Skip to main content

Trojan.Win32.Swrort.3_074edc4761


Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 074edc4761cdd65c1a1acfe5b741c6f9

SHA1: a6bcbedaef717e2d3690b6613148d3f6d99a6506

SHA256: 95c8ac10344cd90e9d0912fe0d5713c9e66e681028f1cc54cda3b744e120face

SSDeep: 98304:hNn57GPdaNfEHOC6ocg/RcG6orUled5z7UKZKyAPNN/mGvjymJ1AkxIKkKvVtTiX:hNZGPdMEHKocg/R5X2ed5z7HDWjyTkK1

Size: 5822800 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: AutoPCBackup

Created at: 2015-05-08 17:12:10

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

cxHighIn.exe:348
cxbarsvc.exe:1592
cxbarsvc.exe:1748
cxbarsvc.exe:1808
%original file name%.exe:1068
TPIManagerConsole.exe:1452
ngen.exe:1276
{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028
0000042cT8SETUP.EXE:224
irsetup.exe:1900

The Trojan injects its code into the following process(es):

AppIntegrator.exe:240
mscorsvw.exe:1056

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1068 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (196915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (39950 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (0 bytes)

The process TPIManagerConsole.exe:1452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (694617 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)

The Trojan deletes the following file(s):

%Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (0 bytes)

The process ngen.exe:1276 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1398 bytes)

The process {0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process mscorsvw.exe:1056 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)

The process 0000042cT8SETUP.EXE:224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\AutoPCBackup_cx\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll (82 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmedint.exe (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregfft.dll (85 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll (121 bytes)
%System%\config (200 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll (98 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%System%\config\SOFTWARE.LOG (39433 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Program Files%\AutoPCBackup_cx\bar\Settings\s_pid.dat (8 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe (13 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CREXT.DLL (6424 bytes)
%System%\config\system (3777 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll (145 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe (90 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe (7386 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%Program Files%\AutoPCBackup_cx\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregiet.dll (87 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\chrome\cxffxtbr.jar (1829 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll (179 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskplay.exe (55 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll (5442 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6744 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll (104 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll (151 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll (146 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll (121 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%System%\config\software (34365 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8RES.DLL (198 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll (212 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll (147 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxidle.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL (1800 bytes)

The process irsetup.exe:1900 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (1209 bytes)
%Documents and Settings%\%current user%\Desktop\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe (4277 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe.config (195 bytes)
%Program Files%\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll (6275 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.dat (14600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\lua5.1.dll (2902 bytes)
%Program Files%\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml (1224 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.BMP (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (429 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll (4440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\DesktopSdk.dll (6514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\UnifiedLogging.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (8671 bytes)
%Program Files%\Mindspark\AutoPCBackup\RebootRequired.exe (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (19233 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AutoPCBackup\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoPCBackup Setup Log.txt (6542 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (0 bytes)

Registry activity

The process cxHighIn.exe:348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 53 D0 24 A6 9A 7E CA D6 69 B4 D8 7A A4 62 C4"

The process cxbarsvc.exe:1592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE AD 7D 2E E9 FB BE 55 26 C3 F8 06 A5 A3 23 ED"

The process cxbarsvc.exe:1748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 60 2B 4D B1 4A 8D EA DE 8D B6 21 2B 16 E2 95"

The process cxbarsvc.exe:1808 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 D9 5D 33 AA 34 7A 10 E9 5B 9C F6 61 32 76 E7"

The process %original file name%.exe:1068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 12 1B 5C CF B4 9A 92 24 AF E1 FF 4E FC 64 22"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ffTabs" = "0"
"nodns" = "0"

[HKCU\Software\AutoPCBackup_cx\Events\EventData]
"00000000_5" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"OToIData" = "001"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"OToIData"

The process TPIManagerConsole.exe:1452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies]
"dependencymanagerpath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"is64bit" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"FriendlyName" = "AutoPCBackup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A A5 88 AF 59 2D 28 10 8E A7 EE BB 9C 5E B1 78"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"uninstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\AutoPCBackup\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\AutoPCBackup\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ngen.exe:1276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 6B 5F 37 9E 27 B0 4D 12 2A A5 30 61 0F 05 A1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe\0]
"Scenario" = "0"

The process {0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 CD 9C AE BA 79 77 B7 2D B3 68 9A 91 F0 12 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process AppIntegrator.exe:240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 FD A2 5B 29 A2 FF F5 6F FE 19 71 C2 CF 4E 85"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process mscorsvw.exe:1056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 F3 8B 0C 69 57 7E 3B E6 F6 9F DE 36 3F 5E 91"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

The process 0000042cT8SETUP.EXE:224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"

[HKCR\AutoPCBackup_cx.ScriptButton.1\CLSID]
"(Default)" = "{c9aee132-2b0e-4bb8-9e8a-428d865a1809}"

[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"

[HKCR\AutoPCBackup_cx.ToolbarProtector\CurVer]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector.1"

[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}]
"(Default)" = "ITemplateBarMenu"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}]
"(Default)" = ""

[HKCR\AutoPCBackup_cx.SettingsPlugin]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin\MimeTypes\application/x-autopcbackup_cxplugin]
"Suffixes" = "cx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"

[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"HiddenToolbarReminder.dll" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"tiec" = "208976"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"UninstallString" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe cxbar.dll,O uninstalltype=IE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\TypeLib]
"(Default)" = "{EFD7FCF3-CD02-44C4-A571-6097755E3326}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"ID" = "02064214-778C-43DD-A77C-1325778F5D31"
"DeletedCustomizations" = "1"

[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\ProgID]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin.1"

[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}]
"(Default)" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"ToolbarGuard.dll" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"dir" = "%Program Files%\AutoPCBackup_cx\bar\"

[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}]
"(Default)" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"lidate" = "2015-06-13T11:13:22Z"

[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{bf93b40f-222c-4072-bacc-86e3a8c785d9}"

[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtPcx.exe" = "0"

[HKCR\AutoPCBackup_cx.ToolbarProtector]
"(Default)" = "ProtectorControl Class"

[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin"

[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}]
"(Default)" = "Disable Addon Rebuttal Control"

[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\MiscStatus]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\ProgID]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin.1"

[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\TypeLib]
"Version" = "1.0"

[HKCR\AutoPCBackup_cx.HTMLPanel.1\CLSID]
"(Default)" = "{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=781B6542&p2=^BVA&ptb=02064214-778C-43DD-A77C-1325778F5D31"

[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.FeedManager\CurVer]
"(Default)" = "AutoPCBackup_cx.FeedManager.1"

[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\TypeLib]
"(Default)" = "{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}"

[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\626"

[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}]
"(Default)" = "IThirdPartyInstaller"

[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"

[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}]
"(Default)" = "IDataCtrl"

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"vendor" = "AutoPCBackup_cx"

[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}]
"(Default)" = "POPUPMENU_INTERFACE"

[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\TypeLib]
"(Default)" = "{CE214850-70BB-4FA4-997D-2170966D4CC3}"

[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}]
"(Default)" = "SKINSETTINGS_INTERFACE"

[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"

[HKCR\AutoPCBackup_cx.MultipleButton.1]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"cxSrcAs.dll" = "0"

[HKCR\AutoPCBackup_cx.SettingsPlugin.1]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"AppName" = "AppIntegrator.exe"

[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll"

[HKCR\AutoPCBackup_cx.FeedManager.1]
"(Default)" = ""

[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.HTMLPanel\CurVer]
"(Default)" = "AutoPCBackup_cx.HTMLPanel.1"

[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\TypeLib]
"(Default)" = "{5A194A36-36C0-477A-802E-8E975BDBB610}"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}]
"(Default)" = "AutoPCBackup_cx HTML"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"SettingsDir" = "%Program Files%\AutoPCBackup_cx\bar\Settings\"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}]
"(Default)" = "SEARCHSCOPE_INTERFACE"

[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"

[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin\MimeTypes\application/x-autopcbackup_cxplugin]
"Description" = "AutoPCBackup Plugin"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\AutoPCBackup_cx\bar\1.bin\cxBar.dll,O mindsparktoolbarkey=AutoPCBackup_cx uninstalltype=IE"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"AppName" = "cxSlSrch.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"AppName" = "cxmedint.exe"

[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}]
"(Default)" = "AutoPCBackup_cx HTML Menu"

[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]
"(Default)" = "Search Assistant BHO"

[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\ProgID]
"(Default)" = "AutoPCBackup_cx.HTMLMenu.1"

[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll"

[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}]
"(Default)" = "IDisableAddonRebuttal"

[HKCR\AutoPCBackup_cx.MultipleButton\CurVer]
"(Default)" = "AutoPCBackup_cx.MultipleButton.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"

[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\TypeLib]
"(Default)" = "{5a194a36-36c0-477a-802e-8e975bdbb610}"

[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}]
"(Default)" = "IHttpControl"

[HKCR\AutoPCBackup_cx.HTMLMenu\CurVer]
"(Default)" = "AutoPCBackup_cx.HTMLMenu.1"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PartnerPixelNotSet" = ""

[HKCR\AutoPCBackup_cx.ThirdPartyInstaller.1]
"(Default)" = "AutoPCBackup Third Party Installer"

[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll"

[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.ScriptButton.1]
"(Default)" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"UninstallFFString" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe cxbar.dll,O uninstalltype=FF"

[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"

[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0]
"(Default)" = "TYPELIB_NAME"

[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"

[HKCR\AutoPCBackup_cx.MultipleButton.1\CLSID]
"(Default)" = "{caf8c658-43b4-4633-af39-71e19188aa79}"

[HKLM\SOFTWARE\AutoPCBackup_cx\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"

[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"

[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1406"

[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"

[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"un" = "AutoPCBackup"

[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c401ed53-7842-45d3-aac0-cad287067bfd}]
"(Default)" = ""

[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1506"

[HKCR\AutoPCBackup_cx.ToolbarProtector.1\CLSID]
"(Default)" = "{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}"

[HKCR\AutoPCBackup_cx.HTMLMenu.1\CLSID]
"(Default)" = "{1448EE35-A6C6-4AF6-8AB8-D015938567CF}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Build" = "102.20593"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\TypeLib]
"(Default)" = "{48157e3e-f8e1-481a-a0e4-2c2f93094be0}"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll"

[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\AutoPCBackup_cx\bar\1.bin\cxBar.dll,O mindsparktoolbarkey=AutoPCBackup_cx uninstalltype=FF"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"(Default)" = "Skin Settings"

[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"

[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}\InprocServer32]
"(Default)" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll"

[HKCR\AutoPCBackup_cx.ScriptButton\CurVer]
"(Default)" = "AutoPCBackup_cx.ScriptButton.1"

[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\ProgID]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Description" = "AutoPCBackup Plugin"

[HKCR\AutoPCBackup_cx.SettingsPlugin.1\CLSID]
"(Default)" = "{8198f7e2-d249-4fea-8309-d93b4b06cbaf}"

