Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

infected with the cryptowall

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: infected with the cryptowall

Unread postby heyoka05 » October 4th, 2014, 9:23 pm

Sorry that this is becoming more difficult for you , but I sure do appreciate
your tenacity

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultExecMenuItems]
"tWhiteList"="Close|GeneralInfo|Quit|FirstPage|PrevPage|NextPage|LastPage|ActualSize|FitPage|FitWidth|FitHeight|SinglePage|OneColumn|TwoPages|TwoColumns|ZoomViewIn|ZoomViewOut|ShowHideBookmarks|ShowHideThumbnails|Print|GoToPage|ZoomTo|GeneralPrefs|SaveAs|FullScreen|OpenOrganizer|Scan|Web2PDF:OpnURL|AcroSendMail:SendMail|Spelling:Check Spelling|PageSetup|Find|FindSearch|GoBack|GoForward|FitVisible|ShowHideToolbarEditing|ShowHideToolbarCommenting|ShowHideToolbarEdit|ShowHideToolbarFile|ShowHideToolbarFind|ShowHideToolbarForms|ShowHideToolbarMeasuring|ShowHideToolbarData|ShowHideToolbarPageDisplay|ShowHideToolbarNavigation|ShowHideToolbarPrintProduction|ShowHideToolbarRedaction|ShowHideToolbarBasicTools|ShowHideToolbarTasks|ShowHideToolbarTypewriter|PropertyToolbar|ShowHideArticles|ShowHideFileAttachment|ShowHideAnnotManager|ShowHideFields|ShowHideOptCont|ShowHideModelTree|ShowHideSignatures|InsertPages|ExtractPages|ReplacePages|DeletePages|CropPages|RotatePages|AddFileAttachment|FindCurrentBookmark|BookmarkShowLocation|GoBackDoc|GoForward|DocHelpUserGuide|HelpReader|rolReadPage|HandMenuItem|ZoomDragMenuItem|Annots:Tool:InkMenuItem|CollectionHome|CollectionDetails|CollectionPreview|CollectionShowRoot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"="version:1|.ade:3|.adp:3|.app:3|.arc:3|.arj:3|.asp:3|.bas:3|.bat:3|.bz:3|.bz2:3|.cab:3|.chm:3|.class:3|.cmd:3|.com:3|.command:3|.cpl:3|.crt:3|.csh:3|.desktop:3|.dll:3|.exe:3|.fxp:3|.gz:3|.hex:3|.hlp:3|.hqx:3|.hta:3|.inf:3|.ini:3|.ins:3|.isp:3|.its:3|.job:3|.js:3|.jse:3|.ksh:3|.lnk:3|.lzh:3|.mad:3|.maf:3|.mag:3|.mam:3|.maq:3|.mar:3|.mas:3|.mat:3|.mau:3|.mav:3|.maw:3|.mda:3|.mdb:3|.mde:3|.mdt:3|.mdw:3|.mdz:3|.msc:3|.msi:3|.msp:3|.mst:3|.ocx:3|.ops:3|.pcd:3|.pi:3|.pif:3|.prf:3|.prg:3|.pst:3|.rar:3|.reg:3|.scf:3|.scr:3|.sct:3|.sea:3|.shb:3|.shs:3|.sit:3|.tar:3|.taz:3|.tgz:3|.tmp:3|.url:3|.vb:3|.vbe:3|.vbs:3|.vsmacros:3|.vss:3|.vst:3|.vsw:3|.webloc:3|.ws:3|.wsc:3|.wsf:3|.wsh:3|.z:3|.zip:3|.zlo:3|.zoo:3|.pdf:2|.fdf:2|.jar:3|.pkg:3|.tool:3|.term:3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchURLPerms]
"tFlashContentSchemeWhiteList"="http|https|ftp|rtmp|rtmpe|rtmpt|rtmpte|rtmps|mailto"
"tSponsoredContentSchemeWhiteList"="http|https"
"tSchemePerms"="version:2|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1|rlogin:3|javascript:4|data:3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Common Access Service Library Plugins]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Common Access Service Library Plugins\{4788DB03-CFA1-4eb2-9C53-81361E6BDBD3}]
"Path"="C:\\Program Files (x86)\\Hewlett-Packard\\Shared\\CaslWmi.dll"
"SupportedEvents"="SmartAdapter.PluggedIn,Wireless.Changed,LidSwitch.Changed,DockState.Changed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Common Access Service Library Plugins\{8F61AFD3-1B2E-4c96-8F9E-8E58F992BD56}]
"Path"="C:\\Program Files (x86)\\Hewlett-Packard\\Shared\\CaslSmBios.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Software Framework\{41290DB4-0C21-46ad-9A12-C40FD90E1B0B}]
"NetworkDeviceCount"=dword:00000002
"Wireless.GlobalChanged"=""
"Wireless.GlobalChanged.2.0"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\HP Wireless Assistant]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Hewlett-Packard\hpDrvMntSvc]
"HpToolsVolumeName"="\\\\?\\Volume{ce1633fd-9017-11e0-8242-806e6f6e6963}"
"HpToolsSize"=dword:00000800

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet]
"Disabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections]
"NC_PersonalFirewallConfig"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"authenticodeenabled"=dword:00000000
"TransparentEnabled"=dword:00000001
"DefaultLevel"=dword:00040000
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{0eb88dd4-86d6-4379-b46f-a635a34ca160}]
"LastModified"=hex(b):c6,a6,ee,43,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,d0,01,00,00,00,00,00
"ItemData"=hex:f5,7d,18,8c,46,67,fa,b4,62,08,39,6a,f2,0b,ad,d2
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{0eb88dd4-86d6-4379-b46f-a635a34ca160}\SHA256]
"ItemData"=hex:87,83,04,de,96,55,6e,d3,40,f1,90,a9,d8,b5,65,0d,c7,15,12,ee,d4,\
21,06,76,56,0f,c4,1e,7a,c4,85,7c
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{1b1e1e2b-714f-400f-a617-27fcf98d11e2}]
"LastModified"=hex(b):16,69,47,c9,56,ab,cf,01
"Description"="Cryptolocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):9b,c7,0a,00,00,00,00,00
"ItemData"=hex:e8,9f,09,fd,de,d7,77,ce,ba,64,12,d5,5c,e9,d3,bc
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{1b1e1e2b-714f-400f-a617-27fcf98d11e2}\SHA256]
"ItemData"=hex:b3,c9,2d,7a,9d,ea,d6,01,1f,3c,99,82,9c,74,5c,38,4d,d7,76,d8,8f,\
57,bb,d6,0b,c4,f9,d6,66,41,81,9b
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{28ee6f34-4dda-41ec-9cd9-330a341c4524}]
"LastModified"=hex(b):b2,2b,e0,50,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,ca,05,00,00,00,00,00
"ItemData"=hex:d3,aa,11,84,67,97,42,de,18,58,78,97,6b,13,f7,e6
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{28ee6f34-4dda-41ec-9cd9-330a341c4524}\SHA256]
"ItemData"=hex:22,df,18,3c,ff,c6,55,fb,97,7f,ff,bd,de,1a,1c,09,a0,e2,b3,54,31,\
b0,66,67,17,17,16,dd,cf,ac,c0,da
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{335b1b4d-2afb-499d-8774-67be32b7abd8}]
"LastModified"=hex(b):22,d8,bf,3a,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):20,d1,1f,00,00,00,00,00
"ItemData"=hex:b4,c2,bb,78,af,06,14,90,8d,7f,19,96,22,57,bf,73
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{335b1b4d-2afb-499d-8774-67be32b7abd8}\SHA256]
"ItemData"=hex:19,5a,50,e7,21,7b,61,71,c0,3b,3e,f7,7f,6a,f6,38,c3,21,01,03,81,\
1a,79,16,63,44,64,ff,15,51,14,e3
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{45a23524-ce0e-48c9-8ec5-6ad01f7156cd}]
"LastModified"=hex(b):e4,06,a6,41,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,60,03,00,00,00,00,00
"ItemData"=hex:6b,a7,0c,fa,8b,02,2c,a0,06,a3,52,b2,09,58,9f,53
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{45a23524-ce0e-48c9-8ec5-6ad01f7156cd}\SHA256]
"ItemData"=hex:9f,7e,4a,d0,f5,e1,49,99,f3,5e,76,e4,5d,a4,65,28,46,c4,a8,f7,8a,\
15,cc,ca,bc,ea,ed,34,2f,1a,b3,ac
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{55deba9a-3a43-434b-a514-413a841b7f03}]
"LastModified"=hex(b):5c,a5,8f,32,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,0a,06,00,00,00,00,00
"ItemData"=hex:44,21,7c,15,f3,05,38,a1,fb,df,61,4c,97,85,c9,b7
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{55deba9a-3a43-434b-a514-413a841b7f03}\SHA256]
"ItemData"=hex:62,f1,99,de,df,ff,ef,4e,b7,1c,33,bd,f2,2f,4a,9b,32,76,f8,a8,31,\
99,97,88,05,91,63,fa,e4,3d,b4,8e
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{67550d89-9788-4a64-ad67-8631876adb11}]
"LastModified"=hex(b):30,8e,dc,3c,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,1a,02,00,00,00,00,00
"ItemData"=hex:81,fd,32,f8,34,83,99,0f,aa,5f,9f,ca,7a,12,d1,79
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{67550d89-9788-4a64-ad67-8631876adb11}\SHA256]
"ItemData"=hex:36,e4,2f,a7,92,06,1b,b1,e4,60,0f,18,04,64,a2,56,f8,79,ce,0f,b8,\
ea,4d,e9,93,e1,dd,0b,18,05,ed,80
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{6f9798af-08bc-459b-9963-d596cba743c3}]
"LastModified"=hex(b):30,b6,47,2b,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,04,01,00,00,00,00,00
"ItemData"=hex:e1,6c,35,20,9f,78,c3,40,06,9d,5f,ae,f6,dc,22,d9
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{6f9798af-08bc-459b-9963-d596cba743c3}\SHA256]
"ItemData"=hex:61,1c,dc,30,ca,b2,b1,49,7c,e3,11,ce,40,2f,f5,03,07,b9,a7,a8,17,\
4d,88,93,7f,27,a7,8e,50,f3,d5,82
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{766ee197-043e-4270-908f-9a89bf0b1462}]
"LastModified"=hex(b):bd,25,43,c3,56,ab,cf,01
"Description"="Cryptolocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):9b,c7,0a,00,00,00,00,00
"ItemData"=hex:e8,9f,09,fd,de,d7,77,ce,ba,64,12,d5,5c,e9,d3,bc
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{766ee197-043e-4270-908f-9a89bf0b1462}\SHA256]
"ItemData"=hex:b3,c9,2d,7a,9d,ea,d6,01,1f,3c,99,82,9c,74,5c,38,4d,d7,76,d8,8f,\
57,bb,d6,0b,c4,f9,d6,66,41,81,9b
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{81fe8108-f04a-47b6-88b7-7e348692fd5c}]
"LastModified"=hex(b):48,b1,41,74,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,9a,0d,00,00,00,00,00
"ItemData"=hex:e9,3a,f5,04,28,fc,c7,4a,f9,31,bf,ed,7a,1d,c1,b2
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{81fe8108-f04a-47b6-88b7-7e348692fd5c}\SHA256]
"ItemData"=hex:19,01,30,92,dd,66,f7,87,e2,f8,b3,23,6f,83,5e,d4,db,a3,19,e9,09,\
eb,dc,cd,c6,45,4a,ea,c6,53,00,05
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8838bd20-11aa-4bf1-8a67-8d3dfd78a696}]
"LastModified"=hex(b):7a,40,cc,69,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,78,0c,00,00,00,00,00
"ItemData"=hex:eb,8d,bb,59,f9,cd,56,85,81,76,74,f1,04,05,71,cb
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8838bd20-11aa-4bf1-8a67-8d3dfd78a696}\SHA256]
"ItemData"=hex:4b,5d,1c,16,8f,72,5d,81,3a,5e,38,d4,03,c8,71,14,36,62,92,79,0b,\
0c,90,96,5e,0b,4f,fd,95,6c,2c,51
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8dcd1059-dd29-4e1a-ba8e-060cb029b7c4}]
"LastModified"=hex(b):2c,61,fc,1b,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,28,02,00,00,00,00,00
"ItemData"=hex:cb,74,03,1a,44,91,17,79,ba,94,4d,9f,f5,61,37,b1
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8dcd1059-dd29-4e1a-ba8e-060cb029b7c4}\SHA256]
"ItemData"=hex:e1,fd,36,5b,b3,08,12,6d,dc,ce,b5,df,5b,82,10,4f,54,20,0b,84,d4,\
5e,29,f8,28,58,55,7b,0b,34,1a,aa
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8f1566de-b0f8-4ec8-85e7-aef06786f004}]
"LastModified"=hex(b):d6,e8,ff,35,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,d0,0c,00,00,00,00,00
"ItemData"=hex:96,ed,d9,b5,a6,be,e8,fe,a1,60,0f,9b,44,e3,ee,f3
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{8f1566de-b0f8-4ec8-85e7-aef06786f004}\SHA256]
"ItemData"=hex:be,86,c0,6c,fb,48,d1,69,44,af,a5,63,b0,fa,2a,3f,2d,3a,35,55,32,\
fb,f8,ba,ce,4d,7d,ff,cd,52,47,f1
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{91d95e2b-c462-49ac-9929-2f92bbde258b}]
"LastModified"=hex(b):b6,78,7c,30,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):ba,4e,00,00,00,00,00,00
"ItemData"=hex:a2,98,96,7f,94,14,70,f2,f3,5d,58,85,94,d4,ae,11
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{91d95e2b-c462-49ac-9929-2f92bbde258b}\SHA256]
"ItemData"=hex:ce,b7,1f,47,6d,50,0a,74,f6,cb,8b,cd,a1,2a,50,09,45,45,15,33,78,\
03,64,68,54,d5,69,17,a1,4f,d4,b2
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{9485a075-9660-4946-b3b6-3aed8c1236da}]
"LastModified"=hex(b):a0,26,1d,48,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,46,03,00,00,00,00,00
"ItemData"=hex:d4,3a,be,f5,a6,2b,46,a6,60,a5,12,83,30,07,04,79
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{9485a075-9660-4946-b3b6-3aed8c1236da}\SHA256]
"ItemData"=hex:00,99,51,00,27,ec,f6,82,b7,6d,b6,a8,85,c9,fa,8c,22,70,f6,c8,e6,\
ef,de,d2,f5,2c,88,60,71,4d,0e,26
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{968d68c7-f0d7-4970-ba05-dc32d19c49ab}]
"LastModified"=hex(b):b6,0a,7b,4f,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,2c,01,00,00,00,00,00
"ItemData"=hex:cd,e1,a9,6c,7d,1f,c4,fd,04,d4,f0,76,b9,36,e9,a0
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{968d68c7-f0d7-4970-ba05-dc32d19c49ab}\SHA256]
"ItemData"=hex:49,13,33,50,42,19,24,72,76,25,8b,06,91,a7,9e,4c,cf,bc,41,62,99,\
9f,9f,37,25,12,c3,37,41,8e,75,7e
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{aa9e80ee-f622-4ed0-a171-e843dca553cf}]
"LastModified"=hex(b):b4,8e,cf,96,54,aa,cf,01
"Description"="Cryptolocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):e0,6f,0a,00,00,00,00,00
"ItemData"=hex:a6,92,95,b1,db,8d,21,2e,ee,08,de,8a,2e,93,95,45
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{aa9e80ee-f622-4ed0-a171-e843dca553cf}\SHA256]
"ItemData"=hex:4f,67,67,83,fb,6a,50,ba,09,4f,c7,63,9b,bb,cf,fb,fd,b8,bc,03,90,\
1e,8b,db,6e,37,e3,f7,92,b2,df,66
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{af3b6474-db30-4641-abec-4dbbd8977d5f}]
"LastModified"=hex(b):36,98,b2,5b,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,fc,03,00,00,00,00,00
"ItemData"=hex:02,46,bb,54,72,3b,d4,a4,94,44,aa,4c,a2,54,84,5a
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{af3b6474-db30-4641-abec-4dbbd8977d5f}\SHA256]
"ItemData"=hex:8c,f5,0a,e2,47,44,5d,e2,e5,70,f1,97,05,23,6e,d4,b1,e1,9f,75,ca,\
15,34,5e,5f,00,85,72,43,bc,0e,9b
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{ca31e631-ac26-46a5-8eec-3a842aa4baf0}]
"LastModified"=hex(b):3a,63,81,4a,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,20,02,00,00,00,00,00
"ItemData"=hex:28,9d,3f,d4,d0,87,d8,19,e7,64,18,17,97,ec,fa,2e
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{ca31e631-ac26-46a5-8eec-3a842aa4baf0}\SHA256]
"ItemData"=hex:44,6d,d6,84,7f,44,e0,f6,46,eb,ae,f7,65,06,2d,43,ab,e1,c7,17,17,\
a3,12,7d,1f,84,18,7b,4f,dd,f2,fc
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{cea0f56d-0b91-48d4-9268-96efbbbffa2f}]
"LastModified"=hex(b):f6,87,be,63,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,2c,03,00,00,00,00,00
"ItemData"=hex:b6,c7,94,3c,05,6a,ce,59,11,b9,5d,36,ff,06,e0,e4
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{cea0f56d-0b91-48d4-9268-96efbbbffa2f}\SHA256]
"ItemData"=hex:d5,a7,0b,a5,a1,94,ab,73,7f,c5,2b,9f,42,83,ce,9d,32,f0,90,59,0a,\
ea,34,22,4f,7e,a9,ec,63,55,7a,4f
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d2b218d9-9f98-4d85-9f63-08d4b56403da}]
"LastModified"=hex(b):8e,07,e9,26,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,d0,04,00,00,00,00,00
"ItemData"=hex:ec,b6,05,1f,92,fe,0c,05,51,a9,d2,41,c6,24,83,ea
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d2b218d9-9f98-4d85-9f63-08d4b56403da}\SHA256]
"ItemData"=hex:f0,9b,2a,3c,71,28,87,5b,45,68,59,8d,26,c0,3f,44,94,c0,67,f1,00,\
df,6c,3f,58,53,ce,6a,04,a8,28,85
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d3a94cd3-cebd-43ab-8122-bce7f82ad3bb}]
"LastModified"=hex(b):16,56,35,90,58,aa,cf,01
"Description"="Cryptolocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):9b,c7,0a,00,00,00,00,00
"ItemData"=hex:e8,9f,09,fd,de,d7,77,ce,ba,64,12,d5,5c,e9,d3,bc
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d3a94cd3-cebd-43ab-8122-bce7f82ad3bb}\SHA256]
"ItemData"=hex:b3,c9,2d,7a,9d,ea,d6,01,1f,3c,99,82,9c,74,5c,38,4d,d7,76,d8,8f,\
57,bb,d6,0b,c4,f9,d6,66,41,81,9b
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d4a055af-a988-4999-a457-cb4f5e773b5b}]
"LastModified"=hex(b):3e,17,f5,6e,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,7c,02,00,00,00,00,00
"ItemData"=hex:c1,ea,1a,c1,34,f5,41,2a,f5,55,e8,b7,ea,8a,8a,54
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d4a055af-a988-4999-a457-cb4f5e773b5b}\SHA256]
"ItemData"=hex:3d,46,b8,aa,7a,55,90,f0,e2,75,4f,db,53,60,33,7f,90,de,ce,4f,2f,\
17,3d,23,b5,23,c9,54,30,e2,18,ce
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d7dba1f5-92ea-42e9-820e-ee101908cf94}]
"LastModified"=hex(b):b0,98,1b,27,8f,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,e8,0a,00,00,00,00,00
"ItemData"=hex:bb,b4,45,90,1d,3e,c2,80,95,1a,c1,21,32,af,d8,7c
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{d7dba1f5-92ea-42e9-820e-ee101908cf94}\SHA256]
"ItemData"=hex:ed,95,b1,a8,88,71,0f,3c,a4,ac,ac,b4,92,50,fb,6c,21,72,2e,28,82,\
e3,17,84,bd,20,49,d1,5f,97,d4,de
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{eaf8e670-d189-487f-b315-95026acfd0ff}]
"LastModified"=hex(b):8c,05,71,57,8e,7d,cf,01
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):00,ec,03,00,00,00,00,00
"ItemData"=hex:82,9d,de,70,15,c3,2d,7d,77,d8,12,86,65,39,0d,ab
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{eaf8e670-d189-487f-b315-95026acfd0ff}\SHA256]
"ItemData"=hex:52,91,23,2b,29,7d,fc,b5,6f,88,b0,20,ec,7b,89,67,28,f1,39,b9,8c,\
ef,7a,b3,3d,4f,84,c8,5a,06,d5,53
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{ef8d1f8a-866a-4193-b5b9-c72ffaf9e10a}]
"LastModified"=hex(b):82,5e,d2,83,58,aa,cf,01
"Description"="Cryptolocker Prevention"
"SaferFlags"=dword:00000000
"ItemSize"=hex(b):e0,6f,0a,00,00,00,00,00
"ItemData"=hex:a6,92,95,b1,db,8d,21,2e,ee,08,de,8a,2e,93,95,45
"HashAlg"=dword:00008003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Hashes\{ef8d1f8a-866a-4193-b5b9-c72ffaf9e10a}\SHA256]
"ItemData"=hex:4f,67,67,83,fb,6a,50,ba,09,4f,c7,63,9b,bb,cf,fb,fd,b8,bc,03,90,\
1e,8b,db,6e,37,e3,f7,92,b2,df,66
"HashAlg"=dword:0000800c

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{016bddcb-bf4a-462d-80f0-63edf8785932}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,53,00,74,00,61,00,72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,\
72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,\
00,75,00,70,00,5c,00,2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{022642cb-67c1-4ff0-9d9a-090b50d1598e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,66,00,69,00,\
6c,00,65,00,73,00,28,00,78,00,38,00,36,00,29,00,25,00,5c,00,2a,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{03852523-3fab-428c-8567-ca5daac28c1b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,74,00,66,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{049c3c85-e8a4-416f-9864-2bb1de41b495}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{05a8ebdb-94d4-46bc-86b5-95dff43b7bb1}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,6c,00,6c,00,75,00,73,00,65,00,72,00,73,00,70,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,25,00,5c,00,2a,00,2e,00,73,00,63,00,72,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{06a1a58e-2002-404b-a759-dc05031a9643}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{07241e0a-317a-476c-bd6b-1f1bba78a3b0}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,33,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{07677820-027e-4f68-8034-dc086538638a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,53,00,74,00,61,00,72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,\
72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,\
00,75,00,70,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{079ba4cc-78a8-4dda-884a-30b924dc8512}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,33,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0a47a4c2-46e2-440a-afcd-712257583ffa}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,6c,00,6c,00,75,00,73,00,65,00,72,00,73,00,70,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,25,00,5c,00,2a,00,2e,00,70,00,69,00,66,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0b530e2f-73ab-42a8-94b4-ed5591287a6b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,2a,\
00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0c21d308-1161-4648-8743-3e9a61e43831}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,64,00,61,00,\
74,00,61,00,25,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,\
00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,53,00,74,00,61,00,\
72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,72,00,6f,00,67,00,72,\
00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,00,75,00,70,00,5c,00,\
2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0ed35116-5375-4591-a24e-deab0189854e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,37,00,7a,00,2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0f199ce1-9334-4c09-b66d-ecfdefab977d}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,69,00,76,00,78,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0f29c4b9-57d7-4eea-85ee-1d618c80b283}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0f998007-8b3b-4bb5-9bb8-7a01edcf8700}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,64,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,49,00,45,00,55,00,70,00,64,00,61,00,74,00,65,00,5c,00,2a,00,2e,00,65,00,\
78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{15375e02-21d4-45fe-b03c-13260b3c05d8}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1883bea9-354a-490b-b014-6031a56e2e13}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1a7041ef-b20e-4a1e-89ff-0c9d046b4700}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,2a,00,\
2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b0c36a3-d941-4930-8110-ea9664fbcff1}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,74,00,78,00,74,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1b667de2-fe53-4062-a09b-794cf3dc1a74}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,2a,00,\
2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1ddeb7a4-bedb-4773-9a46-a9698ae0b99e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1f663c47-7a20-4803-95a4-ad43393c62f6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,3a,00,5c,00,24,00,52,00,65,00,63,00,79,00,63,00,6c,00,\
65,00,2e,00,42,00,69,00,6e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1fc9d3af-6891-4670-851c-2239451408e2}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,66,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,2a,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,\
00,74,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{2087ddd9-5612-4b35-bec4-e0fe559c2e90}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,64,00,61,00,\
74,00,61,00,25,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,\
00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,53,00,74,00,61,00,\
72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,72,00,6f,00,67,00,72,\
00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,00,75,00,70,00,5c,00,\
2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{20aeaf6d-6ebb-481e-9399-49d49445fc10}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,67,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{22cbdb09-9384-454b-877f-7e6e5f1e736a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,64,00,61,00,\
74,00,61,00,25,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,\
00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,53,00,74,00,61,00,\
72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,72,00,6f,00,67,00,72,\
00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,00,75,00,70,00,5c,00,\
2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{23e895ff-e21d-473c-b37c-c387d43b5d41}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,65,00,67,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{242d6028-9fd5-4af2-bbbb-be5c812f99bb}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,3a,00,5c,00,24,00,52,00,65,00,63,00,79,00,63,00,6c,00,\
65,00,2e,00,42,00,69,00,6e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{24daa97d-b258-44ba-b5c2-a4aad468505f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{275f29c7-8054-4980-9ab9-7650618093cf}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,6c,00,6c,00,75,00,73,00,65,00,72,00,73,00,70,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,25,00,5c,00,2a,00,2e,00,65,00,78,00,65,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{280a3c2f-782b-4cf5-bdcf-5cb9b2a17dab}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,7a,00,69,00,70,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{2a33772a-ebdb-482f-a87a-2e768db79e5b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{2c5d3e08-6778-46a7-b176-8da87fb02497}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,53,00,74,00,61,00,72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,\
72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,\
00,75,00,70,00,5c,00,2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{2cfe909f-345f-40f3-a411-b2e130ef3237}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{32bfe2ef-ab03-487f-920d-7dd3ceb44498}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,75,00,62,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{34f57cd2-40bb-4388-90f9-82ccab670998}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,61,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3552ce99-487b-4a0a-a08c-13c61f69e6ab}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,33,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{358d6f9c-b876-4370-b4be-9f2c4d4dc24a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,61,00,72,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3797a0c3-e229-4c9a-b911-65ad00732b87}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,\
73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,\
00,53,00,74,00,61,00,72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,\
72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,\
00,75,00,70,00,5c,00,2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3ad870e3-b39f-4f58-a631-13988df291cd}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):6c,00,73,00,61,00,73,00,73,00,76,00,72,00,74,00,64,00,62,00,\
6b,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3ffae832-f12d-4c3d-b940-ab5a29ebe739}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):76,00,73,00,73,00,61,00,64,00,6d,00,69,00,6e,00,2e,00,65,00,\
78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{400cd214-c703-4ecb-8695-6756981d8c47}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,2a,\
00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{44ef9d49-e998-4eb0-944b-14e570f8641f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,62,00,6d,00,70,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{46f781cf-5318-4d9e-b8f0-255ee1d7898f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{46ff1a6d-6993-40e6-aaea-f8f843f2ccd7}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,61,00,76,00,69,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4a3af8e4-f67d-4d7e-ae85-e86658b9afaa}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,61,00,76,00,69,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4a4785f4-c8ad-44f0-81fc-5cab120e7c7e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4c54dfd2-6b60-4156-8ef8-dcc96d43da3e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,78,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4df76f2d-c2cd-445f-ba29-1e1ec2abdd5a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,64,00,61,00,\
74,00,61,00,25,00,5c,00,2a,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,\
00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4e42fd9b-bb81-4a6d-a5bc-da9e0169de8b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,76,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{50cc07f5-c8d4-40b9-8374-8189cf4b13c0}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,74,00,78,00,74,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5196450d-7990-40bb-a5e1-b926a9f469e2}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,74,00,66,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{528e0050-fc34-4bfc-a67b-ea0c27cd9f9a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,74,00,66,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5493fc45-c079-4233-ac26-ea54a681a70a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,5c,00,2a,00,2e,00,63,00,\
6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{575c430a-a5ee-4a09-b564-86f7f519ca18}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,64,00,72,00,69,00,\
76,00,65,00,25,00,5c,00,2a,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,\
00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{57f9b53c-9e93-453d-b694-11230bf0b0dd}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{588412f4-01df-4d8f-a278-ed044b7cb81f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,5c,00,2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{588fed64-ab83-47b9-99c1-adb108c937e9}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,61,00,76,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5a65332a-0745-496d-934a-6630ad9930bf}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,2a,\
00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5bc568c7-0884-4851-b62d-d10cabc31c1c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,67,00,69,00,66,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5cd01b05-1450-42d7-a083-c20cd47c549d}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,78,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{5d71e2bd-85ad-41cc-9376-41eac7606196}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,62,00,6d,00,70,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6297f064-9036-4f8e-a8b5-a719e17dcd9e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,78,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{632e3c2c-6c3f-440e-a591-a9f38e571901}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{64195c2d-9189-4559-8d50-8534d1218161}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,5c,00,2a,00,2e,00,\
73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{65cd1afd-c7ea-4682-973d-38ec0fe700c1}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,34,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6600c46b-e567-4809-82a1-d499715e456b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{66e308c3-43bb-4ce1-b335-f2c058b2decb}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,62,00,6d,00,70,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6717d72f-65d5-438a-bf8e-f68eab729c83}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,37,00,7a,00,2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{675de905-470b-4cd1-92a8-e89da6ea52aa}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,61,00,76,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{68a1ebbf-2cc3-4580-8611-371b246a8bc6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,3a,00,5c,00,24,00,52,00,65,00,63,00,79,00,63,00,6c,00,\
65,00,2e,00,42,00,69,00,6e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6a0582a8-639a-4b31-8af6-44e37f8277a1}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6b0fe0c2-6031-4afd-a546-3bc863664858}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,7a,00,69,00,70,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6c14faee-bc23-44be-b106-971ce203058a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,65,00,67,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6c3ab28b-56d9-4085-ac01-9d92320f3486}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,78,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6ca7cf6a-2441-498f-b654-5c55cb21895b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,61,00,76,00,69,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6d6b9889-662a-453e-8a3e-31668025d1be}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"="*‮*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7060e40d-24fc-4f3c-aa49-d2e7015a0b16}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,67,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{72e03dca-f1d8-433d-b590-0b84f42a3b13}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,78,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7446e69f-f32a-4540-a18b-505ce8f9a8b7}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,5c,00,2a,00,2e,00,70,00,\
69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7609ce26-5f63-4839-8948-d3613501767f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,61,00,72,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{76f06475-78fe-4803-a323-5abd15b74bee}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,34,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{76fe4054-9fee-47e3-9dc6-546eafed9360}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,61,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7eb48062-de30-40b8-ac37-e829dfd22cb8}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7f317018-0a93-48f1-b9ae-1d50e817092b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,6e,00,67,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{80083a2c-1026-4267-a6ef-b07492ed4735}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,6c,00,6c,00,75,00,73,00,65,00,72,00,73,00,70,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,25,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{80ea2007-4e1a-4e64-8087-06aed180cba9}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,78,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{81479e6e-14d5-464e-bdf0-19c5c76380ea}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,78,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8310b1c8-62e9-4fdb-862b-8cbca3f0c613}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,34,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{83251cf3-9aee-4f37-a447-f2c644d08456}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,67,00,69,00,66,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{83488f72-7eb1-473d-84e9-1bf5b1b01aba}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):73,00,63,00,73,00,76,00,73,00,65,00,72,00,76,00,2e,00,65,00,\
78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{834a40d0-cf59-4325-92c0-3f9d31f8b553}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{83810982-a4de-452b-97c2-c87e27897736}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{83c6e097-63c0-4fa2-9318-a8ca89ca71e4}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,62,00,6d,00,70,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{84e126e0-09a2-412d-affb-9f237ec8cfb7}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,6e,00,67,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{874168b9-5d19-4ed6-a1c8-a99e7d06b060}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,75,00,62,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8b8b4d87-996f-47ce-a12a-ef299ef7ce8a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,61,00,72,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8f102d35-a436-4472-9915-4a3627d0d863}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,2a,00,\
2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8f4337f7-7463-49e8-b202-94a817fc6609}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8f7d5504-61bf-4537-bad7-8226ce7fb895}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,61,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9186d841-ec5e-4c67-be68-7e7c8454665b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,64,00,66,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{939cfe89-0f54-443f-a07a-6317e2b0cedf}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,5c,00,2a,00,2e,00,\
70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{94d5e7db-13d7-4e66-a1a7-ceb090f8c235}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{99a3b63c-cb41-41b0-b532-64c5fd45cedc}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,5c,00,2a,00,2e,00,\
65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9a0c9aa6-e4fe-4676-9b51-7cc01a301fe0}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):6c,00,73,00,61,00,73,00,73,00,77,00,38,00,36,00,73,00,2e,00,\
65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9afc5a68-5eb8-460a-9657-a769feacc623}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9d60b2a7-32c9-4846-947a-4cf4b8281ee0}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,75,00,62,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9db66e40-2f37-4a48-8a97-cba30794a307}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,76,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9fdcc76c-f831-4a74-bfb6-8b7fda277eb8}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,61,00,72,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{a0fd1c5c-4b4b-47e8-abd4-c46a2ae5f205}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,78,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{a1966dec-92e8-483a-b600-c46a6d8d37f1}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,78,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{a1f1becc-484b-49dd-85a2-a43753b2dcc2}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,76,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{a2fabaab-7d03-4f52-a664-63ddc0edb41d}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,78,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{a51fb2a4-fc3d-4cb3-a3b3-12649a71da6c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,64,00,61,00,\
74,00,61,00,25,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,\
00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,53,00,74,00,61,00,\
72,00,74,00,20,00,4d,00,65,00,6e,00,75,00,5c,00,50,00,72,00,6f,00,67,00,72,\
00,61,00,6d,00,73,00,5c,00,53,00,74,00,61,00,72,00,74,00,75,00,70,00,5c,00,\
2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ab86b346-c81c-46bc-ab60-e03a0fd83b49}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,7a,00,69,00,70,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{abc31616-9d24-4308-b745-4a89d75dd87c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,61,00,76,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{aed939eb-646a-41b2-be81-063954077cd7}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,2a,00,2e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b01bb509-4dc4-4c22-835f-fcd8083a07f6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,75,00,62,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b25e7096-625c-43de-9385-37d220ad6b33}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,61,00,76,00,69,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b37fde0f-a007-4648-a09c-a067c83d4d65}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,6e,00,67,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b46f29a8-1a69-4098-b5ff-c6f6624467f7}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,67,00,69,00,66,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b4da34e1-50cb-4bde-8846-9a6151b89b51}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b6d1e8cc-1bbc-4bee-9e82-1edf30199f06}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,37,00,7a,00,2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b89faefb-b4ce-4186-afc6-ad683910caa3}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,34,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b8cbe8df-1e79-459b-822b-e8898590a36c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,64,00,66,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b8d21cae-770a-43ae-8f4a-13bc626055dd}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,5c,00,2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c0a44e9d-2b57-4080-b5af-36ead06e33b6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c2d953cd-8eec-43da-99cc-a5b125f1f618}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,5c,00,2a,00,2e,00,65,00,\
78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c4276ed8-9fc6-4c40-b027-8a1a8a845130}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,65,00,67,00,2a,00,2e,00,73,00,63,00,\
72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c7253870-c9ed-435c-ad15-5d2ae8aaeb75}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,74,00,78,00,74,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c9f08cbc-979f-4045-8a0a-6ea90a675386}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,64,00,66,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{cb57c2cb-4673-441f-9a6a-7faa0c4e9dfe}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,6f,00,63,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{cbf24773-e69c-4e02-9409-dfbc781d15c6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,69,00,76,00,78,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ccec4937-ef0b-4e0f-a52a-ce8ef98db100}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,61,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{cd18dbbd-0d86-4656-8280-31b898b60b11}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,2a,00,5c,00,2a,00,2e,00,\
63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{cf5ac9c2-ae06-415f-956b-c5f25d2227d6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,72,00,74,00,66,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d04f430b-fbfc-44e1-8d97-f7277ce6732c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,67,00,69,00,66,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d1ad67ad-963f-4ff5-9e42-c13d0af0f025}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,67,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d28e7ae9-cdca-408e-bffd-c2736d1d68e8}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,67,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d2ccd283-6061-4651-9dd0-1575590f60f4}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,37,00,7a,00,2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d2ea4236-557d-488d-a0f0-e02e599bd003}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d554ac7a-dd41-4005-ab97-b26cb2050d89}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d5d66180-c6eb-4241-9b2a-c13cfcfdae56}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,61,00,76,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d818d51e-668a-489c-ba76-8031384f373d}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d82bc922-4594-4519-8d42-c62afd3159e2}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):63,00,69,00,70,00,68,00,65,00,72,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d9b53ee6-c8ac-40f6-9dd9-bc9017add55f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,3a,00,5c,00,24,00,52,00,65,00,63,00,79,00,63,00,6c,00,\
65,00,2e,00,42,00,69,00,6e,00,70,00,69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{da103fdd-5a7f-4be0-960b-0b390b618a4e}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,78,00,6c,00,73,00,78,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{dade84fe-5329-4d20-b805-e9e312a4e7a6}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,64,00,66,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{dc5954c2-9c30-44b7-b433-7e06cd434a20}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e0b85de9-1820-484e-9e4a-7200a40d06a0}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,74,00,78,00,74,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e16211d1-d99b-47cf-9557-fe310741df3a}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e17b168e-cf4f-4713-b794-9cffdadbf401}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6d,00,70,00,33,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e3ddff23-9a22-4fdb-a8a1-22388f29197f}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,69,00,76,00,78,00,2a,00,2e,00,70,00,69,00,\
66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e521a3a4-aafb-49ad-8aca-9b1da9c58ebe}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,77,00,6d,00,76,00,2a,00,2e,00,73,00,63,00,72,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{e680e07f-7078-43a8-922f-8195c8beffc3}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,7a,00,69,00,70,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ec195e7b-f6d9-4925-a031-f28802ff3f4b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
2a,00,5c,00,2a,00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ec3a9c29-7f4f-47f3-ab2b-8374e0f4b559}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,2e,00,63,00,6f,00,6d,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ec464574-8fc4-43cb-a54b-e165df12decf}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,70,00,74,00,78,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ec67ebd4-c892-4c41-8f27-39c4ccd5f334}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):73,00,79,00,73,00,6b,00,65,00,79,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ef672106-c871-4532-944b-029a716fc2f3}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,6a,00,70,00,65,00,67,00,2a,00,2e,00,65,00,78,00,\
65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{efaba9ed-6b25-44ff-88b8-80b7de71edfa}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,2a,\
00,2e,00,73,00,63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f07bf77e-cbd0-428a-97ba-e5ccd53853bd}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,70,00,6e,00,67,00,2a,00,2e,00,70,00,69,00,66,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f44d4fa8-2605-4736-bec9-2e38695d284c}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,5c,00,2a,00,2e,00,73,00,\
63,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f50c2c90-319d-4b02-bff9-ce007860f50b}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):2a,00,2e,00,64,00,69,00,76,00,78,00,2a,00,2e,00,63,00,6f,00,\
6d,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f7032217-4265-4177-b220-d35aabb4c716}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,2a,00,2e,00,65,00,78,00,65,00,\
00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f8f134b6-f564-4c72-b82c-8444790eacf9}]
"Description"="CryptoLocker Prevention"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,2a,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{29eb3a15-257e-4cd9-894a-ec7a52556f9a}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,61,00,72,00,63,00,65,00,65,00,65,00,32,00,\
2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,00,73,00,74,00,61,\
00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{2e5fc520-558d-4377-a439-a99ca5d50dbe}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,61,00,72,00,63,00,37,00,\
31,00,33,00,61,00,2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,\
00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{8f07bfd6-e55e-4fd7-8f76-932a86a1749f}]
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
61,00,72,00,63,00,37,00,31,00,33,00,61,00,2e,00,74,00,6d,00,70,00,5c,00,73,\
00,73,00,74,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,\
65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{9684dbca-c91d-4aab-a7ef-7ba512313155}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,5c,00,61,00,72,00,63,00,37,00,31,00,33,00,61,00,\
2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,00,73,00,74,00,61,\
00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{9cd8adfc-624c-4c33-becb-a652613fb557}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,61,00,72,00,63,00,37,00,31,00,\
33,00,61,00,2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,00,73,\
00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{a14bf91e-e5bc-4f93-b5db-b590b47c0322}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,\
00,6f,00,63,00,61,00,6c,00,4c,00,6f,00,77,00,5c,00,61,00,72,00,63,00,65,00,\
65,00,65,00,32,00,2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,\
00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{d4e08cd6-0379-471b-90d6-46720b0e53e2}]
"ItemData"=hex(2):25,00,75,00,73,00,65,00,72,00,70,00,72,00,6f,00,66,00,69,00,\
6c,00,65,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,52,\
00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,61,00,72,00,63,00,65,00,65,00,\
65,00,32,00,2e,00,74,00,6d,00,70,00,5c,00,73,00,73,00,74,00,69,00,6e,00,73,\
00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\262144\Paths\{e0615c1d-a08b-42b9-aaae-6ed2bb8d0e9f}]
"ItemData"=hex(2):25,00,61,00,70,00,70,00,64,00,61,00,74,00,61,00,25,00,5c,00,\
61,00,72,00,63,00,65,00,65,00,65,00,32,00,2e,00,74,00,6d,00,70,00,5c,00,73,\
00,73,00,74,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,2e,00,\
65,00,78,00,65,00,00,00
"SaferFlags"=dword:00000000
"Description"="CryptoLocker Prevention"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI\Discovery Proxies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
"KnownDllList"="nlhtml.dll"
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am
Advertisement
Register to Remove

Re: infected with the cryptowall

Unread postby wannabeageek » October 5th, 2014, 12:26 am

Hi heyoka05,

What I was looking for was not in the first scan so we get to do it again.

Create a batch file
  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    • To make this easy, click the "select all" button then hover over the highlighted text and right mouse click to select copy.
    Code: Select all
    @echo off
    reg.exe export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies  C:\Users\bigdog\Desktop\look.reg
    ren C:\Users\bigdog\Desktop\look.reg look.txt
    Notepad.exe %userprofile%\Desktop\look.txt
    Del look.txt
    Del %0
    
  3. Save the file as look.bat on your desktop. Save it with the file type... all types *.*.
  4. Right click on the file look.bat select "Run As Administrator" to run it. If prompted by UAC, please allow it.


Post the results found in look.txt.
wannabeageek
MRU Master
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: infected with the cryptowall

Unread postby heyoka05 » October 5th, 2014, 9:27 am

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=dword:00000001
"NoComponents"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"ScanWithAntiVirus"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar]
"TurnOffSidebar"=dword:00000001
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby wannabeageek » October 5th, 2014, 6:02 pm

Hi heyoka05,

I've still not found what I am looking for.
Please run the following:

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Right-click SystemLook.exe and select " Run as administrator " to run it.
  • Copy the content of the following codebox into the main textfield: Do not include the word Code
  • To make this easy, click the "select all" button then hover over the highlighted text and right mouse click to select copy.
    Code: Select all
    :filefind
    *GroupPolicyUsers*
    *GroupPolicy*
    
    :folderfind
    *GroupPolicyUsers*
    *GroupPolicy*
    
    :Regfind
    GroupPolicyUsers
    GroupPolicy
    

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
wannabeageek
MRU Master
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: infected with the cryptowall

Unread postby heyoka05 » October 5th, 2014, 9:25 pm

SystemLook 30.07.11 by jpshortstuff
Log created at 21:16 on 05/10/2014 by bigdog
Administrator - Elevation successful

========== filefind ==========

Searching for "*GroupPolicyUsers*"
No files found.

Searching for "*GroupPolicy*"
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat --a---- 14144 bytes [23:51 10/06/2011] [19:07 20/11/2010] 2B130EB8BAD16AE4D6E76E53A2B41D54
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum --a---- 1284 bytes [23:51 10/06/2011] [18:40 20/11/2010] ECC607C85D5C191F48F7B26FE47D0F56
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat --a---- 35620 bytes [23:51 10/06/2011] [20:36 20/11/2010] 60F120B058AABA36699189A7865C8783
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum --a---- 1231 bytes [23:51 10/06/2011] [20:22 20/11/2010] BE1405F4C6991D92E8BF50225828DDCB
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat --a---- 108891 bytes [23:51 10/06/2011] [19:07 20/11/2010] 9A30A2BE3595BCA974BEABB8813BD181
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum --a---- 1655 bytes [23:51 10/06/2011] [18:40 20/11/2010] A9A10AABD124DF5F6D8CB96088A80EE9
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat --a---- 122673 bytes [23:51 10/06/2011] [20:36 20/11/2010] 3D5D53EADE46E375761A9467C691B118
C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum --a---- 1596 bytes [23:51 10/06/2011] [20:22 20/11/2010] 62CD84ED625D5E41ED2943D0FF47EFAF
C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe --a---- 8192 bytes [00:03 11/06/2011] [13:25 20/11/2010] 4E1073B674746EEA0B2EA0F4775EA6A4
C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll --a---- 12288 bytes [00:06 11/06/2011] [13:27 20/11/2010] 04D4A3C86479841A8D8740DB3E9AA43C
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat ----s-- 14144 bytes [23:51 10/06/2011] [19:07 20/11/2010] 2B130EB8BAD16AE4D6E76E53A2B41D54
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat ----s-- 35620 bytes [23:51 10/06/2011] [20:36 20/11/2010] 60F120B058AABA36699189A7865C8783
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat ----s-- 108891 bytes [23:51 10/06/2011] [19:07 20/11/2010] 9A30A2BE3595BCA974BEABB8813BD181
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat ----s-- 122673 bytes [23:51 10/06/2011] [20:36 20/11/2010] 3D5D53EADE46E375761A9467C691B118
C:\Windows\System32\en-US\TsUsbRedirectionGroupPolicyExtension.dll.mui --a---- 2560 bytes [00:03 11/06/2011] [12:56 20/11/2010] 2C7FDD789220916D2A083C2A3E9F2FBA
C:\Windows\System32\migwiz\dlmanifests\GroupPolicy-Admin-Gpedit-DL.man --a---- 1444 bytes [20:39 10/06/2009] [20:39 10/06/2009] 4C1989692F01B80E3D8835B9576AB8D7
C:\Windows\System32\migwiz\dlmanifests\GroupPolicy-Admin-Gpedit-Snapin-DL.man --a---- 1454 bytes [20:30 13/07/2009] [20:39 10/06/2009] BC18582D8C7CCB4D60E1FFF11ED880C1
C:\Windows\System32\migwiz\dlmanifests\GroupPolicy-CSE-SoftwareInstallation-DL.man --a---- 1923 bytes [20:39 10/06/2009] [20:39 10/06/2009] 12E02F00D7A917554F5BBAB7BF495848
C:\Windows\System32\spp\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms --a---- 3184 bytes [01:53 14/07/2009] [01:53 14/07/2009] FA5086F58E8F932241C11AA95793E2C1
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx --a---- 4198400 bytes [00:58 07/09/2009] [12:34 05/10/2014] 1AA819FDE4E3B8B718917CC84EDD6C98
C:\Windows\SysWOW64\migwiz\dlmanifests\GroupPolicy-Admin-Gpedit-DL.man --a---- 1444 bytes [21:21 10/06/2009] [21:21 10/06/2009] 4C1989692F01B80E3D8835B9576AB8D7
C:\Windows\SysWOW64\migwiz\dlmanifests\GroupPolicy-Admin-Gpedit-Snapin-DL.man --a---- 1454 bytes [20:38 13/07/2009] [21:21 10/06/2009] BC18582D8C7CCB4D60E1FFF11ED880C1
C:\Windows\SysWOW64\migwiz\dlmanifests\GroupPolicy-CSE-SoftwareInstallation-DL.man --a---- 1923 bytes [21:21 10/06/2009] [21:21 10/06/2009] 12E02F00D7A917554F5BBAB7BF495848
C:\Windows\SysWOW64\spp\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms --a---- 3184 bytes [01:25 14/07/2009] [01:25 14/07/2009] 33B91D1D83C99F4F172A80792DE08696
C:\Windows\winsxs\amd64_microsoft-windows-g..-admfiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bac93a5f7499a27f\GroupPolicy.adml --a---- 47802 bytes [05:35 14/07/2009] [02:28 14/07/2009] 6263729EE2D174772AEEC9D13164CEC5
C:\Windows\winsxs\amd64_microsoft-windows-g..licy-admin-admfiles_31bf3856ad364e35_6.1.7600.16385_none_beabfc5b1399cd8e\GroupPolicy.admx --a---- 23507 bytes [21:44 13/07/2009] [20:42 10/06/2009] 83BB65E6B2337BB08CDC107D67B03C0A
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_91d5eda96e27b8a8\GroupPolicy-License-ppdlic.xrm-ms --a---- 3184 bytes [01:53 14/07/2009] [01:53 14/07/2009] FA5086F58E8F932241C11AA95793E2C1
C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\GroupPolicy-Admin-Gpedit-DL.man --a---- 1444 bytes [20:39 10/06/2009] [20:39 10/06/2009] 4C1989692F01B80E3D8835B9576AB8D7
C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\GroupPolicy-Admin-Gpedit-Snapin-DL.man --a---- 1454 bytes [20:30 13/07/2009] [20:39 10/06/2009] BC18582D8C7CCB4D60E1FFF11ED880C1
C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\GroupPolicy-CSE-SoftwareInstallation-DL.man --a---- 1923 bytes [20:39 10/06/2009] [20:39 10/06/2009] 12E02F00D7A917554F5BBAB7BF495848
C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_en-us_4a55d4b395dfbf87\TsUsbRedirectionGroupPolicyExtension.dll.mui --a---- 2560 bytes [00:03 11/06/2011] [12:56 20/11/2010] 2C7FDD789220916D2A083C2A3E9F2FBA
C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_7df14b591094e7ec\TsUsbRedirectionGroupPolicyControl.exe --a---- 8192 bytes [00:03 11/06/2011] [13:25 20/11/2010] 4E1073B674746EEA0B2EA0F4775EA6A4
C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_7df14b591094e7ec\TsUsbRedirectionGroupPolicyExtension.dll --a---- 12288 bytes [00:06 11/06/2011] [13:27 20/11/2010] 04D4A3C86479841A8D8740DB3E9AA43C
C:\Windows\winsxs\amd64_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8c84f834fb466a2\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll --a---- 90112 bytes [05:35 14/07/2009] [02:32 14/07/2009] 36FC4413674DEE77D586535E7075ACB4
C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\Microsoft.GroupPolicy.AdmTmplEditor.dll --a---- 196096 bytes [00:03 11/06/2011] [13:44 20/11/2010] 6E1F814CEEFC54E14DDBA66415823CFE
C:\Windows\winsxs\amd64_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_2001b9c0d3b12e90\Microsoft.GroupPolicy.Interop.dll --a---- 151040 bytes [00:04 11/06/2011] [13:44 20/11/2010] 63A87E4AEF8F906BABEF2612C2A00586
C:\Windows\winsxs\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046.manifest --a---- 130857 bytes [10:39 13/06/2011] [02:52 13/06/2011] E0284AB6BFC059C869984B5F342A17EA
C:\Windows\winsxs\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046_gpapi.dll_868dd225 --a---- 96768 bytes [10:39 13/06/2011] [02:52 13/06/2011] 9C9307C95671AC962F3D6EB3A4A89BAE
C:\Windows\winsxs\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046_gpsvc.dll_970be02b --a---- 777728 bytes [10:39 13/06/2011] [02:52 13/06/2011] 277BBC7E1AA1EE957F573A10ECA7EF3A
C:\Windows\winsxs\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7.manifest --a---- 60362 bytes [02:59 14/07/2009] [02:59 14/07/2009] 4480558949DE24C3A4FBB96C649955C9
C:\Windows\winsxs\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7_gpapi.dll_868dd225 --a---- 79872 bytes [02:59 14/07/2009] [02:59 14/07/2009] 1097F3035BAF46CED8B332B3564C5108
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-blb-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_489a9cfa1badc4c5.manifest --a---- 2735 bytes [02:18 14/07/2009] [02:18 14/07/2009] 767089322AE389B0D56AF715A27A7A9E
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-e..storage-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_56ae7a348640808a.manifest --a---- 1143 bytes [02:34 14/07/2009] [02:11 14/07/2009] B7DE4A2F3875EB86DBC497250D87ED3C
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-base-mof_31bf3856ad364e35_6.1.7600.16385_none_4eb927112be23dff.manifest --a---- 3858 bytes [02:33 14/07/2009] [02:25 14/07/2009] F0EC7803CA9D3F095F80746A6CB5CD76
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046.manifest ------- 130857 bytes [23:32 10/06/2011] [10:40 20/11/2010] E0284AB6BFC059C869984B5F342A17EA
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-gpmc-api_31bf3856ad364e35_6.1.7600.16385_none_ce2150803ecebc37.manifest --a---- 8062 bytes [02:23 14/07/2009] [02:11 14/07/2009] 21DE17A4D3985DF676B1AD8B1A87F7D8
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-gpmc_31bf3856ad364e35_6.1.7600.16385_none_81887404025658c2.manifest --a---- 3838 bytes [02:15 14/07/2009] [02:11 14/07/2009] 2697794A1DFAE9170B5E9D3F10F37A7F
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_6.1.7600.16385_none_9344be31a8b7d6bd.manifest --a---- 7079 bytes [02:33 14/07/2009] [02:15 14/07/2009] EC25DAD298454419F6F0738CDFC82EE1
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_91d5eda96e27b8a8.manifest --a---- 2373 bytes [02:33 14/07/2009] [02:14 14/07/2009] CDB8B1C582DD3CF8238959AAB20F0249
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_c10c2a29895d4994.manifest --a---- 5613 bytes [02:25 14/07/2009] [02:25 14/07/2009] 34416A0313A1818C88B234EA9541D3A7
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_6.1.7600.16385_none_5beaaa2baeec35ea.manifest --a---- 5994 bytes [02:34 14/07/2009] [02:27 14/07/2009] 8F0B73E38547DA06BDEF4C7C66490D7A
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-r..rovider-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_b66f27da44d832be.manifest --a---- 2823 bytes [02:33 14/07/2009] [02:17 14/07/2009] 1C2698770EA0B12A17DF12943827780F
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-sensors-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_a65035cf2051eb10.manifest --a---- 1082 bytes [02:19 14/07/2009] [02:11 14/07/2009] 8AB351789F8A5AAF6F267DD5A2C5071D
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-shell-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_71af9b5b0a86e6b7.manifest --a---- 12047 bytes [02:12 14/07/2009] [02:12 14/07/2009] 9CFE19A0DFD29A049A6A3C8A9914BCCA
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-sideshow-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_3d672af801b65f41.manifest --a---- 1102 bytes [02:18 14/07/2009] [02:11 14/07/2009] 4FF5D17A819E2BB66E5A2501D61F43BA
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-winre-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_b3d6d249d258c32e.manifest --a---- 2765 bytes [02:34 14/07/2009] [02:26 14/07/2009] B80A0F9EA71D7604C92FE23798A2884A
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47.manifest ------- 2410 bytes [23:32 10/06/2011] [10:15 20/11/2010] D2DE584CEE4EE36C0C8B79D8B0C3CD0D
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.gpmgmtlib_31bf3856ad364e35_6.1.7600.16385_none_19f17f3901e25c5e.manifest --a---- 2428 bytes [02:24 14/07/2009] [02:11 14/07/2009] 82B23658F87EBD139DD4E23326127915
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.interop.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a36c985d3a17dcf.manifest --a---- 823 bytes [05:35 14/07/2009] [02:42 14/07/2009] BED5C2BC6AF88178F3171B3E69BB3DE6
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_2001b9c0d3b12e90.manifest ------- 2393 bytes [23:32 10/06/2011] [10:20 20/11/2010] A0C9472E6F53CEB97186FFAD33CBAA41
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.mtedit-nonmsil_31bf3856ad364e35_6.1.7600.16385_none_35b6188b4cf21f5f.manifest --a---- 1655 bytes [02:26 14/07/2009] [02:11 14/07/2009] 77C6F8FB3B473821B36B49DF5706531B
C:\Windows\winsxs\Manifests\amd64_microsoft.grouppolicy.private.gpmgmtplib_31bf3856ad364e35_6.1.7600.16385_none_0139a8fb7a7b5659.manifest --a---- 2448 bytes [02:17 14/07/2009] [02:11 14/07/2009] 0152E19753A7E7AAC73E530C6B2E90C5
C:\Windows\winsxs\Manifests\msil_microsoft.grouppolicy.gpoadmingrid_31bf3856ad364e35_6.1.7600.16385_none_d095ac5cf782e82f.manifest --a---- 1983 bytes [01:52 14/07/2009] [01:44 14/07/2009] B0BC1907CE7869CAC9A8F51C1B15A0B0
C:\Windows\winsxs\Manifests\msil_microsoft.grouppolicy.mtedit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a61ecdf84733e968.manifest --a---- 1001 bytes [05:35 14/07/2009] [02:42 14/07/2009] F4CEE346C19EE7FECA5A2C6690F68976
C:\Windows\winsxs\Manifests\msil_microsoft.grouppolicy.mtedit_31bf3856ad364e35_6.1.7600.16385_none_ff9852c3b090b469.manifest --a---- 1998 bytes [02:19 14/07/2009] [02:11 14/07/2009] 2FF333828C0E4B4C8645571142323BC5
C:\Windows\winsxs\Manifests\msil_microsoft.grouppolicy.reporting_31bf3856ad364e35_6.1.7601.17514_none_4c14798809666596.manifest ------- 2860 bytes [23:31 10/06/2011] [09:03 20/11/2010] 5A85F6C19DB99A894A4E3C64C21C0AB1
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7.manifest --a---- 60362 bytes [02:33 14/07/2009] [01:44 14/07/2009] 4480558949DE24C3A4FBB96C649955C9
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_6.1.7600.16385_none_663f547de34cf7e5.manifest --a---- 5992 bytes [02:34 14/07/2009] [01:43 14/07/2009] 74D53B650AB2BC3A7065D84232585312
C:\Windows\winsxs\Manifests\x86_microsoft-windows-grouppolicy-gpmc-api_31bf3856ad364e35_6.1.7600.16385_none_7202b4fc86714b01.manifest --a---- 8054 bytes [01:54 14/07/2009] [01:44 14/07/2009] D4FDF70600092B667DAEAA8876513A28
C:\Windows\winsxs\Manifests\x86_microsoft-windows-grouppolicy-gpmc_31bf3856ad364e35_6.1.7600.16385_none_2569d88049f8e78c.manifest --a---- 3832 bytes [01:50 14/07/2009] [01:44 14/07/2009] 97AD677480BECF5CE3F244C5FCC10F19
C:\Windows\winsxs\Manifests\x86_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_6.1.7600.16385_none_372622adf05a6587.manifest --a---- 7073 bytes [02:33 14/07/2009] [01:49 14/07/2009] 1A52D7CF7FF510A16584E7E5D80C0FA0
C:\Windows\winsxs\Manifests\x86_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_35b75225b5ca4772.manifest --a---- 2371 bytes [02:33 14/07/2009] [01:48 14/07/2009] 9CBE92895D5CB7C5F29EF94A626EFE8E
C:\Windows\winsxs\Manifests\x86_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_64ed8ea5d0ffd85e.manifest --a---- 5609 bytes [01:55 14/07/2009] [01:55 14/07/2009] 12702FAE70A3614D11F47F18BFEC2DD6
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11.manifest ------- 2406 bytes [23:32 10/06/2011] [09:04 20/11/2010] C258A009D955A8084660F1F995DB40E9
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.gpmgmtlib_31bf3856ad364e35_6.1.7600.16385_none_bdd2e3b54984eb28.manifest --a---- 2424 bytes [01:55 14/07/2009] [01:45 14/07/2009] C6E79C51C71D6F412181C4A76EDB606A
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.interop.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ce182e021b440c99.manifest --a---- 821 bytes [05:35 14/07/2009] [02:28 14/07/2009] 7A3EE376C0F6DCC57118B946D6359E4C
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_c3e31e3d1b53bd5a.manifest ------- 2389 bytes [23:32 10/06/2011] [09:09 20/11/2010] 419965799CEE9F76410E660E8AACD2F0
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.mtedit-nonmsil_31bf3856ad364e35_6.1.7600.16385_none_d9977d079494ae29.manifest --a---- 1653 bytes [01:57 14/07/2009] [01:45 14/07/2009] CA79ECA0A922FDAE981EA735ACD8453C
C:\Windows\winsxs\Manifests\x86_microsoft.grouppolicy.private.gpmgmtplib_31bf3856ad364e35_6.1.7600.16385_none_a51b0d77c21de523.manifest --a---- 2444 bytes [01:51 14/07/2009] [01:45 14/07/2009] E928152D3841CE0CD983B85ABE7F0547
C:\Windows\winsxs\msil_microsoft.grouppoli..reporting.resources_31bf3856ad364e35_6.1.7601.17514_en-us_eb21d606d8cd36b7\Microsoft.GroupPolicy.Reporting.Resources.dll --a---- 471040 bytes [00:03 11/06/2011] [12:19 20/11/2010] C00F50A3A8D15F2F050A0A9838D99E97
C:\Windows\winsxs\msil_microsoft.grouppolicy.reporting_31bf3856ad364e35_6.1.7601.17514_none_4c14798809666596\Microsoft.GroupPolicy.Reporting.dll --a---- 1851392 bytes [00:04 11/06/2011] [12:35 20/11/2010] C21EB170F553EAD23D02B519A338F03B
C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_35b75225b5ca4772\GroupPolicy-License-ppdlic.xrm-ms --a---- 3184 bytes [01:25 14/07/2009] [01:25 14/07/2009] 33B91D1D83C99F4F172A80792DE08696
C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\GroupPolicy-Admin-Gpedit-DL.man --a---- 1444 bytes [21:21 10/06/2009] [21:21 10/06/2009] 4C1989692F01B80E3D8835B9576AB8D7
C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\GroupPolicy-Admin-Gpedit-Snapin-DL.man --a---- 1454 bytes [20:38 13/07/2009] [21:21 10/06/2009] BC18582D8C7CCB4D60E1FFF11ED880C1
C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\GroupPolicy-CSE-SoftwareInstallation-DL.man --a---- 1923 bytes [21:21 10/06/2009] [21:21 10/06/2009] 12E02F00D7A917554F5BBAB7BF495848
C:\Windows\winsxs\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ca9b3ff9756f56c\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll --a---- 90112 bytes [05:35 14/07/2009] [02:12 14/07/2009] 7643FE2D5D8DC339868BD4D952E0F385
C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\Microsoft.GroupPolicy.AdmTmplEditor.dll --a---- 189952 bytes [00:03 11/06/2011] [12:35 20/11/2010] 38D88B9F15909C5EB12543B9ADD60665
C:\Windows\winsxs\x86_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_c3e31e3d1b53bd5a\Microsoft.GroupPolicy.Interop.dll --a---- 145920 bytes [00:04 11/06/2011] [12:35 20/11/2010] 7473DCFFD01F73BA2B2621555B02E09A

========== folderfind ==========

Searching for "*GroupPolicyUsers*"
C:\Windows\System32\GroupPolicyUsers d--h--- [03:20 14/07/2009]
C:\Windows\SysWOW64\GroupPolicyUsers d------ [03:20 14/07/2009]

Searching for "*GroupPolicy*"
C:\Windows\System32\GroupPolicy d--h--- [03:20 14/07/2009]
C:\Windows\System32\GroupPolicyUsers d--h--- [03:20 14/07/2009]
C:\Windows\SysWOW64\GroupPolicy d------ [03:20 14/07/2009]
C:\Windows\SysWOW64\GroupPolicyUsers d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-blb-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_489a9cfa1badc4c5 d------ [05:30 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-base-mof_31bf3856ad364e35_6.1.7600.16385_none_4eb927112be23dff d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046 d------ [23:43 10/06/2011]
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_6.1.7600.16385_none_9344be31a8b7d6bd d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_91d5eda96e27b8a8 d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_c10c2a29895d4994 d------ [05:30 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_6.1.7600.16385_none_5beaaa2baeec35ea d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-r..rovider-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_b66f27da44d832be d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-shell-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_71af9b5b0a86e6b7 d------ [05:30 14/07/2009]
C:\Windows\winsxs\amd64_microsoft-windows-winre-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_b3d6d249d258c32e d------ [03:20 14/07/2009]
C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47 d------ [02:47 13/06/2011]
C:\Windows\winsxs\amd64_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_2001b9c0d3b12e90 d------ [02:47 13/06/2011]
C:\Windows\winsxs\msil_microsoft.grouppolicy.reporting_31bf3856ad364e35_6.1.7601.17514_none_4c14798809666596 d------ [02:47 13/06/2011]
C:\Windows\winsxs\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7 d------ [03:20 14/07/2009]
C:\Windows\winsxs\wow64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_6.1.7600.16385_none_663f547de34cf7e5 d------ [03:20 14/07/2009]
C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_6.1.7600.16385_none_372622adf05a6587 d------ [03:20 14/07/2009]
C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-license_31bf3856ad364e35_6.1.7600.16385_none_35b75225b5ca4772 d------ [03:20 14/07/2009]
C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_64ed8ea5d0ffd85e d------ [05:30 14/07/2009]
C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11 d------ [02:48 13/06/2011]
C:\Windows\winsxs\x86_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_c3e31e3d1b53bd5a d------ [02:48 13/06/2011]

========== Regfind ==========

Searching for "GroupPolicyUsers"
No data found.

Searching for "GroupPolicy"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0]
"FileSysPath"="C:\Windows\System32\GroupPolicy\User"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7E37D5E7-263D-45CF-842B-96A95C63E46C}]
@="IGroupPolicyObject2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E37D5E7-263D-45CF-842B-96A95C63E46C}]
@="IGroupPolicyObject2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ar-SA~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~bg-BG~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~cs-CZ~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~da-DK~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~de-DE~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~el-GR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~es-ES~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~et-EE~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~fi-FI~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~fr-FR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~he-IL~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~hr-HR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~hu-HU~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~it-IT~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ja-JP~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ko-KR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~lt-LT~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~lv-LV~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~nb-NO~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~nl-NL~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~pl-PL~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~pt-BR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~pt-PT~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ro-RO~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ru-RU~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~sk-SK~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~sl-SI~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~sr-LATN-CS~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~sv-SE~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~th-TH~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~tr-TR~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~uk-UA~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~zh-CN~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~zh-HK~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~zh-TW~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageIndex\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~0.0.0.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514]
"InstallName"="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514]
"InstallName"="Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514]
"InstallName"="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514]
"InstallName"="Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-e..storage-grouppolicy_31bf3856ad364e35_none_34b5f228c326e4d5]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-grouppolicy-base-mof_31bf3856ad364e35_none_2b2f2f9b944dcfc8]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_none_b161cf710ae13543]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_none_3049cf314d8b697a]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-grouppolicy-license_31bf3856ad364e35_none_ccc1fa118cf0c227]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_none_105c01a2a2304275]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-r..rovider-grouppolicy_31bf3856ad364e35_none_4821884aca6b5f41]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-sensors-grouppolicy_31bf3856ad364e35_none_c93e68e8075dd8ff]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-sideshow-grouppolicy_31bf3856ad364e35_none_93492e5a6019cc16]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-winre-grouppolicy_31bf3856ad364e35_none_6ad9f35e655d1651]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_none_bbb679c33f41f73e]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_none_1ab0abf4d6910470]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-grouppolicy-gptext_31bf3856ad364e35_none_d42b33ad952df844]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-grouppolicy-license_31bf3856ad364e35_none_70a35e8dd49350f1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-GroupPolicy/Operational]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}]
@="Microsoft-Windows-GroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}\ChannelReferences\1]
@="Microsoft-Windows-GroupPolicy/Operational"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{bd2f4252-5e1e-49fc-9a30-f3978ad89ee2}]
@="Microsoft-Windows-GroupPolicyTriggerProvider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
"ProcessGroupPolicyEx"="ProcessWLANPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
"GenerateGroupPolicy"="GenerateWLANPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]
"DllName"="%SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]
"DisplayName"="@%SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll,-100"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
"GenerateGroupPolicy"="GenerateLANPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
"GenerateGroupPolicy"="GenerateIPSECPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
"ProcessGroupPolicy"="ProcessEQoSPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
"ProcessGroupPolicyEx"="ProcessWLANPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
"GenerateGroupPolicy"="GenerateWLANPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
"GenerateGroupPolicy"="GenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"ProcessGroupPolicy"="PrinterProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]
"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
"GenerateGroupPolicy"="GenerateLANPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]
"ProcessGroupPolicy"="ProcessTCPIPPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
"GenerateGroupPolicy"="GenerateIPSECPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]
"ProcessGroupPolicy"="ProcessEQoSPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]
"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{7E37D5E7-263D-45CF-842B-96A95C63E46C}]
@="IGroupPolicyObject2"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\Microsoft-Windows-GroupPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Parameters]
"ServiceMain"="GroupPolicyClientServiceMain"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\Microsoft-Windows-GroupPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\gpsvc\Parameters]
"ServiceMain"="GroupPolicyClientServiceMain"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Microsoft-Windows-GroupPolicy]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc\Parameters]
"ServiceMain"="GroupPolicyClientServiceMain"
[HKEY_USERS\S-1-5-21-3725795197-1872689522-2498876610-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0]
"FileSysPath"="C:\Windows\System32\GroupPolicy\User"

-= EOF =-
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby wannabeageek » October 7th, 2014, 12:03 am

Hi heyoka05,

Still not finding the info I need. Please run this again. Only the one log will be produced.

FRST - Farbar Recovery Scanner Tool for Vista-W7/8 Image should still be on your Desktop.
  1. Right click on FRST64.exe select "Run As Administrator" to run it. If prompted by UAC, please allow it. When the tool opens click Yes to disclaimer.
  2. Press Scan button. ... A log will be created FRST.txt in the same directory the tool is run.
  3. Please copy/paste FRST.txt it to your reply.
wannabeageek
MRU Master
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: infected with the cryptowall

Unread postby heyoka05 » October 7th, 2014, 9:29 pm

Hi wannabeageek,
Hope you are well and fine

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-10-2014 01
Ran by bigdog (administrator) on BIGDOG-HP on 07-10-2014 21:25:25
Running from C:\Users\bigdog\Desktop
Loaded Profile: bigdog (Available profiles: bigdog & lindi & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(BillP Studios) C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2799912 2011-10-25] (Synaptics Incorporated)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-07-21] (Hewlett-Packard Company)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-10-25] (IDT, Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [111640 2010-07-23] ()
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [336440 2011-06-13] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [587320 2011-06-14] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [WinPatrol] => C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe [328800 2012-02-24] (BillP Studios)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-07-31] (AVAST Software)
HKLM\...\RunOnce: [NCPluginUpdater] => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe [21720 2014-09-26] (Hewlett-Packard)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binscr <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binexe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bincom <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *‮* <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binpif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\arceee2.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\arc713a.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\arc713a.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\arc713a.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\arc713a.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\arceee2.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\arceee2.tmp\sstinstaller.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\arceee2.tmp\sstinstaller.exe <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3725795197-1872689522-2498876610-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-3725795197-1872689522-2498876610-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-18\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2011-03-04] (Hewlett-Packard Company)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
GroupPolicyUsers\S-1-5-21-3725795197-1872689522-2498876610-1271\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us-mg6.mail.yahoo.com/neo/launc ... 9dma1mpn54
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572 ... com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572 ... com/?_nkw={searchTerms}
SearchScopes: HKCU - DefaultScope {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
SearchScopes: HKCU - {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.co ... 4.24.0.cab
DPF: HKLM-x32 {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.motive.com/wizlet/DS ... ller64.cab
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:
========
FF ProfilePath: C:\Users\bigdog\AppData\Roaming\Mozilla\Firefox\Profiles\xf2x1qqs.default
FF NewTab: hxxp://www.google.com/firefox
FF DefaultSearchEngine: Google
FF SearchEngineOrder.1: Google
FF SelectedSearchEngine: Yahoo
FF Homepage: https://login.yahoo.com/config/login?.s ... hoo.com%2F
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_33 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: facebook.com/fbDesktopPlugin -> C:\Users\bigdog\AppData\Local\Facebook\Messenger\2.1.4814.0\npFbDesktopPlugin.dll (Facebook, Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-06-06]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-30]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-30] (AVAST Software)
R2 EpsonBidirectionalService; C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [86528 2012-09-27] (Hewlett-Packard Company) [File not signed]
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2011-03-04] (Hewlett-Packard Company) [File not signed]
R2 McciCMService; C:\Program Files (x86)\Common Files\Motive\McciCMService.exe [319488 2010-04-30] (Alcatel-Lucent) [File not signed]
R2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-04-30] (Alcatel-Lucent) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-30] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-30] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-30] ()
R3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-04-30] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-07 21:25 - 2014-10-07 21:25 - 00000000 ____D () C:\Users\bigdog\Desktop\FRST-OlderVersion
2014-10-05 21:16 - 2014-10-05 21:21 - 00095526 _____ () C:\Users\bigdog\Desktop\SystemLook.txt
2014-10-05 21:15 - 2014-10-05 21:15 - 00165376 _____ () C:\Users\bigdog\Desktop\SystemLook_x64.exe
2014-10-02 11:48 - 2014-10-02 11:48 - 00000246 _____ () C:\Users\bigdog\Desktop\gggg.txt
2014-10-01 23:06 - 2014-10-01 23:06 - 00000000 ____D () C:\Users\bigdog\Desktop\blendcache_dynamic paint
2014-10-01 23:06 - 2014-10-01 23:06 - 00000000 ____D () C:\Users\bigdog\Desktop\blendcache_dynamic paint
2014-10-01 22:56 - 2014-10-01 22:56 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-BIGDOG-HP-Microsoft-Windows-7-Home-Premium-(64-bit).dat
2014-10-01 22:55 - 2014-10-01 22:55 - 00000000 ____D () C:\RegBackup
2014-10-01 22:54 - 2014-10-01 22:54 - 00002199 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-10-01 22:54 - 2014-10-01 22:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-10-01 22:53 - 2014-10-01 22:53 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-09-29 21:19 - 2014-09-29 21:19 - 00028259 _____ () C:\Users\bigdog\Desktop\Addition.txt
2014-09-29 21:18 - 2014-10-07 21:25 - 00030548 _____ () C:\Users\bigdog\Desktop\FRST.txt
2014-09-29 21:18 - 2014-10-07 21:25 - 00000000 ____D () C:\FRST
2014-09-29 21:17 - 2014-10-07 21:25 - 02109952 _____ (Farbar) C:\Users\bigdog\Desktop\FRST64.exe
2014-09-29 21:15 - 2014-09-29 21:15 - 00103060 _____ () C:\Users\bigdog\Desktop\JRT.txt
2014-09-29 21:10 - 2014-09-29 21:10 - 00000000 ____D () C:\Windows\ERUNT
2014-09-29 21:09 - 2014-09-29 21:09 - 01699276 _____ (Thisisu) C:\Users\bigdog\Desktop\JRT.exe
2014-09-29 21:07 - 2014-09-29 21:07 - 00005832 _____ () C:\Users\bigdog\Desktop\AdwCleaner[S0].txt
2014-09-29 21:02 - 2014-09-29 21:05 - 00000000 ____D () C:\AdwCleaner
2014-09-29 21:01 - 2014-09-29 21:01 - 01373475 _____ () C:\Users\bigdog\Desktop\AdwCleaner.exe
2014-09-28 20:24 - 2014-09-28 20:24 - 00009728 _____ () C:\Users\lindi\Desktop\Boye 2.wps
2014-09-28 20:15 - 2014-09-28 20:15 - 00009728 _____ () C:\Users\lindi\Desktop\Boye 1.wps
2014-09-28 20:00 - 2014-10-01 12:37 - 00000160 _____ () C:\Users\lindi\AppData\Roaming\wklnhst.dat
2014-09-28 20:00 - 2014-09-28 20:00 - 00000000 ____D () C:\Users\lindi\AppData\Roaming\Template
2014-09-27 17:41 - 2014-09-27 17:41 - 00053248 _____ () C:\Windows\SysWOW64\zlib.dll
2014-09-27 17:41 - 2014-09-27 17:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2014-09-27 17:41 - 2014-09-27 17:41 - 00000000 ____D () C:\ProgramData\Foolish IT
2014-09-27 17:41 - 2014-09-27 17:41 - 00000000 ____D () C:\Program Files (x86)\Foolish IT
2014-09-26 23:04 - 2014-08-19 14:05 - 00374968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-26 23:04 - 2014-08-19 13:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-26 23:04 - 2014-08-18 19:01 - 23591424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-26 23:04 - 2014-08-18 18:29 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-26 23:04 - 2014-08-18 18:29 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-26 23:04 - 2014-08-18 18:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-26 23:04 - 2014-08-18 18:20 - 02793984 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-26 23:04 - 2014-08-18 18:19 - 05833728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-26 23:04 - 2014-08-18 18:15 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-26 23:04 - 2014-08-18 18:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-26 23:04 - 2014-08-18 18:14 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-26 23:04 - 2014-08-18 18:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-26 23:04 - 2014-08-18 18:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-26 23:04 - 2014-08-18 18:08 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-26 23:04 - 2014-08-18 18:08 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-26 23:04 - 2014-08-18 18:05 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-26 23:04 - 2014-08-18 18:03 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-26 23:04 - 2014-08-18 18:03 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-26 23:04 - 2014-08-18 18:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-26 23:04 - 2014-08-18 17:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-26 23:04 - 2014-08-18 17:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-26 23:04 - 2014-08-18 17:51 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-26 23:04 - 2014-08-18 17:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-09-26 23:04 - 2014-08-18 17:45 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-26 23:04 - 2014-08-18 17:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-26 23:04 - 2014-08-18 17:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-09-26 23:04 - 2014-08-18 17:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-09-26 23:04 - 2014-08-18 17:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-26 23:04 - 2014-08-18 17:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-26 23:04 - 2014-08-18 17:39 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-26 23:04 - 2014-08-18 17:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-26 23:04 - 2014-08-18 17:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-26 23:04 - 2014-08-18 17:38 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-26 23:04 - 2014-08-18 17:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-26 23:04 - 2014-08-18 17:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-09-26 23:04 - 2014-08-18 17:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-09-26 23:04 - 2014-08-18 17:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-26 23:04 - 2014-08-18 17:25 - 00727040 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-26 23:04 - 2014-08-18 17:25 - 00707072 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-26 23:04 - 2014-08-18 17:23 - 02104832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-26 23:04 - 2014-08-18 17:23 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-26 23:04 - 2014-08-18 17:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-26 23:04 - 2014-08-18 17:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-26 23:04 - 2014-08-18 17:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-26 23:04 - 2014-08-18 17:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-26 23:04 - 2014-08-18 17:16 - 13588480 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-26 23:04 - 2014-08-18 17:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-26 23:04 - 2014-08-18 17:15 - 02310656 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-26 23:04 - 2014-08-18 17:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-26 23:04 - 2014-08-18 17:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-26 23:04 - 2014-08-18 17:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-09-26 23:04 - 2014-08-18 16:55 - 01447424 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-26 23:04 - 2014-08-18 16:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-26 23:04 - 2014-08-18 16:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-26 23:04 - 2014-08-18 16:38 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-26 23:04 - 2014-08-18 16:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-09-26 21:27 - 2014-07-06 22:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-26 21:27 - 2014-07-06 22:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-26 21:27 - 2014-07-06 21:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-26 21:27 - 2014-07-06 21:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-26 21:27 - 2014-07-06 21:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-09-24 22:51 - 2014-09-24 22:51 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2014-09-24 22:51 - 2014-09-24 22:51 - 00000000 ____D () C:\Program Files (x86)\Kaspersky Lab
2014-09-24 21:16 - 2014-09-24 21:16 - 00000000 ____D () C:\Users\lindi\AppData\Local\Apple
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\lindi\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\lindi\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\lindi\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\lindi\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\Guest\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00008216 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\lindi\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\lindi\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\lindi\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\lindi\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\Guest\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00004152 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\lindi\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\lindi\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\lindi\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\lindi\AppData\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\Guest\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\Users\DECRYPT_INSTRUCTION.URL
2014-09-23 22:47 - 2014-09-23 22:47 - 00000276 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-09-23 22:46 - 2014-09-23 22:46 - 00008216 _____ () C:\Users\Guest\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:46 - 2014-09-23 22:46 - 00008216 _____ () C:\Users\Guest\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:46 - 2014-09-23 22:46 - 00008216 _____ () C:\Users\Guest\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:46 - 2014-09-23 22:46 - 00008216 _____ () C:\Users\bigdog\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:46 - 2014-09-23 22:46 - 00004152 _____ () C:\Users\Guest\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:46 - 2014-09-23 22:46 - 00004152 _____ () C:\Users\Guest\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:46 - 2014-09-23 22:46 - 00004152 _____ () C:\Users\Guest\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:46 - 2014-09-23 22:46 - 00004152 _____ () C:\Users\bigdog\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:46 - 2014-09-23 22:46 - 00000276 _____ () C:\Users\Guest\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-09-23 22:46 - 2014-09-23 22:46 - 00000276 _____ () C:\Users\Guest\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-23 22:46 - 2014-09-23 22:46 - 00000276 _____ () C:\Users\Guest\AppData\DECRYPT_INSTRUCTION.URL
2014-09-23 22:46 - 2014-09-23 22:46 - 00000276 _____ () C:\Users\bigdog\DECRYPT_INSTRUCTION.URL
2014-09-23 22:39 - 2014-09-23 22:39 - 00008216 _____ () C:\Users\bigdog\Downloads\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:39 - 2014-09-23 22:39 - 00004152 _____ () C:\Users\bigdog\Downloads\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:39 - 2014-09-23 22:39 - 00000276 _____ () C:\Users\bigdog\Downloads\DECRYPT_INSTRUCTION.URL
2014-09-23 22:09 - 2014-09-23 22:09 - 00008216 _____ () C:\Users\bigdog\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:09 - 2014-09-23 22:09 - 00008216 _____ () C:\Users\bigdog\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:09 - 2014-09-23 22:09 - 00008216 _____ () C:\Users\bigdog\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:09 - 2014-09-23 22:09 - 00004152 _____ () C:\Users\bigdog\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:09 - 2014-09-23 22:09 - 00004152 _____ () C:\Users\bigdog\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:09 - 2014-09-23 22:09 - 00004152 _____ () C:\Users\bigdog\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:09 - 2014-09-23 22:09 - 00000276 _____ () C:\Users\bigdog\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-09-23 22:09 - 2014-09-23 22:09 - 00000276 _____ () C:\Users\bigdog\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-23 22:09 - 2014-09-23 22:09 - 00000276 _____ () C:\Users\bigdog\AppData\DECRYPT_INSTRUCTION.URL
2014-09-23 22:04 - 2014-09-23 22:04 - 00008216 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-23 22:04 - 2014-09-23 22:04 - 00004152 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-23 22:04 - 2014-09-23 22:04 - 00000276 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-07 21:24 - 2009-07-14 01:13 - 01434440 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-07 16:27 - 2014-07-22 22:35 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForbigdog
2014-10-07 16:27 - 2014-07-22 22:35 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForbigdog.job
2014-10-07 16:26 - 2011-10-27 06:58 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-10-07 16:26 - 2011-06-09 17:57 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-10-07 16:22 - 2011-05-13 05:00 - 01134070 _____ () C:\Windows\WindowsUpdate.log
2014-10-07 16:22 - 2009-07-14 00:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-07 16:22 - 2009-07-14 00:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-07 16:15 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-07 16:15 - 2009-07-14 00:51 - 00116609 _____ () C:\Windows\setupact.log
2014-10-07 16:14 - 2011-05-13 05:05 - 00807400 _____ () C:\Windows\PFRO.log
2014-10-06 21:46 - 2011-06-13 12:10 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBIGDOG-HP$
2014-10-06 21:46 - 2011-06-13 12:10 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForBIGDOG-HP$.job
2014-10-05 23:50 - 2011-06-10 18:57 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\SoftGrid Client
2014-10-05 15:57 - 2011-06-06 01:42 - 00075184 _____ () C:\Users\bigdog\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-05 09:58 - 2011-07-13 12:34 - 00000000 ____D () C:\Users\bigdog\Documents\Estimates
2014-10-03 11:08 - 2011-07-24 21:06 - 00000000 ____D () C:\Users\bigdog\Documents\Invoices
2014-10-03 11:04 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-10-01 12:43 - 2014-04-11 15:07 - 00000000 ____D () C:\Users\lindi\AppData\Roaming\Adobe
2014-10-01 12:36 - 2012-07-11 01:49 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2014-09-29 17:16 - 2014-08-26 07:45 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-27 17:41 - 2014-04-11 15:04 - 00000632 __RSH () C:\Users\bigdog\ntuser.pol
2014-09-27 17:41 - 2011-06-06 01:39 - 00000000 ____D () C:\Users\bigdog
2014-09-27 14:02 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-09-26 23:03 - 2013-07-11 00:26 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-26 22:57 - 2011-06-06 09:37 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-26 16:29 - 2014-04-11 15:06 - 00000000 ____D () C:\Users\lindi
2014-09-26 16:29 - 2013-06-06 18:59 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Malwarebytes
2014-09-26 16:29 - 2013-06-06 18:59 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-26 16:29 - 2011-09-05 10:23 - 00000000 ____D () C:\Users\Guest
2014-09-26 16:29 - 2011-01-09 05:52 - 00000000 ____D () C:\ProgramData\RoxioNow
2014-09-26 16:29 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-09-26 16:29 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-09-26 16:29 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-09-26 16:28 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-09-26 16:25 - 2014-02-14 17:14 - 00000000 ____D () C:\Users\bigdog\Documents\wind_chime_1.01_syntrillium
2014-09-26 16:25 - 2013-09-16 21:20 - 00000000 ____D () C:\Users\bigdog\AppData\Local\Facebook
2014-09-26 16:25 - 2012-09-14 12:20 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Mozilla
2014-09-26 16:25 - 2012-06-24 12:29 - 00000000 ____D () C:\Users\bigdog\Documents\Acid loops
2014-09-26 16:25 - 2012-03-06 15:05 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Skype
2014-09-26 16:25 - 2012-01-10 02:42 - 00000000 ____D () C:\Users\Public\Documents\LuxRender
2014-09-26 16:25 - 2011-12-24 19:32 - 00000000 ____D () C:\Users\Guest\AppData\Local\Microsoft Games
2014-09-26 16:25 - 2011-07-07 16:48 - 00000000 ____D () C:\ProgramData\LogiShrd
2014-09-26 16:25 - 2011-06-06 19:24 - 00000000 ____D () C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2014-09-26 16:25 - 2011-06-06 09:50 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-09-26 16:25 - 2011-06-06 01:44 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Adobe
2014-09-26 16:25 - 2011-06-06 00:32 - 00000000 ____D () C:\Users\bigdog\AppData\Local\Microsoft Games
2014-09-26 16:25 - 2011-06-06 00:22 - 00000000 ____D () C:\Users\bigdog\AppData\Local\CyberLink
2014-09-26 16:25 - 2011-06-06 00:16 - 00000000 ____D () C:\ProgramData\Synaptics
2014-09-26 16:25 - 2011-01-09 06:00 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-09-26 16:25 - 2011-01-09 05:52 - 00000000 ____D () C:\ProgramData\Macrovision
2014-09-26 16:25 - 2011-01-09 05:43 - 00000000 ____D () C:\ProgramData\WildTangent
2014-09-26 16:25 - 2009-09-06 20:40 - 00000000 ___HD () C:\SYSTEM.SAV
2014-09-26 16:25 - 2009-09-06 20:40 - 00000000 ____D () C:\SwSetup
2014-09-26 16:24 - 2010-11-22 19:35 - 00000000 ___HD () C:\HP
2014-09-23 22:47 - 2014-04-11 13:28 - 00000000 ____D () C:\Users\Guest\Desktop\New folder
2014-09-23 22:46 - 2014-04-11 13:28 - 00000000 ____D () C:\Users\Guest\Desktop\DCIM
2014-09-23 22:39 - 2012-08-06 10:17 - 00000000 ____D () C:\Users\bigdog\Documents\Loan
2014-09-23 22:39 - 2012-06-17 22:34 - 00000000 ____D () C:\Users\bigdog\Documents\Sony ACID Music Studio 6.0 Projects
2014-09-23 22:38 - 2014-02-11 17:30 - 00000000 ____D () C:\Users\bigdog\Documents\DIY_Wind_Chime_Support_Plate_Calculator
2014-09-23 22:38 - 2012-10-27 09:43 - 00000000 ____D () C:\Users\bigdog\Documents\bansuri
2014-09-23 22:38 - 2012-01-21 10:09 - 00000000 ____D () C:\Users\bigdog\Documents\Freecorder
2014-09-23 22:09 - 2014-08-08 19:41 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\DesktopDPO-d00b9882479ed9b4899926f5c7e44f49
2014-09-23 22:09 - 2013-12-22 20:17 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Sygyt Software
2014-09-23 22:09 - 2012-11-25 11:05 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Cycling '74
2014-09-23 22:09 - 2012-06-17 22:34 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Sony
2014-09-23 22:09 - 2011-11-16 22:31 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Blender Foundation
2014-09-23 22:09 - 2011-06-16 09:43 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\SecondLife
2014-09-23 22:09 - 2011-06-14 22:59 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Real
2014-09-23 22:09 - 2011-06-10 08:26 - 00000000 ____D () C:\Users\bigdog\AppData\Roaming\Blio
2014-09-23 22:08 - 2014-01-08 21:04 - 00000000 ____D () C:\Users\bigdog\AppData\Local\CrazyBump
2014-09-23 22:08 - 2011-06-16 09:43 - 00000000 ____D () C:\Users\bigdog\AppData\Local\SecondLife
2014-09-23 22:08 - 2011-06-06 19:24 - 00000000 ____D () C:\Users\bigdog\AppData\Local\Apple Computer
2014-09-23 22:03 - 2013-05-04 17:28 - 00000000 ____D () C:\ProgramData\BlueStacksSetup
2014-09-23 22:03 - 2011-07-11 18:39 - 00000000 ____D () C:\ProgramData\Motive
2014-09-23 22:03 - 2011-01-09 05:53 - 00000000 ____D () C:\ProgramData\Sonic
2014-09-19 09:11 - 2011-06-10 18:57 - 00000000 ____D () C:\Users\bigdog\AppData\Local\CrashDumps
2014-09-19 09:11 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-09-15 09:06 - 2011-06-05 21:54 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-08 08:46 - 2009-07-14 01:08 - 00032580 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

Some content of TEMP:
====================
C:\Users\bigdog\AppData\Local\Temp\Quarantine.exe
C:\Users\bigdog\AppData\Local\Temp\SymCCIS.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-27 13:55

==================== End Of Log ============================
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby wannabeageek » October 8th, 2014, 10:28 am

Hi heyoka05,

Please run the following.
The file created will be 2-3 megabytes in size so posting as open text is out of the question.
You will need to upload it as an attachment.

Create a batch file
  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    • To make this easy, click the "select all" button then hover over the highlighted text and right mouse click to select copy.
    Code: Select all
    @echo off
    reg.exe export HKLM  C:\Users\bigdog\Desktop\look.reg
    ren C:\Users\bigdog\Desktop\look.reg look.txt
    Del %0
    
  3. Save the file as look.bat on your desktop. Save it with the file type... all types *.*.
  4. Right click on the file look.bat select "Run As Administrator" to run it. If prompted by UAC, please allow it.


Post the file look.txt as an attachment in your next post.

If it will not upload or you get a "web page" error , post back stating the issue.
wannabeageek
MRU Master
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: infected with the cryptowall

Unread postby heyoka05 » October 8th, 2014, 3:52 pm

Won't upload to the site .....I keep getting a " can't connect " to the website after about 30 sec. of uploading
According to Windows the file is huge ......435 mb and not 2 or 3
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby wannabeageek » October 9th, 2014, 3:29 pm

Hi heyoka05,

Try this: Right click on the file look.txt
Select "send to" menu item "Compressed zipped folder"
Then try and upload the zipped file.
wannabeageek
MRU Master
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: infected with the cryptowall

Unread postby heyoka05 » October 9th, 2014, 3:47 pm

Nope ....even with best compression , the file is still just under 28 megs
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby heyoka05 » October 9th, 2014, 5:37 pm

multipart rar .....be patient , there are 21 of them ....the site has a 1 meg limit
You do not have the required permissions to view the files attached to this post.
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby heyoka05 » October 9th, 2014, 5:48 pm

or rather 23 of them lol
You do not have the required permissions to view the files attached to this post.
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby heyoka05 » October 9th, 2014, 5:52 pm

received this error message ......."Sorry, the board attachment quota has been reached"
I'll try to upload the last 3 files in a bit
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am

Re: infected with the cryptowall

Unread postby heyoka05 » October 9th, 2014, 9:02 pm

apparently that's all I can upload ....may have to start an new thread as a workaround ......I have three more rar files to go ........any suggestions?
heyoka05
Regular Member
 
Posts: 72
Joined: July 11th, 2007, 11:48 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 47 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware