Remote Host Port Number
173.212.218.186 32211
193.105.207.31 80
193.105.207.32 80
221.230.2.208 80
91.188.59.197 80
93.174.92.220 80
58.59.85ae.static.theplanet.com 25
195.50.106.142 25
199.185.220.200 25
65.54.188.72 25
66.94.236.34 25
67.195.168.230 25
67.195.168.31 25
74.125.43.27 25
74.125.45.27 25
210.166.223.51 3305 ircd here pass secretpass
212.117.177.136 3954
212.117.185.40 21131
222.170.127.203 88
65.55.16.121 443
67.215.233.58 3491
NICK P|g7q3gjyde
USER o4wzlowrn * 0 :USA|XP|034
USERHOST P|g7q3gjyde
MODE P|g7q3gjyde
JOIN #mm RSA
* The data identified by the following URLs was then requested from the remote web server:
o http://mskla.com/list.php?c=CCD4F7201FA9218D5DBACCE4490CE83977EE78439BA9339A18205017268C99A00C323C213F48F09E641D61FB8DC8103224DEFE096019DA8B3C48943F&v=2&t=0.5280268
o http://streq.cn/in.cgi?ka2
o http://ku.perfectexe.com:88/WINC.exe
o http://ad.ghura.pl/dm.exe
o http://vbmcom.com/read.txt
o http://vbmcom.com/doc/err1.txt
o http://vbmcom.com/doc/err4.txt
o http://vbmcom.com/doc/err3.txt
o http://vbmcom.com/doc/err2.txt
* The following ports were open in the system:
Port Protocol Process
69 UDP unwise_.exe (%FontsDir%unwise_.exe)
1088 TCP unwise_.exe (%FontsDir%unwise_.exe)
53534 TCP unwise_.exe (%FontsDir%unwise_.exe)
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun
o HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdate
o HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT
o HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NT
o HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTWindows File Protection
o HKEY_LOCAL_MACHINESOFTWAREAGProtect
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000Control
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts Controller
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts ControllerSecurity
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts ControllerEnum
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000Control
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts Controller
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts ControllerSecurity
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts ControllerEnum
o HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerInternational
o HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet SettingsP3P
o HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet SettingsP3PHistory
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun]
+ h612wm = “%Temp%917ded.exe”
so that 917ded.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ aaaaaaaa� = “%System%aaaaaaaa�.exe”
so that aaaaaaaa�.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShell Extensions]
+ intime = “06/12/2010, 00:49 AM”
+ reup = 0x0000006E
o [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdate]
+ DoNotAllowXPSP2 = 0x00000001
o [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT]
+ DontReportInfectionInformation = 0x00000001
o [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTWindows File Protection]
+ SFCDisable = 0xFFFFFF9D
+ SFCScan = 0x00000000
o [HKEY_LOCAL_MACHINESOFTWAREAGProtect]
+ Cfg = 09 00 00 00 6A 42 00 00 A8 D4 0A 20 EB EA EA EA ED EA FC EA EA EA EA EA 3A EA 1B 13 1E 04 12 04 18 1F 1B 04 1B 1E 18 EA FC EA EA EA EA EA 3A EA 18 18 1B 04 18 19 1A 04 18 04 18 1A 12 EA FC EA EA EA EA EA 3A EA 1B 13 1E 04 12 04 18 1F 1B 04 1B 1E 1E E
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000]
+ Service = “Windows Hosts Controller”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts ControllerEnum]
+ 0 = “RootLEGACY_WINDOWS_HOSTS_CONTROLLER�000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts ControllerSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWindows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “”%FontsDir%unwise_.exe””
+ DisplayName = “Windows Hosts Controller”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables Windows Host Controller Service. This service cannot be stopped.”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER�000]
+ Service = “Windows Hosts Controller”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts ControllerEnum]
+ 0 = “RootLEGACY_WINDOWS_HOSTS_CONTROLLER�000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts ControllerSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWindows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “”%FontsDir%unwise_.exe””
+ DisplayName = “Windows Hosts Controller”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables Windows Host Controller Service. This service cannot be stopped.”
o [HKEY_USERS.DEFAULTAppEventsSchemesAppsExplorerNavigating.Current]
+ (Default) = “”
o [HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMain]
+ DisableScriptDebuggerIE = “ye”
+ Error Dlg Displayed On Every Error = “ye”
o [HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerInternational]
+ W2KLpk = 0x00000000
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorer]
+ UpdateHost = 00 50 53 85 77 CE
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
+ ProxyEnable = 0x00000000
+ MaxConnectionsPer1_0Server = 0x0000FFFE
+ MaxConnectionsPerServer = 0x0000FFFE
+ WarnOnZoneCrossing = 0x00000000
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
+ aaaaaaaa� = “%UserProfile%aaaaaaaa�.exe”
so that aaaaaaaa�.exe runs every time Windows starts
* The following Registry Value was deleted:
o [HKEY_USERS.DEFAULTAppEventsSchemesAppsExplorerNavigating.Current]
+ (Default) = “%SystemRoot%mediaWindows XP Start.wav”
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center]
+ AntiVirusOverride =
+ FirewallOverride =
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlServiceCurrent]
+ (Default) =
o [HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerMain]
+ Disable Script Debugger =
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
+ Cookies =
+ Cache =
+ History =
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
unwise_.exe %FontsDir%unwise_.exe 5 103 616 bytes
917ded.exe %Windir%temp917ded.exe 233 472 bytes
917ded.exe %Temp%917ded.exe 233 472 bytes
* There were new memory pages created in the address space of the system process(es):
Process Name Process Filename Allocated Size
svchost.exe %System%svchost.exe 5 124 096 bytes
svchost.exe %System%svchost.exe 974 848 bytes
svchost.exe %System%svchost.exe 974 848 bytes
* The following module was loaded into the address space of other process(es):
Module Name Module Filename Address Space Details
3.tmp %Windir%TEMP3.tmp Process name: spoolsv.exe
Process filename: %System%spoolsv.exe
Address space: 0xF60000 – 0xF79000
* There was a new service created in the system:
Service Name Display Name Status Service Filename
Windows Hosts Controller Windows Hosts Controller “Running” “%FontsDir%unwise_.exe”
* The following system services were modified:
Service Name Display Name New Status Service Filename
ALG Application Layer Gateway Service “Stopped” %System%alg.exe
RemoteRegistry Remote Registry “Stopped” %System%svchost.exe -k LocalService
SharedAccess Windows Firewall/Internet Connection Sharing (ICS) “Stopped” %System%svchost.exe -k netsvcs
wscsvc Security Center “Stopped” %System%svchost.exe -k netsvcs
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %UserProfile%aaaaaaaa�.exe 52 736 bytes MD5: 0x7E4AFA9F775F7C02F2217A10DF77BF47
SHA-1: 0xA4F9510EBB5687CFE51C2D7DC7F076AB73A8445C
2 %Temp%917ded.exe
%Windir%Temp917ded.exe 61 952 bytes MD5: 0xAB6C74563910DF6F6A036ADB7A84E4A8
SHA-1: 0x2FD407E8A026A068A00DF6985F56FE9303620E8C
3 %Temp%meslfowk.bat 102 bytes MD5: 0xF67D14F680102B3EA4CE4AA46B08EDBE
SHA-1: 0xF1F539976E1FFF4BE76D55FC4D9A3C52D0CC9AF4
4 %FontsDir%unwise_.exe 172 543 bytes MD5: 0x44C6947392ABD0942E31BCAB9219DFA2
SHA-1: 0x8EA7A51BC65F29A0359AB2A0D7C8F42E5649DC5A
5 %System%aaaaaaaa�.exe 52 736 bytes MD5: 0xAD9E1A3FB3294B9CCAB6670EE34F0E22
SHA-1: 0xF9AECF10BA1D9803485416E61A6DE9F815571DE6
6 %System%dllcachendis.sys 211 072 bytes MD5: 0x93B984ECAFF503D80C61E76A9959CEEA
SHA-1: 0xC2B736C902BC16A8E975FC8592313EF868DE0B5D
7 %System%nhrbcg.log 622 bytes MD5: 0xF41ED7C15A2E5E36B119281EA5F11D14
SHA-1: 0x7DF91DC600EB0AF8FAB43F98A1C4773EB6094C82
8 %Windir%Temp4.tmp 97 280 bytes MD5: 0x5DA9C6E441B4F06295168609E205885C
SHA-1: 0x6542AD21C2E00FA15C00207281BCCB45251DE602
9 %Windir%Temp6.tmp 97 280 bytes MD5: 0x0E800DC6D5DDB32F71961E3484AFC0B1
SHA-1: 0x8E5BEEC99AE4485FE2ED4F586E3CB3788A3D892E
10 %Windir%Temp7.tmp 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
11 %Windir%TempVRT8.tmp 10 660 bytes MD5: 0xA3C11B91B35CF55C8668A2383FC5F4B7
SHA-1: 0xB3025147FD64BDB81EB33E9D3C7C77A81ECD8989
* Notes:
o %UserProfile% is a variable that specifies the current user’s profile folder. By default, this is C:Documents and Settings[UserName] (Windows NT/2000/XP).
o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:Documents and Settings[UserName]Local SettingsTemp (Windows NT/2000/XP).
o %Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt.
o %FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:WindowsFonts.
o %System% is a variable that refers to the System folder. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
* The following files were modified:
o c:contacts.html
o c:Inetpubwwwrootindex.html
o [pathname with a string SHARE]msinfo32.exe
o [pathname with a string SHARE]sapisvr.exe
o [pathname with a string SHARE]Sunflower.htm
o [pathname with a string SHARE]Sweets.htm
o [pathname with a string SHARE]Technical.htm
o %ProgramFiles%Common FilesSystemadoMDACReadme.htm
o %ProgramFiles%Internet ExplorerConnection Wizardicwconn1.exe
o %ProgramFiles%Internet ExplorerConnection Wizardicwconn2.exe
o %ProgramFiles%Internet ExplorerConnection Wizardicwrmind.exe
o %ProgramFiles%Internet ExplorerConnection Wizardicwtutor.exe
o %ProgramFiles%Internet ExplorerConnection Wizardinetwiz.exe
o %ProgramFiles%Internet ExplorerConnection Wizardisignup.exe
o %ProgramFiles%Internet Exploreriedw.exe
o %ProgramFiles%Internet ExplorerIEXPLORE.EXE
o %ProgramFiles%MSNMSNIAmsniasvc.exe
o %ProgramFiles%MSNMSNIAprestp.exe
o %ProgramFiles%MSNMsnInstallermsninst.exe
o %ProgramFiles%NetMeetingcb32.exe
o %ProgramFiles%NetMeetingconf.exe
o %ProgramFiles%NetMeetingnetmeet.htm
o %ProgramFiles%NetMeetingwb32.exe
o %ProgramFiles%Outlook Expressmsimn.exe
o %ProgramFiles%Outlook Expressoemig50.exe
o %ProgramFiles%Outlook Expresssetup50.exe
o %ProgramFiles%Outlook Expresswab.exe
o %ProgramFiles%Outlook Expresswabmig.exe
o %ProgramFiles%Web PublishWPWIZ.EXE
o %ProgramFiles%Windows Media Playermigrate.exe
o %ProgramFiles%Windows Media Playermplayer2.exe
o %ProgramFiles%Windows Media Playersetup_wm.exe
o %ProgramFiles%Windows Media Playerwmplayer.exe
o %ProgramFiles%Windows NTAccessorieswordpad.exe
o %ProgramFiles%Windows NTdialer.exe
o %ProgramFiles%Windows NThypertrm.exe
o %ProgramFiles%Windows NTPinballPINBALL.EXE
o %Windir%CacheAdobe Reader 6.0.1ENUBIGsetup.exe
o %Windir%hh.exe
o %Windir%infunregmp2.exe
o %Windir%Installer{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}places.exe
o %Windir%Microsoft.NETFrameworkNETFXSBS10.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727ASP.NETWebAdminFileserror.aspx
o %Windir%Microsoft.NETFrameworkv2.0.50727ASP.NETWebAdminFilesSecurityWizardwizard.aspx
o %Windir%Microsoft.NETFrameworkv2.0.50727aspnet_compiler.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727aspnet_regbrowsers.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727aspnet_regsql.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727CasPol.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727CONFIGDefaultWsdlHelpGenerator.aspx
o %Windir%Microsoft.NETFrameworkv2.0.50727dfsvc.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727IEExec.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727jsc.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727MSBuild.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727RegAsm.exe
o %Windir%Microsoft.NETFrameworkv2.0.50727RegSvcs.exe
o %Windir%msagentagentsvr.exe
o %Windir%muimuisetup.exe
o %Windir%NOTEPAD.EXE
o %Windir%pchealthhelpctrbinariesHelpCtr.exe
o %Windir%pchealthhelpctrbinariesHelpHost.exe
o %Windir%pchealthhelpctrbinariesHelpSvc.exe
o %Windir%pchealthhelpctrbinariesHscUpd.exe
o %Windir%pchealthhelpctrbinariesmsconfig.exe
o %Windir%pchealthhelpctrbinariesnotiflag.exe
o %Windir%pchealthhelpctrSystemblurbsabout_support.htm
o %Windir%pchealthhelpctrSystemblurbsFavorites.htm
o %Windir%pchealthhelpctrSystemblurbsftshelp.htm
o %Windir%pchealthhelpctrSystemblurbsHistory.htm
o %Windir%pchealthhelpctrSystemblurbsIndex.htm
o %Windir%pchealthhelpctrSystemblurbsisupport.htm
o %Windir%pchealthhelpctrSystemblurbskeywordhelp.htm
o %Windir%pchealthhelpctrSystemblurbsoptions.htm
o %Windir%pchealthhelpctrSystemblurbssearchblurb.htm
o %Windir%pchealthhelpctrSystemblurbssearchtips.htm
o %Windir%pchealthhelpctrSystemblurbstools.htm
o %Windir%pchealthhelpctrSystemblurbswindows_newsgroups.htm
o %Windir%pchealthhelpctrSystemCompatCtrAboutCompat.htm
o %Windir%pchealthhelpctrSystemCompatCtrCompatMode.htm
o %Windir%pchealthhelpctrSystemCompatCtrCompatOffline.htm
o %Windir%pchealthhelpctrSystemCompatCtrLearnCompat.htm
o %Windir%pchealthhelpctrSystemDVDUpgrddvdupgrd.htm
o %Windir%pchealthhelpctrSystemErrMsgErrorMessagesOffline.htm
o %Windir%pchealthhelpctrSystemerrorsbadurl.htm
o %Windir%pchealthhelpctrSystemerrorsconnection.htm
o %Windir%pchealthhelpctrSystemerrorsindexfirstlevel.htm
o %Windir%pchealthhelpctrSystemerrorsnotfound.htm
o %Windir%pchealthhelpctrSystemerrorsoffline.htm
o %Windir%pchealthhelpctrSystemerrorsredirect.htm
o %Windir%pchealthhelpctrSystemerrorsunreachable.htm
o %Windir%pchealthhelpctrSystemHeadlines.htm
o %Windir%pchealthhelpctrSystemHomePage__DESKTOP.htm
o %Windir%pchealthhelpctrSystemHomePage__SERVER.htm
o %Windir%pchealthhelpctrSystemNetDiagdglogs.htm
o %Windir%pchealthhelpctrSystemNetDiagdglogshelp.htm
o %Windir%pchealthhelpctrSystempanelsAdvSearch.htm
o %Windir%pchealthhelpctrSystempanelsblank.htm
o %Windir%pchealthhelpctrSystempanelsContext.htm
o %Windir%pchealthhelpctrSystempanelsfirstpage.htm
o %Windir%pchealthhelpctrSystempanelsHHWrapper.htm
o %Windir%pchealthhelpctrSystempanelsMiniNavBar.htm
* Notes:
o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:Program Files.
* The following directories were created:
o c:System Volume Information.
o c:System Volume Information..
here more about downloaded exe files
64.79.86.26 64.79.86.26
ku.perfectexe.com
ku.perfectexe.com 222.170.127.203
sky.perfectexe.com
sky.perfectexe.com 122.224.6.164
Download URLs
http://64.79.86.26/pk/ucsp0416.exe?t=0,5313793 (64.79.86.26)
http://222.170.127.203/w.exe?t=8,808541E-02 (ku.perfectexe.com)
http://122.224.6.164/banner.exe?t=6,200206E-02 (sky.perfectexe.com)
Outgoing connection to remote server: 64.79.86.26 TCP port 80
Outgoing connection to remote server: ku.perfectexe.com TCP port 88
Outgoing connection to remote server: sky.perfectexe.com TCP port 555
DNS Lookup
Host Name IP Address
sendinvest.com 64.120.176.66
findhobbits.com 64.79.82.218
64.79.86.26 64.79.86.26
64.120.176.66 64.120.176.66
Outgoing connection to remote server: sendinvest.com TCP port 8392
Outgoing connection to remote server: findhobbits.com TCP port 8392
Outgoing connection to remote server: 64.79.86.26 TCP port 8392
Outgoing connection to remote server: sendinvest.com TCP port 8392
Outgoing connection to remote server: findhobbits.com TCP port 8392
Outgoing connection to remote server: findhobbits.com TCP port 8392
Outgoing connection to remote server: findhobbits.com TCP port 8392
Outgoing connection to remote server: 64.79.86.26 TCP port 8392
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEM “UpdateNew” = [REG_BINARY, size: 8 bytes]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEM “uid” = ucsp0416
HKEY_CURRENT_USERAppEventsSchemesApps.DefaultSystemExclamation.Current “” =
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “W2KLpk” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun “jimuqf” = RUNDLL32.EXE C:WINDOWSsystem32mspyeajp.dll,w
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D} “” = Microsoft WinSock Control, version 6.0
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}InprocServer32 “” = C:WINDOWSsystem32MSWINSCK.OCX
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}InprocServer32 “ThreadingModel” = Apartment
HKEY_LOCAL_MACHINESOFTWAREClassesMSWinsock.Winsock “” = Microsoft WinSock Control, version 6.0
HKEY_LOCAL_MACHINESOFTWAREClassesMSWinsock.WinsockCLSID “” = {248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesMSWinsock.WinsockCurVer “” = MSWinsock.Winsock.1
HKEY_LOCAL_MACHINESOFTWAREClassesMSWinsock.Winsock.1 “” = Microsoft WinSock Control, version 6.0
HKEY_LOCAL_MACHINESOFTWAREClassesMSWinsock.Winsock.1CLSID “” = {248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}VersionIndependentProgID “” = MSWinsock.Winsock
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}ProgID “” = MSWinsock.Winsock.1
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “” = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}Version “” = 1.0
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}MiscStatus “” = 0
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}MiscStatus1 “” = 132497
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}ToolboxBitmap32 “” = C:WINDOWSsystem32MSWINSCK.OCX, 1
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD897-BB45-11CF-9ABC-0080C7E7B78D} “” = Winsock General Property Page Object
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD897-BB45-11CF-9ABC-0080C7E7B78D}InprocServer32 “” = C:WINDOWSsystem32MSWINSCK.OCX
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0 “” = Microsoft Winsock Control 6.0
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0FLAGS “” = 2
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0�win32 “” = C:WINDOWSsystem32MSWINSCK.OCX
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0HELPDIR “” =
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D} “” = IMSWinsockControl
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid “” = {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid32 “” = {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “” = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “Version” = 1.0
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D} “” = DMSWinsockControlEvents
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid “” = {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid32 “” = {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “” = {248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “Version” = 1.0
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun “exec” = C:WINDOWSfontsservices.exe
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows “load” = C:WINDOWSfontsservices.exe
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows “run” = C:WINDOWSfontsservices.exe
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenNOHIDDEN “CheckedValue” = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWALL “CheckedValue” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenNOHIDORSYS “CheckedValue” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMain “Use FormSuggest” = yes
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use FormSuggest” = yes
HKEY_CURRENT_USERAppEventsSchemesAppsExplorerNavigating.Current “” = [REG_EXPAND_SZ, value: ]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3 “1601” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Disable Script Debugger” = yes
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “DisableScriptDebuggerIE” = yes
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Error Dlg Displayed On Every Error” = no
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionAeDebug “Auto” = 0
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMScripting “Default Impersonation Level”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Repository Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMScripting “Default Namespace”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ProcessID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnablePrivateObjectHeap”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ContextLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ObjectLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “IdentifierLimit”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{565783C6-CB41-11D1-8B02-00600806D9B6}1.2� “win32”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{00020430-0000-0000-C000-000000000046}2.0� “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “Version”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Sink Transmit Buffer Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “DefaultRpcStackSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “ThreadingModel”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “Synchronization”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “AppId”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotFixKB956572 “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOMSecuredHostProviders “ROOTCIMV2:__Win32Provider.Name=”CIMWin32″”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “ProductName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEM “UpdateNew”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEM “uid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEM “l”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerAppCompatibility “DisableAppCompat”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{871C5380-42A0-1069-A2EA-08002B30309D}InProcServer32 “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsIEXPLORE.EXE “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedLow”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedHigh”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}TypeLib “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{B722BCCB-4E68-101B-A2BC-00AA00404770}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{000214E6-0000-0000-C000-000000000046}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{56F9679E-7826-4C84-81F3-532071A8BCC5}InprocServer32 “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile� “ProgID”
HKEY_LOCAL_MACHINESOFTWAREClassesfile “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesMapi “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesOutlookexpress “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREClassesOTFS “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersDefault “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.bmp “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.c “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cpp “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cs “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.cxx “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.doc “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.dot “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.emf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.eml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.err “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.gif “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.h “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.htm “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.html “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.hxx “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.idl “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpeg “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jpg “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.jsl “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mht “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.mhtml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.nws “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pdf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.png “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pot “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.pps “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.ppt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.rtf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.txt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.vb “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wmf “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.wrn “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xls “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xlt “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xml “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension.xsd “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecalendar “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecommunications “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypecontact “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypedocument “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeemail “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefavorite “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypefolder “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeim “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeimages “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypemusic “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypenote “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepicture “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypepresentation “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypeprogram “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypespreadsheet “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypetext “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “ContentType”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “TemplateUrl”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedTypevideo “ScriptOk”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREClasses.ocx “”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0 “”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0FLAGS “”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0�win32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{248DD890-BB45-11CF-9ABC-0080C7E7B78D}1.0HELPDIR “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D} “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD892-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “Version”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D} “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{248DD893-BB45-11CF-9ABC-0080C7E7B78D}TypeLib “Version”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsIEXPLORE.EXE “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedLow”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedHigh”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}TypeLib “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{B722BCCB-4E68-101B-A2BC-00AA00404770}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{000214E6-0000-0000-C000-000000000046}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}ProxyStubClsid32 “”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSecurityP3Global “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerAppCompatibility “DisableAppCompat”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{00021401-0000-0000-C000-000000000046}InProcServer32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{871C5380-42A0-1069-A2EA-08002B30309D}InProcServer32 “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUrl History “DaysToKeep”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}1.1� “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_INTERNET_SHELL_FOLDERS “services.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_INTERNET_SHELL_FOLDERS “*”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{5067A26B-1337-4436-8AFE-EE169C2DA79F}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “ButtonText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “MenuText”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Default Visible”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{e2e2dd38-d088-4134-82b7-f2ba38496583}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “ButtonText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{FB5F1910-F110-11d2-BB9E-00C04F795683}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Default Visible”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsICWCONN1.EXE “Path”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility~/CONNWIZ.HTM “Compatibility Flags”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility~/CWIZINTR.HTM “Compatibility Flags”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerApplication Compatibility “services.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesRatings “Key”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “No3DBorder”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “No3DBorder”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “UrlEncoding”
HKEY_CURRENT_USERControl PanelInternational “NumShape”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “ProxyEnable”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “SmartDithering”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “RtfConverterFlags”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseClearType”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Page_Transitions”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use_DlgBox_Colors”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Anchor Underline”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “CSS_Compat”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Expand Alt Text”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Display Inline Images”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Display Inline Videos”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Play_Background_Sounds”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Play_Animations”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Print_Background”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use Stylesheets”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “SmoothScroll”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “XMLHTTP”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Show image placeholders”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Disable Script Debugger”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “DisableScriptDebuggerIE”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Move System Caret”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Force Offscreen Composition”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Enable AutoImageResize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseThemes”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseHR”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Q300829”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Disable_Local_Machine_Navigate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Cleanup HTCs”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Q331869”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “AlwaysAllowExecCommand”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “Default_CodePage”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “AutoDetect”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts “Default_IEFontSize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts “Default_IEFontSizePrivate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color Visited”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color Hover”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Colors”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Font Size”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Font Face”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Use Anchor Hover Color”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “MiscFlags”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPolicies “Allow Programmatic Cut_Copy_Paste”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “DisableCachingOfSSLPages”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlNlsCodePage “950”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFontSize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFontSizePrivate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEPropFontName”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFixedFontName”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “PopupMgr”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}InprocServer32 “”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “BlockUserInit”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “UseTimerMethod”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “UseHooks”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “AllowHTTPS”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “BlockControls”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPhishingFilter “Enabled”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “IEHardenWarnOnNav”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings “IEHardenWarnOnNav”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile�x00000000{63800dac-e7ca-4df9-9a5c-20765055488d} “Enable”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{5130A009-5540-4FCF-97EB-AAD33FC0EE09} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{7AE86BB7-262C-431E-9111-C974B6B7CAC3} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{C6DEBC0A-F2B2-4F17-930E-CA9FAFF4CD04} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerFeed Discovery “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “EnableFirewall”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCOM3 “COM+Enabled”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersExtension
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Desktop SearchPreviewersPerceivedType
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile�x00000000
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryCategory{B95F181B-EA4C-4AF1-8056-7C321ABBB091}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}CategoryCategory{B95F181B-EA4C-4AF1-8056-7C321ABBB091}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryCategory{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}CategoryItem{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
File Changes by all processes
New Files DeviceTcp
DeviceIp
DeviceIp
C:WINDOWSSystem328833,124.exe
DeviceRasAcd
C:WINDOWSSystem321258,443.exe
C:WINDOWSSystem321332,774.exe
C:jktyket108.bat
C:WINDOWSsystem32txpxr_471857049
DeviceRasAcd
C:WINDOWSsystem32mspyeajp.dll.1544859
C:DOKUME~1ADMINI~1LOKALE~1Temp1544968.system
C:WINDOWSsystem32mspyeajp.dll
c:1548515.BAT
C:WINDOWSsystem32MSWINSCK.OCX
C:WINDOWSfontsservices.exe
C:DOKUME~1ADMINI~1LOKALE~1Temptmp0,7055475.bat
Opened Files C:WINDOWSRegistrationR000000000007.clb
.PIPElsarpc
C:WINDOWSsystem32wbemwbemdisp.TLB
C:WINDOWSsystem32stdole2.tlb
.PIPEROUTER
c:autoexec.bat
.Ip
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSSystem32
C:
.PIPElsarpc
.pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSREPAIRSETUP.LOG
C:WINDOWSSysWOW64comcat.dll
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSSystem32
.PIPEwkssvc
C:WINDOWSsystem32ieframe.dll
C:WINDOWSRegistrationR000000000007.clb
C:ProgrammeInternet ExplorerIEXPLORE.EXE
C:ProgrammeWindows Desktop SearchMSNLNamespaceMgr.dll
.PIPElsarpc
C:
C:1548515.BAT
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSSystem32
C:WINDOWSsystem32SVCHOST.EXE
C:WINDOWSfontsservices.exe
C:WINDOWSfonts
C:DOKUME~1ADMINI~1LOKALE~1Temp
C:WINDOWSsystem32MSWINSCK.OCX
C:WINDOWSRegistrationR000000000007.clb
C:ProgrammeInternet ExplorerIEXPLORE.EXE
.PIPElsarpc
C:WINDOWSsystem32ieframe.dll
C:WINDOWSsystem32xpsp3res.dll
C:WINDOWSsystem32de-DEieframe.dll.mui
C:jktyket108.bat
Deleted Files C:WINDOWSsystem32txpxr_471857049
C:WINDOWSsystem32mspyeajp.dll
C:WINDOWSSystem321258,443.exe
C:WINDOWSSystem321258_4~1.EXE
c:WINC.exe
C:jktyket108.bat
Chronological Order Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: C:WINDOWSsystem32wbemwbemdisp.TLB (OPEN_EXISTING)
Open File: C:WINDOWSsystem32stdole2.tlb (OPEN_EXISTING)
Find File: C:WINDOWSSystem328833,124.exe
Open File: .PIPEROUTER (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Create/Open File: C:WINDOWSSystem328833,124.exe (OPEN_ALWAYS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSSystem32 ()
Find File: C:WINDOWSsystem328833,124.exe
Find File: C:WINDOWSSystem321258,443.exe
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Create/Open File: C:WINDOWSSystem321258,443.exe (OPEN_ALWAYS)
Find File: C:WINDOWSsystem321258,443.exe
Find File: C:WINDOWSSystem321332,774.exe
Create/Open File: C:WINDOWSSystem321332,774.exe (OPEN_ALWAYS)
Find File: C:WINDOWSsystem321332,774.exe
Create File: C:jktyket108.bat
Open File: C: ()
Find File: C:jktyket108.bat
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSREPAIRSETUP.LOG ()
Open File: C:WINDOWSSysWOW64comcat.dll (OPEN_EXISTING)
Create/Open File: C:WINDOWSsystem32txpxr_471857049 (OPEN_ALWAYS)
Delete File: C:WINDOWSsystem32txpxr_471857049
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Delete File:
Delete File: C:WINDOWSsystem32mspyeajp.dll
Move File: C:WINDOWSsystem32mspyeajp.dll to C:WINDOWSsystem32mspyeajp.dll.1544859
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1544968.system
Move File: C:DOKUME~1ADMINI~1LOKALE~1Temp1544968.system to C:WINDOWSsystem32mspyeajp.dll
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSSystem32 ()
Find File: C:WINDOWSsystem32Rundll32.exe
Create File: c:1548515.BAT
Open File: .PIPEwkssvc (OPEN_EXISTING)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:1548515.BAT Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32ieframe.dll (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:ProgrammeInternet ExplorerIEXPLORE.EXE (OPEN_EXISTING)
Open File: C:ProgrammeWindows Desktop SearchMSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: C:1548515.BAT Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:1548515.BAT:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C: ()
Find File: C:1548515.BAT
Get File Attributes: C:WINDOWSsystem32mspyeajp.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSsystem32mspyeajp.dll.manifest Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: “C:1548515.BAT” Flags: (SECURITY_ANONYMOUS)
Find File: C:1548515.BAT
Open File: C:1548515.BAT (OPEN_EXISTING)
Get File Attributes: C:WINDOWSSystem321258,443.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSSystem32 Flags: (SECURITY_ANONYMOUS)
Find File: C:WINDOWSSystem321258,443.exe
Delete File: C:WINDOWSSystem321258,443.exe
Delete File: C:WINDOWSSystem321258_4~1.EXE
Find File: C:WINDOWSfontsservices.exe
Find File: C:WINDOWSsystem32MSWINSCK.OCX
Create/Open File: C:WINDOWSsystem32MSWINSCK.OCX (OPEN_ALWAYS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSSystem32 ()
Find File: C:WINDOWSsystem32Regsvr32.exe
Create/Open File: C:WINDOWSfontsservices.exe (OPEN_ALWAYS)
Open File: C:WINDOWSsystem32SVCHOST.EXE (OPEN_EXISTING)
Open File: C:WINDOWSfontsservices.exe (OPEN_EXISTING)
Set File Time: C:WINDOWSFontsservices.exe
Set File Attributes: C:WINDOWSfontsservices.exe Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Open File: C:WINDOWSfonts ()
Find File: C:WINDOWSFontsservices.exe
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp0,7055475.bat
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp ()
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp0,7055475.bat
Get File Attributes: C:WINDOWSSystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32MSWINSCK.OCX (OPEN_EXISTING)
Get File Attributes: C:WINDOWSHELPMSWNSK98.chm Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:ProgrammeInternet ExplorerIEXPLORE.EXE (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: C:WINDOWSsystem32ieframe.dll (OPEN_EXISTING)
Get File Attributes: C:ProgrammeSkypeToolbarsInternet Explorerfavicon.ico Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32xpsp3res.dll (OPEN_EXISTING)
Get File Attributes: C:ProgrammeMessengermsmsgs.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32de-DEieframe.dll.mui (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: “C:jktyket108.bat” Flags: (SECURITY_ANONYMOUS)
Find File: C:jktyket108.bat
Open File: C:jktyket108.bat (OPEN_EXISTING)
Get File Attributes: c:WINC.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Find File: c:WINC.exe
Delete File: c:WINC.exe
Get File Attributes: C:jktyket108.bat Flags: (SECURITY_ANONYMOUS)
Delete File: C:jktyket108.bat
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp0.*
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp0
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
unwise_.exe %FontsDir%unwise_.exe 5 103 616 bytes
917ded.exe %Windir%temp917ded.exe 233 472 bytes
917ded.exe %Temp%917ded.exe 233 472 bytes
* There were new memory pages created in the address space of the system process(es):
Process Name Process Filename Allocated Size
svchost.exe %System%svchost.exe 5 124 096 bytes
svchost.exe %System%svchost.exe 974 848 bytes
svchost.exe %System%svchost.exe 974 848 bytes
* The following module was loaded into the address space of other process(es):
Module Name Module Filename Address Space Details
3.tmp %Windir%TEMP3.tmp Process name: spoolsv.exe
Process filename: %System%spoolsv.exe
Address space: 0xF60000 – 0xF79000
* There was a new service created in the system:
Service Name Display Name Status Service Filename
Windows Hosts Controller Windows Hosts Controller “Running” “%FontsDir%unwise_.exe”
* The following system services were modified:
Service Name Display Name New Status Service Filename
ALG Application Layer Gateway Service “Stopped” %System%alg.exe
RemoteRegistry Remote Registry “Stopped” %System%svchost.exe -k LocalService
SharedAccess Windows Firewall/Internet Connection Sharing (ICS) “Stopped” %System%svchost.exe -k netsvcs
wscsvc Security Center “Stopped” %System%svchost.exe -k netsvcs