[HKCR\AutoPCBackup_cx.ThirdPartyInstaller\CLSID]
"(Default)" = "{c401ed53-7842-45d3-aac0-cad287067bfd}"

[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PluginPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\"

[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\ProgID]
"(Default)" = "AutoPCBackup_cx.ScriptButton.1"

[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}]
"(Default)" = "AutoPCBackup"

[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{c401ed53-7842-45d3-aac0-cad287067bfd}"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\TypeLib]
"(Default)" = "{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}"

[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\TypeLib]
"(Default)" = "{936A6725-C9B9-47B8-A0E7-C9F34535B820}"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}]
"(Default)" = "IIEInstalledToolbar"

[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\TypeLib]
"(Default)" = "{CE214850-70BB-4FA4-997D-2170966D4CC3}"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"hpp" = "0"

[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"AppName" = "CrExtPcx.exe"

[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.FeedManager]
"(Default)" = ""

[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"

[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"

[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.MultipleButton"

[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"cxSrcAs.dll" = ""

[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}]
"(Default)" = "Pseudo Transparent Plugin"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"Policy" = "3"

[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\625"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"nd" = "0"

[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"RegisteredWithFirefox" = "1"

[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin\CLSID]
"(Default)" = "{bf93b40f-222c-4072-bacc-86e3a8c785d9}"

[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}" = ""

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll"

[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll"

[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}]
"(Default)" = "IProtectorControl"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\TypeLib]
"(Default)" = "{e99bb286-e393-429e-a620-e146ed98cb77}"

[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}]
"(Default)" = "_IDataCtrlEvents"

[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"Policy" = "3"

[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.HTMLPanel"

[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}]
"(Default)" = "IHttpControlEvents"

[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1104"

[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\TypeLib]
"(Default)" = "{5A194A36-36C0-477A-802E-8E975BDBB610}"

[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1604"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll"

[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}]
"(Default)" = "HTMLPANEL_INTERFACE"

[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\AUTOPC~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\ProgID]
"(Default)" = "AutoPCBackup_cx.HTMLPanel.1"

[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"au" = "1"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Version" = "1.1.1.1"

[HKCR\AutoPCBackup_cx.FeedManager\CLSID]
"(Default)" = "{141c1180-299a-4c21-92aa-10b514dd9274}"

[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\100"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"cxDlgHk.dll" = ""

[HKCR\AutoPCBackup_cx.ThirdPartyInstaller]
"(Default)" = "AutoPCBackup Third Party Installer"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}" = ""

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\TypeLib]
"Version" = "1.0"

[HKCR\AutoPCBackup_cx.ThirdPartyInstaller\CurVer]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller.1"

[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0]
"(Default)" = "HTML 1.0 Type Library"

[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}]
"(Default)" = "DataCtrl Class"

[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Maximized" = "1"
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"

[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}]
"(Default)" = "ITemplateBarSettings"

[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}]
"(Default)" = "AutoPCBackup Third Party Installer"

[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}]
"(Default)" = "ITemplateBarControl"

[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"

[HKCR\AutoPCBackup_cx.HTMLMenu.1]
"(Default)" = "AutoPCBackup_cx HTML Menu"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\905"

[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"od" = "1"

[HKCR\AutoPCBackup_cx.ScriptButton]
"(Default)" = ""

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ok" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"Policy" = "3"

[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ScriptButton"

[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\TypeLib]
"(Default)" = "{936a6725-c9b9-47b8-a0e7-c9f34535b820}"

[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}]
"(Default)" = "ISessionData"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"AssistMonitor.dll" = ""

[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}]
"(Default)" = "ITemplateHTMLMenu"

[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"

[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\TypeLib]
"(Default)" = "{3bd2225f-2f0f-42c9-bf65-7eb07a5ebdcb}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"Policy" = "3"

[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\ProgID]
"(Default)" = "AutoPCBackup_cx.MultipleButton.1"

[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}]
"(Default)" = "IIEInstalledToolbars"

[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}]
"(Default)" = "SKINWINDOW_INTERFACE"

[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"sr" = "0"

[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}]
"(Default)" = "Popup Menu Plugin"

[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}]
"(Default)" = "ProtectorControl Class"

[HKCR\AutoPCBackup_cx.SettingsPlugin\CLSID]
"(Default)" = "{8198f7e2-d249-4fea-8309-d93b4b06cbaf}"

[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}]
"(Default)" = "ITemplateBarButtonRect"

[HKCR\AutoPCBackup_cx.MultipleButton\CLSID]
"(Default)" = "{caf8c658-43b4-4633-af39-71e19188aa79}"

[HKCR\AutoPCBackup_cx.ToolbarProtector\CLSID]
"(Default)" = "{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}"

[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\TypeLib]
"(Default)" = "{efd7fcf3-cd02-44c4-a571-6097755e3326}"

[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin\CurVer]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin.1"

[HKCR\AutoPCBackup_cx.HTMLMenu]
"(Default)" = "AutoPCBackup_cx HTML Menu"

[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\TypeLib]
"(Default)" = "{936A6725-C9B9-47B8-A0E7-C9F34535B820}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}]
"(Default)" = ""

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\ProgID]
"(Default)" = "AutoPCBackup_cx.FeedManager.1"

[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\TypeLib]
"(Default)" = "{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}"

[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\ProgID]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller.1"

[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\TypeLib]
"(Default)" = "{EFD7FCF3-CD02-44C4-A571-6097755E3326}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll"

