\%s(_Total)\%s

\%s(%s)\%s

\%s(%s)\%s

2Iphlpapi.dll

2Iphlpapi.dll

Iphlpapi.dll

Iphlpapi.dll

ResetDataIncrement, name = %s

ResetDataIncrement, name = %s

skin\scattered\FasterNow\img_percent_0.png

skin\scattered\FasterNow\img_percent_0.png

img_percent_1.png

img_percent_1.png

img_percent_2.png

img_percent_2.png

outer_circle.png

outer_circle.png

skin\Common\Common.bskin

skin\Common\Common.bskin

skin\tools\Common\Common.bskin

skin\tools\Common\Common.bskin

skin\tools\FasterNow\FasterNow.bskin

skin\tools\FasterNow\FasterNow.bskin

layout.speeding

layout.speeding

layout.speed

layout.speed

\tools\FasterNow\FasterNow.bskin

\tools\FasterNow\FasterNow.bskin

pop.static.mem.usage

pop.static.mem.usage

InternetSpeedTest.exe

InternetSpeedTest.exe

MNBST.netTest

MNBST.netTest

DisconnectionEmergency.exe

DisconnectionEmergency.exe

MNBST.netRepair

MNBST.netRepair

GameFaster.exe

GameFaster.exe

MNBST.gameFaster

MNBST.gameFaster

MNBST.transparency

MNBST.transparency

MNBST.hideInFullScreen

MNBST.hideInFullScreen

MNBST.hideBooster

MNBST.hideBooster

MNBST.alwaysOnTop

MNBST.alwaysOnTop

%d-%d-%d %d:%d:%d

%d-%d-%d %d:%d:%d

m_bShowGuidePop=%d ---------------

m_bShowGuidePop=%d ---------------

skin\common\common.bskin

skin\common\common.bskin

Baidu PC Faster FasterNow_{PCFaster_4.0.0.0}

Baidu PC Faster FasterNow_{PCFaster_4.0.0.0}

skin\tools\common\common.bskin

skin\tools\common\common.bskin

Pdh.dll

Pdh.dll

%s_Process

%s_Process

%s_DiskIo

%s_DiskIo

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

d/d/d d:d:d.d

d/d/d d:d:d.d

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_memory_name_{48D28937-41F9-4e2d-B333-BD5717FE2904}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_share_momory_mutex_{FE0D80C5-F99F-495b-8C5E-5C1DD8B897CF}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_buffer_ready_sema_{ACB1FF3E-5A36-4abc-AC60-B39B60B93BE4}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

Global\baidu_pcf_log_data_ready_event_{352CD775-0FFA-4c23-804E-E414962419CE}

user32.dll

user32.dll

\skin\Scattered\SkinList\default.bskin

\skin\Scattered\SkinList\default.bskin

version.xml

version.xml

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu PC Faster 4.0.0.0

ReportURL

ReportURL

DataReport

DataReport

@Advapi32.dll

@Advapi32.dll

Baidu PC Faster Tray_{PCFaster_4.0.0.0}

Baidu PC Faster Tray_{PCFaster_4.0.0.0}

default.bskin

default.bskin

\SHELL32.DLL

\SHELL32.DLL

imageres.dll

imageres.dll

Ashell32.dll

Ashell32.dll

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

%Program Files%\Baidu Security\PC Faster\4.0.0.0\

4.0.1.56500

4.0.1.56500

%Documents and Settings%\All Users\

%Documents and Settings%\All Users\

\Baidu Security\PC Faster\4.0.0.0\Dump

\Baidu Security\PC Faster\4.0.0.0\Dump

5.1.2600.5512 (xpsp.080413-21

5.1.2600.5512 (xpsp.080413-21

%Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.exe

%Program Files%\Baidu Security\PC Faster\4.0.0.0\FasterNow.exe

4,0,1,55145

4,0,1,55145