Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 074edc4761cdd65c1a1acfe5b741c6f9
SHA1: a6bcbedaef717e2d3690b6613148d3f6d99a6506
SHA256: 95c8ac10344cd90e9d0912fe0d5713c9e66e681028f1cc54cda3b744e120face
SSDeep: 98304:hNn57GPdaNfEHOC6ocg/RcG6orUled5z7UKZKyAPNN/mGvjymJ1AkxIKkKvVtTiX:hNZGPdMEHKocg/R5X2ed5z7HDWjyTkK1
Size: 5822800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: AutoPCBackup
Created at: 2015-05-08 17:12:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cxHighIn.exe:348
cxbarsvc.exe:1592
cxbarsvc.exe:1748
cxbarsvc.exe:1808
%original file name%.exe:1068
TPIManagerConsole.exe:1452
ngen.exe:1276
{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028
0000042cT8SETUP.EXE:224
irsetup.exe:1900
The Trojan injects its code into the following process(es):
AppIntegrator.exe:240
mscorsvw.exe:1056
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (196915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (39950 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (0 bytes)
The process TPIManagerConsole.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (694617 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
The Trojan deletes the following file(s):
%Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (0 bytes)
The process ngen.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1398 bytes)
The process {0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process mscorsvw.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
The process 0000042cT8SETUP.EXE:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\AutoPCBackup_cx\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll (82 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmedint.exe (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregfft.dll (85 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll (121 bytes)
%System%\config (200 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll (98 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%System%\config\SOFTWARE.LOG (39433 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Program Files%\AutoPCBackup_cx\bar\Settings\s_pid.dat (8 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe (13 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CREXT.DLL (6424 bytes)
%System%\config\system (3777 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll (145 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe (90 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe (7386 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%Program Files%\AutoPCBackup_cx\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregiet.dll (87 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\chrome\cxffxtbr.jar (1829 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll (179 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskplay.exe (55 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll (5442 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6744 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll (104 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll (151 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll (146 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll (121 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%System%\config\software (34365 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8RES.DLL (198 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll (212 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll (147 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxidle.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
The process irsetup.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (1209 bytes)
%Documents and Settings%\%current user%\Desktop\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe (4277 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe.config (195 bytes)
%Program Files%\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll (6275 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.dat (14600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\lua5.1.dll (2902 bytes)
%Program Files%\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml (1224 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.BMP (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (429 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll (4440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\DesktopSdk.dll (6514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\UnifiedLogging.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (8671 bytes)
%Program Files%\Mindspark\AutoPCBackup\RebootRequired.exe (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (19233 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AutoPCBackup\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoPCBackup Setup Log.txt (6542 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (0 bytes)
Registry activity
The process cxHighIn.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 53 D0 24 A6 9A 7E CA D6 69 B4 D8 7A A4 62 C4"
The process cxbarsvc.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE AD 7D 2E E9 FB BE 55 26 C3 F8 06 A5 A3 23 ED"
The process cxbarsvc.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 60 2B 4D B1 4A 8D EA DE 8D B6 21 2B 16 E2 95"
The process cxbarsvc.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 D9 5D 33 AA 34 7A 10 E9 5B 9C F6 61 32 76 E7"
The process %original file name%.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 12 1B 5C CF B4 9A 92 24 AF E1 FF 4E FC 64 22"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ffTabs" = "0"