[HKLM\SOFTWARE\AutoPCBackup_cx\SkinTools]
"PlayerPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSkPlay.exe"

[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll"

[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Path" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\NPcxStub.dll"

[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\TypeLib]
"(Default)" = "{e554852a-1a28-4c1b-bd52-1bce7711c9ad}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"

[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 51 A1 3A 1E 03 CF 92 CA 47 49 B6 C2 22 91 DC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}]
"(Default)" = ""

[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bf93b40f-222c-4072-bacc-86e3a8c785d9}]
"(Default)" = ""

[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}]
"(Default)" = "_ITemplateBarSettingsEvents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ua" = "0"

[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}]
"(Default)" = ""

[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}]
"(Default)" = ""

[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AutoPCBackup_cx.HTMLMenu\CLSID]
"(Default)" = "{1448EE35-A6C6-4AF6-8AB8-D015938567CF}"

[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}]
"(Default)" = "BARFEED_INTERFACE"

[HKCR\AutoPCBackup_cx.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"

[HKCR\AutoPCBackup_cx.MultipleButton]
"(Default)" = ""

[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\AutoPCBackup_cx.FeedManager.1\CLSID]
"(Default)" = "{141c1180-299a-4c21-92aa-10b514dd9274}"

[HKCR\AutoPCBackup_cx.HTMLPanel.1]
"(Default)" = "AutoPCBackup_cx HTML Panel"

[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"AppName" = "cxSkPlay.exe"

[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"

[HKCR\AutoPCBackup_cx.HTMLPanel\CLSID]
"(Default)" = "{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}"

[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll"

[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}]
"(Default)" = "Toolbar BHO"

[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}]
"(Default)" = "ITemplatePopupMenu"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Visible" = "1"

[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\405"

[HKCR\AutoPCBackup_cx.HTMLPanel]
"(Default)" = "AutoPCBackup_cx HTML Panel"

[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PID" = "^BVA"

[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}]
"(Default)" = "HttpControl Class"

[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0]
"(Default)" = "Skin 1.0 Type Library"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"nk" = "0"

[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.HTMLMenu"

[HKCR\AutoPCBackup_cx.ScriptButton\CLSID]
"(Default)" = "{c9aee132-2b0e-4bb8-9e8a-428d865a1809}"

[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"

[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"

[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"Policy" = "3"

[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1807"

[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AutoPCBackup_cx.SettingsPlugin\CurVer]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"DisplayName" = "AutoPCBackup Toolbar & Supporting Application"

[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}]
"(Default)" = "_IThirdPartyInstallerEvents"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"

[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.FeedManager"

[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"CurInstall" = "1"
"pl" = "9"

[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\TypeLib]
"(Default)" = "{c9c9d133-69c2-42bc-ac1f-0e896b7f821e}"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup AppIntegrator 32-bit" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe"

"AutoPCBackup" = "rundll32 C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll,S"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{848d8086-b611-4ecb-a501-639851083359}]
"(Default)" = ""

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"pid2"
"ConfigDateStamp"
"un"

The process irsetup.exe:1900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"DisplayName" = "AutoPCBackup Supporting Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"Publisher" = "Mindspark Interactive Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"URLInfoAbout" = "http://www.mindspark.com"

"UninstallString" = "%Program Files%\Mindspark\AutoPCBackup\uninstall.exe /U:%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"HelpLink" = "http://www.mindspark.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"DisplayIcon" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"Contact" = "Mindspark Interactive Network Support Department"
"DisplayVersion" = "1.0.370b25ea5bd72be9ccd77691bfb0880521c9a771.192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 B3 9C 91 FB E9 10 69 D6 CE 63 FF 78 69 17 2F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\Mindspark\AutoPCBackup"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe /AutoRestart"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
f0c2c3d183a087b51dbe88dd773126b6c:\Program Files\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE
3d6b337517336594470f070bbc7188ddc:\Program Files\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL
36194eb9cf8c55d41ce917beb9d0cd61c:\Program Files\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL
ef0439594263d5e3ee0a0b87717d8f30c:\Program Files\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL
cf182742aa4f29b44dfd95779c3a79d0c:\Program Files\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe
0da866b437db8560d9bb83f1c14b2e79c:\Program Files\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll
ed0259fd945476d3e1f5175a22a5281ac:\Program Files\AutoPCBackup_cx\bar\1.bin\CREXT.DLL
b3e27442407095a8fcee6e827b87baf6c:\Program Files\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe
b7887260ed97aa7474c22e0409ec20bac:\Program Files\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL
bf22cfcd99cacfd5cc557196593a429bc:\Program Files\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll
9e6225a6deab5b28d8971ea09a57881dc:\Program Files\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL
258974b87536c176f852bed3df551146c:\Program Files\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL
fdb44ebf6a36cb1cd99401e209f53b6ac:\Program Files\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll
99e6d5152ec5ebee8575ae94cd4801ebc:\Program Files\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL
a4a441ebd83fd66d03f10895419fadb7c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL
c69ec2b5d9e89d5c8e05be1d482e7f82c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL
6bc6e9db38a9cfea465b64177606e66dc:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL
32f857d34001b795a898f7c50651af6bc:\Program Files\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL
e4dd6a5325848bc353c0d441ac29b283c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8RES.DLL
9294b3d8e5052ecf3c23d31eecab8f07c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL
b273c99560d26fb5a08e3cebf47e5bb1c:\Program Files\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL
5d16b944c42a8468f9cf59b96947c917c:\Program Files\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL
7040b23a128b49a97ca8f8d93c451677c:\Program Files\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE
eb4aa26e1a5c3cd6256a48b3c88c0059c:\Program Files\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL
84960b155e9ff6c931cd21798ce217b2c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL
267202f1663f579b55e3fcb177fd2a77c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL
994ef00fad9a8e289c9ce0a7c085bfc2c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE
58cb372449dab3a2c798e4c2454bee91c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE
cbfdb354f658af062be791b6914eb25ac:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL
2205c3df09c286a6059415c16023c6e7c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL
e999b0d00082accdf9514b9b18cf27f2c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE
9389f5b1c2c2684adb948a1fb161f0cbc:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL
c1285334ce13d734083fc8f5bd0f9a66c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL
143678734dbbf30ff73b2a1e182970d6c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll
feaa90789a41e01caefcb5b02cefede9c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll
99cc9f1e159d11f08cae0e3ae8726011c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbar.dll
09c2c30e15dcb3c1d197208e51e8a8f4c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe
c0d2405e4d44656a1729b0a8b29123dbc:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll
629ea085462a9832c8e1d4804c9131a1c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdatact.dll
5b723723a3b15807efb90dbfbf9989ecc:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll
c120998d06bf3198dc39a6f6b48a636dc:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll
cf959830a291941bb68b228492442da5c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll
cfcf18eda229d24d880b4eefb2eeaa09c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhighin.exe
0358525c385bd4246bcbd5cb52c25d84c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll
ba0b181aa48ed4d50ea2fc9e957630d8c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll
f5e0a300d3c344cbf20538ea61915dcac:\Program Files\AutoPCBackup_cx\bar\1.bin\cxidle.dll
70dc4406538aa6508f51a9b91150082cc:\Program Files\AutoPCBackup_cx\bar\1.bin\cxmedint.exe
787f17d71fb75e9539244194bf352fe5c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll
0d05671b86d96031a8a46cde84a0ea16c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxregfft.dll
541a039e3b5f3859117efe498b062cccc:\Program Files\AutoPCBackup_cx\bar\1.bin\cxregiet.dll
09325e2140cd35d9f2e303f2943ec075c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxscript.dll
b9892a2d0e2550615db1f7ff60bc7008c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxskin.dll
18804f338e38b8720ba1538e31c97cc0c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxskplay.exe
cf0646bb879911192c833e314e0afc57c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll
daf13c8e9544549a83cc2f5ae58516b1c:\Program Files\Mindspark\AutoPCBackup\AutoPCBackup.exe
b5200c231609c2d619e5b6c77b9b790fc:\Program Files\Mindspark\AutoPCBackup\DesktopSdk.dll
4370c5093c1f9dead07c96c10c9dd8e1c:\Program Files\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll
4b81657378341213e57cf8f2ceea7865c:\Program Files\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll
da0c4a024f87e44eb868b785968f7be1c:\Program Files\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll
d076db892606f419d5a0e9674875961bc:\Program Files\Mindspark\AutoPCBackup\RebootRequired.exe
e14a3a5e0c83811e7f7cea720f089c17c:\Program Files\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll
9026e5d3a8c36fc5f711afc78cb8f7a7c:\Program Files\Mindspark\AutoPCBackup\UnifiedLogging.dll
8c0b6838878f3dd76135f999ddb1c900c:\Program Files\Mindspark\AutoPCBackup\lua5.1.dll
eb87773cf10284a6db7dfb1638705769c:\Program Files\Mindspark\AutoPCBackup\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cxHighIn.exe:348
    cxbarsvc.exe:1592
    cxbarsvc.exe:1748
    cxbarsvc.exe:1808
    %original file name%.exe:1068
    TPIManagerConsole.exe:1452
    ngen.exe:1276
    {0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028
    0000042cT8SETUP.EXE:224
    irsetup.exe:1900

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (196915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (39950 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (694617 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL (202 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
    %Program Files%\AutoPCBackup_cx\bar\gen1\COMMON.T8S (1 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll (82 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxmedint.exe (12 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll (171 bytes)
    %Program Files%\AutoPCBackup_cx\bar\Message\COMMON.T8S (106 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALL.RDF (2 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxregfft.dll (85 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll (121 bytes)
    %System%\config (200 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL (1681 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll (98 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL (70 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\installKeys.js (207 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL (218 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
    %System%\config\SOFTWARE.LOG (39433 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
    %Program Files%\AutoPCBackup_cx\bar\Settings\s_pid.dat (8 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\LOGO.BMP (10 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL (171 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\BOOTSTRAP.JS (20 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe (13 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\CREXT.DLL (6424 bytes)
    %System%\config\system (3777 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll (145 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe (90 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe (7386 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
    %Program Files%\AutoPCBackup_cx\bar\assists\COMMON.T8S (138 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
    %System%\config\SYSTEM.LOG (5001 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxregiet.dll (87 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\chrome\cxffxtbr.jar (1829 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll (179 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxskplay.exe (55 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll (5442 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe (265 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll (104 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll (151 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL (108 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll (214 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll (146 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll (121 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL (79 bytes)
    %System%\config\software (34365 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\CHROME.MANIFEST (1 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8RES.DLL (198 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll (212 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll (147 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL (102 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\cxidle.dll (61 bytes)
    %Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (1209 bytes)
    %Documents and Settings%\%current user%\Desktop\AutoPCBackup.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (1 bytes)
    %Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe (4277 bytes)
    %Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe.config (195 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll (1137 bytes)
    %Program Files%\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll (6275 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.dat (14600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (3 bytes)
    %Program Files%\Mindspark\AutoPCBackup\lua5.1.dll (2902 bytes)
    %Program Files%\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (3 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml (1224 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.BMP (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (429 bytes)
    %Program Files%\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll (4440 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.PNG (4 bytes)
    %Program Files%\Mindspark\AutoPCBackup\DesktopSdk.dll (6514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (1 bytes)
    %Program Files%\Mindspark\AutoPCBackup\UnifiedLogging.dll (1137 bytes)
    %Program Files%\Mindspark\AutoPCBackup\uninstall.exe (9213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (8671 bytes)
    %Program Files%\Mindspark\AutoPCBackup\RebootRequired.exe (1137 bytes)
    %Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (19233 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\AutoPCBackup\AutoPCBackup.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoPCBackup Setup Log.txt (6542 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AutoPCBackup AppIntegrator 32-bit" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AutoPCBackup" = "rundll32 C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll,S"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AutoPCBackup" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe /AutoRestart"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: AutoPCBackup
Product Name: AutoPCBackup
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: cxSetup.exe
Internal Name: cxSetup
File Version: 2, 0, 5, 6
File Description: AutoPCBackup
Comments:
Language: Language Neutral

Company Name: AutoPCBackupProduct Name: AutoPCBackupProduct Version: 2, 0, 5, 6Legal Copyright: Copyright (c) 2009 - 2014Legal Trademarks: Original Filename: cxSetup.exeInternal Name: cxSetupFile Version: 2, 0, 5, 6File Description: AutoPCBackupComments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096779081924.273372025105e80249339871a8364b9d6462e
.rdata122888748122881.93802572d1e8b7ed8ad6d42375759a3f883bf
.data24576212640961.237291c7e0ea211faa299dbdfeafcd23371b5
.rsrc28672578610457876485.42465b5659df67a9d9018b876cf171b3240fd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://a728.g2.akamai.net/images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl
hxxp://ak.dl.autopcbackup.com/images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe194.146.191.104
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl23.43.133.163
hxxp://crl.verisign.com/pca3-g5.crl23.43.133.163
hxxp://crl.thawte.com/ThawteTimestampingCA.crl23.43.133.163
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl23.43.133.163
anx.mindspark.com74.113.233.187

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tss-ca-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: ts-crl.ws.symantec.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "ccfb395c271afc099abec1e2735f53b6:1434186400"

Last-Modified: Sat, 13 Jun 2015 09:06:40 GMT

Date: Sat, 13 Jun 2015 11:13:33 GMT

Content-Length: 477

Connection: keep-alive

Content-Type: application/pkix-crl

0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..150613090115Z..150623090115Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......y0...*.H..............]..'..m...>.i........JN22.Y...2.c ...y....#"..=..h.]PTI.=uN;P...z.P.:...Z._..u.z1.vW}~.{Q....Q....mx]L.S^..K.....$x.8....@=.?....).EDC.....@.......F.n.L.q..9#...[...46..<.}.6...#K.|....@<.!. ..-.1)...k./.rY......bq$.....z;M"...<)...9..;2wHC.p~......\_..8.HTTP/1.1 200 OK..Server: Apache..ETag: "ccfb395c271afc099abec1e2735f53b6:1434186400"..Last-Modified: Sat, 13 Jun 2015 09:06:40 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 477..Connection: keep-alive..Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..150613090115Z..150623090115Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......y0...*.H..............]..'..m...>.i........JN22.Y...2.c ...y....#"..=..h.]PTI.=uN;P...z.P.:...Z._..u.z1.vW}~.{Q....Q....mx]L.S^..K.....$x.8....@=.?....).EDC.....@.......F.n.L.q..9#...[...46..<.}.6...#K.|....@<.!. ..-.1)...k./.rY......bq$.....z;M"...<)...9..;2wHC.p~......\_..8...

GET /ThawteTimestampingCA.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.thawte.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "02e277383c1ef089951c3afe285accbd:1427488519"

Last-Modified: Fri, 27 Mar 2015 20:35:19 GMT

Date: Sat, 13 Jun 2015 11:13:33 GMT

Content-Length: 341

Connection: keep-alive

Content-Type: application/pkix-crl

0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..150318000000Z..150630235959Z0...*.H..............-0.u.f..0.C..O. ..._....m....V......Zb.=.!`...@..[.Q.c...#..}b...Q..c...q....X.....}u}........K..}A(...bQ@.w.y.[........P9G^..HTTP/1.1 200 OK..Server: Apache..ETag: "02e277383c1ef089951c3afe285accbd:1427488519"..Last-Modified: Fri, 27 Mar 2015 20:35:19 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 341..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..150318000000Z..150630235959Z0...*.H..............-0.u.f..0.C..O. ..._....m....V......Zb.=.!`...@..[.Q.c...#..}b...Q..c...q....X.....}u}........K..}A(...bQ@.w.y.[........P9G^....

GET /CSC3-2010.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2010-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "fb62b9f08064a10d3509e3cac5d5c994:1434186316"

Last-Modified: Sat, 13 Jun 2015 09:05:16 GMT

Date: Sat, 13 Jun 2015 11:13:33 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl

00006000..0..9.0..8....0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..150613090004Z..150627090004Z0..7u0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.

<<< skipped >>>

GET /images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ak.dl.autopcbackup.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Fri, 03 Apr 2015 16:22:28 GMT

ETag: "17993e3-3d38c8-512d45ab91900"

Accept-Ranges: bytes

Content-Length: 4012232

Cache-Control: max-age=309244151

Expires: Sat 02 Apr 1977 17:15:00 GMT

Pragma: no-cache

Content-Type: application/x-msdownload

Date: Sat, 13 Jun 2015 11:13:16 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L......R.................X...........).......p....@..........................P.......,>...@.................................<...d........n..........h.=.`....0..........................................@............p..x............................text....W.......X.................. ..`.rdata.......p...0...\..............@..@.data...h...........................@....rsrc....n.......p..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................U...X......... .@.3..E.SVW.}.3.h....S....@...dq@.P..hq@........`........V......SP.......Pp@....W..;.}.W......P...p@.3.h..........WP..............9=..@.......3.F...@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P.....u>.......6......P.....~(......:u....~....P......P......P........j.h.q@.j.......PVj....p@....u..5..@.G;=..@...O.................F...1w........u.j.h.q@.......Pj...lq@........u....M._..^3.[.........V..W3.h..........WP...q@...0.....8.....<.....@.....D....A............

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "97b93bbbb813910cb8bfc80753e88aff:1427247319"

Last-Modified: Wed, 25 Mar 2015 01:35:19 GMT

Date: Sat, 13 Jun 2015 11:13:33 GMT

Content-Length: 533

Connection: keep-alive

Content-Type: application/pkix-crl

0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150318000000Z..150630235959Z0...*.H.............R.`Ts.......... .p.....V,..E...n]...T....R.....5.....j.I*J.:q.......^..2...p..3...!)Oo6[...D.............|..$......R$.......<(........Ohl.....'...C......X.......r......c.........G.....K.j/.L....7O<G....X..4s....2.J.1.8`......?....-(#h.i.p.Z..HB;.-g#...#q..HTTP/1.1 200 OK..Server: Apache..ETag: "97b93bbbb813910cb8bfc80753e88aff:1427247319"..Last-Modified: Wed, 25 Mar 2015 01:35:19 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150318000000Z..150630235959Z0...*.H.............R.`Ts.......... .p.....V,..E...n]...T....R.....5.....j.I*J.:q.......^..2...p..3...!)Oo6[...D.............|..$......R$.......<(........Ohl.....'...C......X.......r......c.........G.....K.j/.L....7O<G....X..4s....2.J.1.8`......?....-(#h.i.p.Z..HB;.-g#...#q....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

AppIntegrator.exe_240:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

operator

operator

GetProcessWindowStation

GetProcessWindowStation

SHELL32.dll

SHELL32.dll

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

MaxPolicyElementKey

MaxPolicyElementKey

AppIntegrator.cpp

AppIntegrator.cpp

Application.cpp

Application.cpp

IAC::AppIntegrator::CApplication::SetupWindowsHook

IAC::AppIntegrator::CApplication::SetupWindowsHook

C Exception thrown in %s: %s

C Exception thrown in %s: %s

ATL Exception thrown in %s: 0xX

ATL Exception thrown in %s: 0xX

Unknown exception thrown in %s

Unknown exception thrown in %s

RegOpenKeyTransactedW

RegOpenKeyTransactedW

E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb

E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb

KERNEL32.dll

KERNEL32.dll

UnhookWindowsHookEx

UnhookWindowsHookEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

SetWindowsHookExW

SetWindowsHookExW

USER32.dll

USER32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

SHRegOpenUSKeyW

SHRegOpenUSKeyW

SHRegCloseUSKey

SHRegCloseUSKey

SHRegCreateUSKeyW

SHRegCreateUSKeyW

SHLWAPI.dll

SHLWAPI.dll

USERENV.dll

USERENV.dll

VERSION.dll

VERSION.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

AppIntegrator.exe

AppIntegrator.exe

zcÁ

zcÁ

.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@

.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@

.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@

.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@

.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@

.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@

.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@

.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

;(;7;

;(;7;

0#0'0 0/030:0

0#0'0 0/030:0

:&;.;6;>;~;

:&;.;6;>;~;

6 6$6(6,6064686

6 6$6(6,6064686

> >$>(>,>0>4>8>@>

> >$>(>,>0>4>8>@>

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

KERNEL32.DLL

KERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

ieframe.dll

ieframe.dll

Failed to enable heap terminate-on-corruption with LastError %u

Failed to enable heap terminate-on-corruption with LastError %u

Error: %S

Error: %S

Error: 0x%0x

Error: 0x%0x

%s:AppIntegratorShutdown

%s:AppIntegratorShutdown

Already running! %s

Already running! %s

The %s event cannot be created (%u)

The %s event cannot be created (%u)

\AppIntegratorStub.dll

\AppIntegratorStub.dll

Error calling GetProcAddress %u

Error calling GetProcAddress %u

Error calling CApplicationBase::SetWindowsHookEx %u

Error calling CApplicationBase::SetWindowsHookEx %u

TraceLogUnitTest.exe

TraceLogUnitTest.exe

TraceLog.cfg

TraceLog.cfg

).csv

).csv

\StringFileInfo\XX\OriginalFilename

\StringFileInfo\XX\OriginalFilename

@t8res.dll

@t8res.dll

Advapi32.dll

Advapi32.dll

C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe

C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe

C:\PROGRA~1\AUTOPC~1\bar\1.bin

C:\PROGRA~1\AUTOPC~1\bar\1.bin

@C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe

@C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe

1.0.7.247

1.0.7.247

2.5.15.15

2.5.15.15

mscorsvw.exe_1056:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

EX_CATCH line %d

EX_CATCH line %d

CACHE_S_FORMATETC_NOTSUPPORTED

CACHE_S_FORMATETC_NOTSUPPORTED

CTL_E_GETNOTSUPPORTEDATRUNTIME

CTL_E_GETNOTSUPPORTEDATRUNTIME

CTL_E_GETNOTSUPPORTED

CTL_E_GETNOTSUPPORTED

CTL_E_SETNOTSUPPORTEDATRUNTIME

CTL_E_SETNOTSUPPORTEDATRUNTIME

CTL_E_SETNOTSUPPORTED

CTL_E_SETNOTSUPPORTED

CO_E_SERVER_EXEC_FAILURE

CO_E_SERVER_EXEC_FAILURE

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

REGDB_E_KEYMISSING

REGDB_E_KEYMISSING

OLE_E_ADVISENOTSUPPORTED

OLE_E_ADVISENOTSUPPORTED

CO_E_INIT_SCM_EXEC_FAILURE

CO_E_INIT_SCM_EXEC_FAILURE

EX_THROW Type = 0x%x HR = 0x%x, line %d

EX_THROW Type = 0x%x HR = 0x%x, line %d

ThrowHR: HR = %x

ThrowHR: HR = %x

mscorsvw.pdb

mscorsvw.pdb

_amsg_exit

_amsg_exit

_acmdln

_acmdln

MSVCR100_CLR0400.dll

MSVCR100_CLR0400.dll

_crt_debugger_hook

_crt_debugger_hook

RegCloseKey

RegCloseKey

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

ADVAPI32.dll

ADVAPI32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

GetCPInfo

GetCPInfo

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

USER32.dll

USER32.dll

mscoree.dll

mscoree.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

.PAVException@@

.PAVException@@

v1.0.3705

v1.0.3705

.PAVOutOfMemoryException@@

.PAVOutOfMemoryException@@

.PAVHRException@@

.PAVHRException@@

7 7$7(7,7074787

7 7$7(7,7074787

6$6,686\6|6

6$6,686\6|6

advapi32.dll

advapi32.dll

Wtsapi32.dll

Wtsapi32.dll

kernel32.dll

kernel32.dll

mscorsvc.dll

mscorsvc.dll

Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been uninstalled

Microsoft .NET Runtime Optimization Service has been uninstalled

Failed to uninstall Microsoft .NET Runtime Optimization Service

Failed to uninstall Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been installed

Microsoft .NET Runtime Optimization Service has been installed

Failed to install Microsoft .NET Runtime Optimization Service

Failed to install Microsoft .NET Runtime Optimization Service

Failed to retrieve Microsoft .NET Runtime Optimization Service interface

Failed to retrieve Microsoft .NET Runtime Optimization Service interface

Set service status to %d

Set service status to %d

Service control handler op %u, event type %u

Service control handler op %u, event type %u

\ndpsetup.bat

\ndpsetup.bat

Created repair process in session %d, process ID %d

Created repair process in session %d, process ID %d

Unable to create repair process, error %d

Unable to create repair process, error %d

Microsoft.NET\NETFXRepair.exe

Microsoft.NET\NETFXRepair.exe

Error changing token session ID, error %d

Error changing token session ID, error %d

Error duplicating current process token, error %d

Error duplicating current process token, error %d

Error getting current process token, error %d

Error getting current process token, error %d

Session %u has become active.

Session %u has become active.

Aborting repair due to unexpected wait status %u

Aborting repair due to unexpected wait status %u

Found active session %u

Found active session %u

Aborting repair due to error %u from WTSEnumerateSessions

Aborting repair due to error %u from WTSEnumerateSessions

StartServiceCtrlDispatcher failed with error %d. Will try slow path

StartServiceCtrlDispatcher failed with error %d. Will try slow path

\fusion.localgac

\fusion.localgac

\v2.0.50727

\v2.0.50727

SOFTWARE\Microsoft\.NetFramework

SOFTWARE\Microsoft\.NetFramework

v4.0.0

v4.0.0

SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default

SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default

SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default

SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default

ngenrootstorelock.dat

ngenrootstorelock.dat

ngenservicelock.dat

ngenservicelock.dat

FastStartupCheck(isPrivateRuntime=%d)

FastStartupCheck(isPrivateRuntime=%d)

yKERNEL32.DLL

yKERNEL32.DLL

Software\Microsoft\.NETFramework

Software\Microsoft\.NETFramework

RestrictedGCStressExe

RestrictedGCStressExe

EnableInternetHREFexes

EnableInternetHREFexes

NGENServiceWaitPassiveWork

NGENServiceWaitPassiveWork

NGENServicePassiveWorkWaitTimeout

NGENServicePassiveWorkWaitTimeout

NGENServicePassiveHardDiskIdleTimeout

NGENServicePassiveHardDiskIdleTimeout

NGENServicePassiveExceptInputTimeout

NGENServicePassiveExceptInputTimeout

MD_ForceNoColDesSharing

MD_ForceNoColDesSharing

UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException

UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException

DbgTransportProxyAddress

DbgTransportProxyAddress

DbgRedirectCreateCmd

DbgRedirectCreateCmd

DbgRedirectCommonCmd

DbgRedirectCommonCmd

DbgRedirectAttachCmd

DbgRedirectAttachCmd

mscorrc.dll

mscorrc.dll

v4.0.30319

v4.0.30319

.NET Runtime Optimization Service

.NET Runtime Optimization Service

4.0.30319.1 (RTMRel.030319-0100)

4.0.30319.1 (RTMRel.030319-0100)

mscorsvw.exe

mscorsvw.exe

.NET Framework

.NET Framework

4.0.30319.1

4.0.30319.1