Start:
HKU\S-1-5-21-2034617936-65545164-3351714256-1001\...\Run: [bidiCore] => rundll32 "C:\Users\salon\AppData\Roaming\Microsoft\ApphdWSD\bootrvps.dll",DllRegisterServer
HKU\S-1-5-21-2034617936-65545164-3351714256-1001\...\Run: [APHotenc] => rundll32 "C:\Users\salon\AppData\Roaming\Microsoft\AcWiedDS\AppIpapi.dll",DllRegisterServer
CMD: dir /a "C:\Users\salon\AppData\Roaming"
CMD: dir /a "C:\Users\admin\AppData\Roaming"
C:\users\salon\AppData\Roaming\Microsoft\ApphdWSD
C:\users\salon\AppData\Roaming\Microsoft\AcWiedDS
End: