Gen.Variant.Adware.Dropper.101_fdf0c51840
not-a-virus:HEUR:AdWare.Script.Generic (Kaspersky), Gen:Variant.Adware.Dropper.101 (B) (Emsisoft), Gen:Variant.Adware.Dropper.101 (AdAware)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: fdf0c51840b110284159a64958453bfa
SHA1: 2faf60f92eaeb5a83e24de99bcf5efaeee4448c1
SHA256: c363ec4fe13867c060b3e8a9184fc2a91fc90d41e6d18d8ee22fa147c25a045b
SSDeep: 49152:yN2oe2pLoGg2wVgnaxpIjUB0QiDKoEg0tM8:yNTpLoz2wVgaxWUSQiDKO8
Size: 1624112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Lorenzi Davide (hexagora.com)
Created at: 2013-09-29 16:07:44
Analyzed on: WindowsXP SP3 32-bit
Summary:
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
regsvr32.exe:432
%original file name%.exe:1332
sgl8Il8F3X.exe:396
The PUP injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1332 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\LK_jdpvhhMK.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected] (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\install.rdf (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.exe (1775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\sqlite.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.x64.dll (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\lsdb.js (559 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\content.js (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\content\bg.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\manifest.json (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\background.html (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\chrome.manifest (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.dll (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.dat (3 bytes)
The PUP deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\content (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\LK_jdpvhhMK.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.tlb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\sqlite.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.x64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\lsdb.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\content.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\content\bg.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\manifest.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\background.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\bootstrap.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.dat (0 bytes)
The process sgl8Il8F3X.exe:396 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files%\surFF aunnD keEp\lZ2c7raA0.dll (14440 bytes)
%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.dat (259 bytes)
%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.exe (17200 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.dat (259 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.x64.dll (16544 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\surFF aunnD keEp.2.6.dat (294 bytes)
%Documents and Settings%\All Users\Application Data\f362fc35c4a3dbfb\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78} (76 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.tlb (259 bytes)
Registry activity
The process regsvr32.exe:432 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A B4 F2 AB F5 2C 56 4A A0 A0 D2 91 25 A8 5D 0A"
The process sgl8Il8F3X.exe:396 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"UninstallString" = "%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib]
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib]
"Version" = "1.0"
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\ProgID]
"(Default)" = "surff and! kkeep.2.19"
[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}]
"(Default)" = "IIEPluginMain"
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
"(Default)" = "surFF aunnD keEp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"Publisher" = "surff and! kkeep"
[HKCR\kkEEp\CurVer]
"(Default)" = "surff and! kkeep.2.19"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"DisplayName" = "surFF aunnD keEp"
"_In" = "20150830"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\kkEEp]
"(Default)" = "surFF aunnD keEp"
[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\kkeep.2.19\CLSID]
"(Default)" = "{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}"
[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}]
"(Default)" = "ILocalStorage"
[HKCU\Software\RegisteredApplicationsEx]
"e503ff3363743b08b4be8ef4998d7890" = "1"
[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
"(Default)" = "%Program Files%\surFF aunnD keEp\lZ2c7raA0.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"DisplayVersion" = "3.3.0.1377"
[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}]
"(Default)" = "IRegistry"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"NoRepair" = "1"
"InstallDate" = "20121127"
[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKCR\kkEEp\CLSID]
"(Default)" = "{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"CategoryName" = "SurfKeep"
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\InprocServer32]
"(Default)" = "%Program Files%\surFF aunnD keEp\lZ2c7raA0.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"URLInfoAbout" = "http://surfandkeep.info/"
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\VersionIndependentProgID]
"(Default)" = "surff and! kkeep"
[HKCR\kkeep.2.19]
"(Default)" = "surFF aunnD keEp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 A2 5F A0 AA 5F 61 6A 46 72 28 99 B0 C4 0D 29"
[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0]
"(Default)" = "IEPluginLib"
[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib]
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"URLUpdateInfo" = "http://surfandkeep.info/"
"SilentUninstall" = "%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
"(Default)" = "%Program Files%\surFF aunnD keEp"
[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78}]
"NoModify" = "1"
[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
"NoExplorer" = "1"
"(Default)" = "surFF aunnD keEp"
The PUP deletes the following registry key(s):
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\VersionIndependentProgID]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\InprocServer32]
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\Programmable]
[HKCR\CLSID\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}]
Dropped PE files
| MD5 | File path |
|---|---|
| 2f21b030acc94619252a33d36dc2694c | c:\Documents and Settings\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.exe |
| b5e8219112f5de28e71487fd8c367b8f | c:\Program Files\surFF aunnD keEp\lZ2c7raA0.dll |
| 51869d78edfbeb04d0805522d9232518 | c:\Program Files\surFF aunnD keEp\lZ2c7raA0.x64.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 128249 | 128512 | 4.37182 | 12f1d4f9728c149a960f386522eb2c19 |
| .rdata | 135168 | 32912 | 33280 | 3.24524 | 3dc31cf6bf057bf6a63f0c46763ee09b |
| .data | 172032 | 14524 | 6656 | 3.33124 | e1433d6a8fe92de3a31705d2819499a6 |
| .rsrc | 188416 | 5792 | 6144 | 2.94521 | c2c9e9775968ba5d9b3de85957d8ca86 |
| .reloc | 196608 | 18566 | 18944 | 2.0542 | f59edc8a14a01c262d921a748a193232 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 916
71172668f41dafa5bb37de3fe167410c
cba1965908c66e257a9048d9fad6eb02
c2368a6e450f7a3390555d49529471b7
53e57af2ffd9c8e4a5f1573a58dbaf24
461cfc158dad7ccf9827fd7dddf62af5
92d654ce1e5a6633931cf3e684987df9
f33cbfe74fac3744606fe6c1b35aae0c
402bdd48c8608c21b716bd75bc7eb888
2f246b2f8d2018b57328986cfa47f458
c48d94f400f37d0c2e76e4684a0a9113
8046a810f03b834223557865e5421f17
7388d8f70928799c2fe35f285fe31834
6ccaf563164dcd115e94708f43905667
634ab0940a996cf570e99b6a55e08f09
58295a3f6240c0178149e20332a6b8c1
20b8edaf2505363c8fa529b7d48ee6fd
52de300045a9a2f12df442dfb52d2c8d
4d2b75a7754d66c21215243d5462f95f
2b2fe155ff43455b4ef8a37d1720f6bc
29c0914a2dd45ade8992499c1284fdfe
921c1d577f22e966e82caba248cfd535
5dcf4fc9a3fb2a4e31cec3c920ef46d8
f315e700516771316cc4ae5dc7606d58
eeae71e7a8b125b9467bd6780272219a
de2a88b7f5268506c7581efa8f93a89a
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The PUP connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:432
%original file name%.exe:1332
sgl8Il8F3X.exe:396 - Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\LK_jdpvhhMK.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected] (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\install.rdf (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.exe (1775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\sqlite.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.x64.dll (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\lsdb.js (559 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\content.js (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\content\bg.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\manifest.json (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\bimommeihjcepmhfjimmipikabfddhbc\background.html (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\[email protected]\chrome.manifest (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\lZ2c7raA0.dll (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00294823\sgl8Il8F3X.dat (3 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.dll (14440 bytes)
%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.dat (259 bytes)
%Documents and Settings%\All Users\Application Data\surFF aunnD keEp\sgl8Il8F3X.exe (17200 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.dat (259 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.x64.dll (16544 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\{A4700059-3A4A-FB8A-44F2-5BD9ABC122E8}\surFF aunnD keEp.2.6.dat (294 bytes)
%Documents and Settings%\All Users\Application Data\f362fc35c4a3dbfb\{A35CA8FF-CB7D-8361-1CB9-83219CD11C78} (76 bytes)
%Program Files%\surFF aunnD keEp\lZ2c7raA0.tlb (259 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