"nodns" = "0"
[HKCU\Software\AutoPCBackup_cx\Events\EventData]
"00000000_5" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 55 10 7C 55 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"OToIData" = "001"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"OToIData"
The process TPIManagerConsole.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies]
"dependencymanagerpath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"is64bit" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"FriendlyName" = "AutoPCBackup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A A5 88 AF 59 2D 28 10 8E A7 EE BB 9C 5E B1 78"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"uninstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\AutoPCBackup_cx\Dependencies\AutoPCBackup]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\AutoPCBackup\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\AutoPCBackup\Uninstall\uninstall.xml"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ngen.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 6B 5F 37 9E 27 B0 4D 12 2A A5 30 61 0F 05 A1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/Mindspark/AutoPCBackup/AutoPCBackup.exe\0]
"Scenario" = "0"
The process {0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 CD 9C AE BA 79 77 B7 2D B3 68 9A 91 F0 12 08"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process AppIntegrator.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 FD A2 5B 29 A2 FF F5 6F FE 19 71 C2 CF 4E 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The process mscorsvw.exe:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 F3 8B 0C 69 57 7E 3B E6 F6 9F DE 36 3F 5E 91"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
The process 0000042cT8SETUP.EXE:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"
[HKCR\AutoPCBackup_cx.ScriptButton.1\CLSID]
"(Default)" = "{c9aee132-2b0e-4bb8-9e8a-428d865a1809}"
[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"
[HKCR\AutoPCBackup_cx.ToolbarProtector\CurVer]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector.1"
[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}]
"(Default)" = "ITemplateBarMenu"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}]
"(Default)" = ""
[HKCR\AutoPCBackup_cx.SettingsPlugin]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin\MimeTypes\application/x-autopcbackup_cxplugin]
"Suffixes" = "cx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"
[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"HiddenToolbarReminder.dll" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"tiec" = "208976"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"UninstallString" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe cxbar.dll,O uninstalltype=IE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\TypeLib]
"(Default)" = "{EFD7FCF3-CD02-44C4-A571-6097755E3326}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"ID" = "02064214-778C-43DD-A77C-1325778F5D31"
"DeletedCustomizations" = "1"
[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\ProgID]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin.1"
[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}]
"(Default)" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"ToolbarGuard.dll" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"dir" = "%Program Files%\AutoPCBackup_cx\bar\"
[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}]
"(Default)" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"lidate" = "2015-06-13T11:13:22Z"
[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{bf93b40f-222c-4072-bacc-86e3a8c785d9}"
[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtPcx.exe" = "0"
[HKCR\AutoPCBackup_cx.ToolbarProtector]
"(Default)" = "ProtectorControl Class"
[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin"
[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}]
"(Default)" = "Disable Addon Rebuttal Control"
[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\MiscStatus]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\ProgID]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin.1"
[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\TypeLib]
"Version" = "1.0"
[HKCR\AutoPCBackup_cx.HTMLPanel.1\CLSID]
"(Default)" = "{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=781B6542&p2=^BVA&ptb=02064214-778C-43DD-A77C-1325778F5D31"
[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.FeedManager\CurVer]
"(Default)" = "AutoPCBackup_cx.FeedManager.1"
[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\TypeLib]
"(Default)" = "{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}"
[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\626"
[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}]
"(Default)" = "IThirdPartyInstaller"
[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"
[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}]
"(Default)" = "IDataCtrl"
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"vendor" = "AutoPCBackup_cx"
[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}]
"(Default)" = "POPUPMENU_INTERFACE"
[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\TypeLib]
"(Default)" = "{CE214850-70BB-4FA4-997D-2170966D4CC3}"
[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}]
"(Default)" = "SKINSETTINGS_INTERFACE"
[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"
[HKCR\AutoPCBackup_cx.MultipleButton.1]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"cxSrcAs.dll" = "0"
[HKCR\AutoPCBackup_cx.SettingsPlugin.1]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"AppName" = "AppIntegrator.exe"
[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll"
[HKCR\AutoPCBackup_cx.FeedManager.1]
"(Default)" = ""
[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.HTMLPanel\CurVer]
"(Default)" = "AutoPCBackup_cx.HTMLPanel.1"
[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\TypeLib]
"(Default)" = "{5A194A36-36C0-477A-802E-8E975BDBB610}"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}]
"(Default)" = "AutoPCBackup_cx HTML"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"SettingsDir" = "%Program Files%\AutoPCBackup_cx\bar\Settings\"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}]
"(Default)" = "SEARCHSCOPE_INTERFACE"
[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"
[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin\MimeTypes\application/x-autopcbackup_cxplugin]
"Description" = "AutoPCBackup Plugin"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\AutoPCBackup_cx\bar\1.bin\cxBar.dll,O mindsparktoolbarkey=AutoPCBackup_cx uninstalltype=IE"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"AppName" = "cxSlSrch.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"AppName" = "cxmedint.exe"
[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}]
"(Default)" = "AutoPCBackup_cx HTML Menu"
[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]
"(Default)" = "Search Assistant BHO"
[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\ProgID]
"(Default)" = "AutoPCBackup_cx.HTMLMenu.1"
[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll"
[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}]
"(Default)" = "IDisableAddonRebuttal"
[HKCR\AutoPCBackup_cx.MultipleButton\CurVer]
"(Default)" = "AutoPCBackup_cx.MultipleButton.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"
[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\TypeLib]
"(Default)" = "{5a194a36-36c0-477a-802e-8e975bdbb610}"
[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}]
"(Default)" = "IHttpControl"
[HKCR\AutoPCBackup_cx.HTMLMenu\CurVer]
"(Default)" = "AutoPCBackup_cx.HTMLMenu.1"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PartnerPixelNotSet" = ""
[HKCR\AutoPCBackup_cx.ThirdPartyInstaller.1]
"(Default)" = "AutoPCBackup Third Party Installer"
[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll"
[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.ScriptButton.1]
"(Default)" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"UninstallFFString" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe cxbar.dll,O uninstalltype=FF"
[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"
[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0]
"(Default)" = "TYPELIB_NAME"
[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"
[HKCR\AutoPCBackup_cx.MultipleButton.1\CLSID]
"(Default)" = "{caf8c658-43b4-4633-af39-71e19188aa79}"
[HKLM\SOFTWARE\AutoPCBackup_cx\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"
[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"
[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1406"
[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"
[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"un" = "AutoPCBackup"
[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c401ed53-7842-45d3-aac0-cad287067bfd}]
"(Default)" = ""
[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1506"
[HKCR\AutoPCBackup_cx.ToolbarProtector.1\CLSID]
"(Default)" = "{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}"
[HKCR\AutoPCBackup_cx.HTMLMenu.1\CLSID]
"(Default)" = "{1448EE35-A6C6-4AF6-8AB8-D015938567CF}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Build" = "102.20593"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\TypeLib]
"(Default)" = "{48157e3e-f8e1-481a-a0e4-2c2f93094be0}"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll"
[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\AutoPCBackup_cx\bar\1.bin\cxBar.dll,O mindsparktoolbarkey=AutoPCBackup_cx uninstalltype=FF"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"(Default)" = "Skin Settings"
[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"
[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}\InprocServer32]
"(Default)" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll"
[HKCR\AutoPCBackup_cx.ScriptButton\CurVer]
"(Default)" = "AutoPCBackup_cx.ScriptButton.1"
[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\ProgID]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Description" = "AutoPCBackup Plugin"
[HKCR\AutoPCBackup_cx.SettingsPlugin.1\CLSID]
"(Default)" = "{8198f7e2-d249-4fea-8309-d93b4b06cbaf}"
[HKCR\AutoPCBackup_cx.ThirdPartyInstaller\CLSID]
"(Default)" = "{c401ed53-7842-45d3-aac0-cad287067bfd}"
[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PluginPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\"
[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\ProgID]
"(Default)" = "AutoPCBackup_cx.ScriptButton.1"
[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}]
"(Default)" = "AutoPCBackup"
[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{c401ed53-7842-45d3-aac0-cad287067bfd}"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\TypeLib]
"(Default)" = "{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}"
[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\TypeLib]
"(Default)" = "{936A6725-C9B9-47B8-A0E7-C9F34535B820}"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}]
"(Default)" = "IIEInstalledToolbar"
[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\TypeLib]
"(Default)" = "{CE214850-70BB-4FA4-997D-2170966D4CC3}"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ToolbarProtector"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"hpp" = "0"
[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\TypeLib]
"(Default)" = "{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"AppName" = "CrExtPcx.exe"
[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.FeedManager]
"(Default)" = ""
[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"
[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"
[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.MultipleButton"
[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"cxSrcAs.dll" = ""
[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{3BD2225F-2F0F-42C9-BF65-7EB07A5EBDCB}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}]
"(Default)" = "Pseudo Transparent Plugin"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2be6c90-b519-41ce-8e6c-c7b167cb6106}]
"Policy" = "3"
[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\625"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"nd" = "0"
[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"RegisteredWithFirefox" = "1"
[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin\CLSID]
"(Default)" = "{bf93b40f-222c-4072-bacc-86e3a8c785d9}"
[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}" = ""
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll"
[HKCR\CLSID\{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll"
[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}]
"(Default)" = "IProtectorControl"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\TypeLib]
"(Default)" = "{e99bb286-e393-429e-a620-e146ed98cb77}"
[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}]
"(Default)" = "_IDataCtrlEvents"
[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ad018020-0295-45e3-846a-198beaca6665}]
"Policy" = "3"
[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.HTMLPanel"
[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}]
"(Default)" = "IHttpControlEvents"
[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1104"
[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\TypeLib]
"(Default)" = "{5A194A36-36C0-477A-802E-8E975BDBB610}"
[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1604"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll"
[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}]
"(Default)" = "HTMLPANEL_INTERFACE"
[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\AUTOPC~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\ProgID]
"(Default)" = "AutoPCBackup_cx.HTMLPanel.1"
[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"au" = "1"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Version" = "1.1.1.1"
[HKCR\AutoPCBackup_cx.FeedManager\CLSID]
"(Default)" = "{141c1180-299a-4c21-92aa-10b514dd9274}"
[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"AppPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{936A6725-C9B9-47B8-A0E7-C9F34535B820}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\100"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\TypeLib]
"(Default)" = "{1dfc15ca-3f18-4208-9538-5d624c0ae165}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"cxDlgHk.dll" = ""
[HKCR\AutoPCBackup_cx.ThirdPartyInstaller]
"(Default)" = "AutoPCBackup Third Party Installer"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4ebfc05e-8ded-4571-8ebe-20edb6f7c72b}" = ""
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\TypeLib]
"Version" = "1.0"
[HKCR\AutoPCBackup_cx.ThirdPartyInstaller\CurVer]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller.1"
[HKCR\Interface\{DB36BCF9-3801-4E90-AADF-3B298395DE03}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}]
"(Default)" = "DataCtrl Class"
[HKCR\CLSID\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Maximized" = "1"
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"
[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C9C9D133-69C2-42BC-AC1F-0E896B7F821E}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}]
"(Default)" = "ITemplateBarSettings"
[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}]
"(Default)" = "AutoPCBackup Third Party Installer"
[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}]
"(Default)" = "ITemplateBarControl"
[HKCR\Interface\{964C4821-45CA-4671-ADE3-242164BE2EC7}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKCR\AutoPCBackup_cx.HTMLMenu.1]
"(Default)" = "AutoPCBackup_cx HTML Menu"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\905"
[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"od" = "1"
[HKCR\AutoPCBackup_cx.ScriptButton]
"(Default)" = ""
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ok" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0685523-6ebe-4fb5-ba5e-985de7cbfb88}]
"Policy" = "3"
[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.ScriptButton"
[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\TypeLib]
"(Default)" = "{936a6725-c9b9-47b8-a0e7-c9f34535b820}"
[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{377A9E39-6697-4CEF-A090-1BA64B1B3E56}]
"(Default)" = "ISessionData"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Integrators]
"AssistMonitor.dll" = ""
[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}]
"(Default)" = "ITemplateHTMLMenu"
[HKCR\Interface\{756E5DAE-EBE3-4525-A3BF-5ED206B82E58}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll"
[HKCR\Interface\{748B2055-654D-4702-8915-39012842F890}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{eed29d6b-4907-4de2-acb6-19b894a337f6}\TypeLib]
"(Default)" = "{3bd2225f-2f0f-42c9-bf65-7eb07a5ebdcb}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"Policy" = "3"
[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}\ProgID]
"(Default)" = "AutoPCBackup_cx.MultipleButton.1"
[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}]
"(Default)" = "IIEInstalledToolbars"
[HKCR\Interface\{25CFB349-A7A1-4C82-8CD2-0D03FFD0AF85}]
"(Default)" = "SKINWINDOW_INTERFACE"
[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"sr" = "0"
[HKCR\CLSID\{522dd483-0d73-427e-9dbe-6e465df7a767}]
"(Default)" = "Popup Menu Plugin"
[HKCR\CLSID\{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}]
"(Default)" = "ProtectorControl Class"
[HKCR\AutoPCBackup_cx.SettingsPlugin\CLSID]
"(Default)" = "{8198f7e2-d249-4fea-8309-d93b4b06cbaf}"
[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}]
"(Default)" = "ITemplateBarButtonRect"
[HKCR\AutoPCBackup_cx.MultipleButton\CLSID]
"(Default)" = "{caf8c658-43b4-4633-af39-71e19188aa79}"
[HKCR\AutoPCBackup_cx.ToolbarProtector\CLSID]
"(Default)" = "{28c33a0c-dbcc-49b0-af2f-9351e72c90a1}"
[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{E99BB286-E393-429E-A620-E146ED98CB77}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}\TypeLib]
"(Default)" = "{efd7fcf3-cd02-44c4-a571-6097755e3326}"
[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\AutoPCBackup_cx.PseudoTransparentPlugin\CurVer]
"(Default)" = "AutoPCBackup_cx.PseudoTransparentPlugin.1"
[HKCR\AutoPCBackup_cx.HTMLMenu]
"(Default)" = "AutoPCBackup_cx HTML Menu"
[HKCR\Interface\{75996809-0010-4623-98F7-4969B66EE2E1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}\TypeLib]
"(Default)" = "{936A6725-C9B9-47B8-A0E7-C9F34535B820}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}]
"(Default)" = ""
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\ProgID]
"(Default)" = "AutoPCBackup_cx.FeedManager.1"
[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\TypeLib]
"(Default)" = "{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}"
[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{EC1400AF-24A4-4DF4-BEE8-B4ACE84EE08F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\ProgID]
"(Default)" = "AutoPCBackup_cx.ThirdPartyInstaller.1"
[HKCU\Software\Classes\CLSID\{134c1b05-a0d1-4cb0-b2fe-3ffb5ba40a76}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\TypeLib]
"(Default)" = "{EFD7FCF3-CD02-44C4-A571-6097755E3326}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll"
[HKLM\SOFTWARE\AutoPCBackup_cx\SkinTools]
"PlayerPath" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSkPlay.exe"
[HKCR\Interface\{555397C5-79E8-44FD-84EB-A5CF41E44757}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{4C1C4DB3-D929-4143-9734-80ABA0A7AC56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c9aee132-2b0e-4bb8-9e8a-428d865a1809}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll"
[HKLM\SOFTWARE\MozillaPlugins\@AutoPCBackup_cx.com/Plugin]
"Path" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\NPcxStub.dll"
[HKCR\CLSID\{bf93b40f-222c-4072-bacc-86e3a8c785d9}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{AD018020-0295-45E3-846A-198BEACA6665}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\TypeLib]
"(Default)" = "{e554852a-1a28-4c1b-bd52-1bce7711c9ad}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"
[HKCR\CLSID\{8198f7e2-d249-4fea-8309-d93b4b06cbaf}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 51 A1 3A 1E 03 CF 92 CA 47 49 B6 C2 22 91 DC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{c401ed53-7842-45d3-aac0-cad287067bfd}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{DE35CA84-BAFD-44BC-9014-789F00959B9C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}]
"(Default)" = ""
[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{bf93b40f-222c-4072-bacc-86e3a8c785d9}]
"(Default)" = ""
[HKCR\Interface\{D9794603-38E7-4A16-AA19-E54C5153E254}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BC1159D3-E09B-4F9E-8264-A93C4F0DA153}]
"(Default)" = "_ITemplateBarSettingsEvents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{EFD7FCF3-CD02-44C4-A571-6097755E3326}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"ua" = "0"
[HKCR\CLSID\{caf8c658-43b4-4633-af39-71e19188aa79}]
"(Default)" = ""
[HKCR\Interface\{F8174B44-8C68-4A1B-B237-1B48433754E8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0ecf9f87-1d3d-4634-848d-753c4fc1a26b}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}]
"(Default)" = ""
[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\AutoPCBackup_cx.HTMLMenu\CLSID]
"(Default)" = "{1448EE35-A6C6-4AF6-8AB8-D015938567CF}"
[HKCR\Interface\{FEE6568F-86D0-42ED-8B79-13BE16F0AA1C}]
"(Default)" = "BARFEED_INTERFACE"
[HKCR\AutoPCBackup_cx.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"
[HKCR\AutoPCBackup_cx.MultipleButton]
"(Default)" = ""
[HKCR\TypeLib\{CE214850-70BB-4FA4-997D-2170966D4CC3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\AutoPCBackup_cx.FeedManager.1\CLSID]
"(Default)" = "{141c1180-299a-4c21-92aa-10b514dd9274}"
[HKCR\AutoPCBackup_cx.HTMLPanel.1]
"(Default)" = "AutoPCBackup_cx HTML Panel"
[HKCR\Interface\{308BA220-662F-4080-879F-9793174195BF}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ebb7930d-2ed0-4118-917a-20b5c0e46b96}]
"AppName" = "cxSkPlay.exe"
[HKCR\Interface\{561CEDB0-828D-4309-A58F-AD2EF19D7F79}\TypeLib]
"(Default)" = "{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}"
[HKCR\AutoPCBackup_cx.HTMLPanel\CLSID]
"(Default)" = "{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}"
[HKCR\CLSID\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}\InprocServer32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll"
[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}]
"(Default)" = "Toolbar BHO"
[HKCR\TypeLib\{E554852A-1A28-4C1B-BD52-1BCE7711C9AD}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{5A29C667-030D-48C6-AC6E-320EBC3834C0}]
"(Default)" = "ITemplatePopupMenu"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"Visible" = "1"
[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\405"
[HKCR\AutoPCBackup_cx.HTMLPanel]
"(Default)" = "AutoPCBackup_cx HTML Panel"
[HKCR\Interface\{3C480B6F-F5E6-4C1F-8F13-CC1B498C8446}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"PID" = "^BVA"
[HKCR\Interface\{60E2CE54-D107-481E-A268-A989F8DDEB53}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{fb18ed71-29cb-4f4d-9c49-ff758f9f87f5}]
"(Default)" = "HttpControl Class"
[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0]
"(Default)" = "Skin 1.0 Type Library"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar\Switches]
"nk" = "0"
[HKCR\CLSID\{1448EE35-A6C6-4AF6-8AB8-D015938567CF}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.HTMLMenu"
[HKCR\AutoPCBackup_cx.ScriptButton\CLSID]
"(Default)" = "{c9aee132-2b0e-4bb8-9e8a-428d865a1809}"
[HKCR\TypeLib\{5A194A36-36C0-477A-802E-8E975BDBB610}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"
[HKCR\Interface\{6BB273CA-8933-4156-8DFE-96B7384195AA}\TypeLib]
"(Default)" = "{E99BB286-E393-429E-A620-E146ED98CB77}"
[HKCR\Interface\{9577D43C-EEA2-4E56-91A3-CEA321F319D6}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bc1159d3-e09b-4f9e-8264-a93c4f0da153}]
"Policy" = "3"
[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\0\win32]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin\t8res.dll\1807"
[HKCR\Interface\{2088ECFA-9D33-4B80-8977-C3193E9A7622}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AutoPCBackup_cx.SettingsPlugin\CurVer]
"(Default)" = "AutoPCBackup_cx.SettingsPlugin.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoPCBackup_cxbar Uninstall Internet Explorer]
"DisplayName" = "AutoPCBackup Toolbar & Supporting Application"
[HKCR\Interface\{7D6BD74E-2F70-4B70-AF14-98E4505F5176}]
"(Default)" = "_IThirdPartyInstallerEvents"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{D800C92E-5C6F-4725-AD02-42DDF057F4BE}\TypeLib]
"(Default)" = "{1DFC15CA-3F18-4208-9538-5D624C0AE165}"
[HKCR\CLSID\{141c1180-299a-4c21-92aa-10b514dd9274}\VersionIndependentProgID]
"(Default)" = "AutoPCBackup_cx.FeedManager"
[HKCR\TypeLib\{48157E3E-F8E1-481A-A0E4-2C2F93094BE0}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKCR\CLSID\{848d8086-b611-4ecb-a501-639851083359}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{99ABF40F-4137-4516-AF88-9B9ED5FD9DC1}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{1DFC15CA-3F18-4208-9538-5D624C0AE165}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AutoPCBackup_cx\bar\1.bin"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"CurInstall" = "1"
"pl" = "9"
[HKCR\CLSID\{9f9dc89c-1a1f-43ea-b2a5-1ccacf4a6a3c}\TypeLib]
"(Default)" = "{c9c9d133-69c2-42bc-ac1f-0e896b7f821e}"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup AppIntegrator 32-bit" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe"
"AutoPCBackup" = "rundll32 C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll,S"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{848d8086-b611-4ecb-a501-639851083359}]
"(Default)" = ""
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d14af66-35cb-437c-bb3e-37ab0fbcf085}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
[HKLM\SOFTWARE\AutoPCBackup_cx\bar]
"pid2"
"ConfigDateStamp"
"un"
The process irsetup.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"DisplayName" = "AutoPCBackup Supporting Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"Publisher" = "Mindspark Interactive Network"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"URLInfoAbout" = "http://www.mindspark.com"
"UninstallString" = "%Program Files%\Mindspark\AutoPCBackup\uninstall.exe /U:%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"HelpLink" = "http://www.mindspark.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"DisplayIcon" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"Contact" = "Mindspark Interactive Network Support Department"
"DisplayVersion" = "1.0.370b25ea5bd72be9ccd77691bfb0880521c9a771.192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 B3 9C 91 FB E9 10 69 D6 CE 63 FF 78 69 17 2F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark AutoPCBackup]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\Mindspark\AutoPCBackup"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe /AutoRestart"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f0c2c3d183a087b51dbe88dd773126b6 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE |
3d6b337517336594470f070bbc7188dd | c:\Program Files\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL |
36194eb9cf8c55d41ce917beb9d0cd61 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL |
ef0439594263d5e3ee0a0b87717d8f30 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL |
cf182742aa4f29b44dfd95779c3a79d0 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe |
0da866b437db8560d9bb83f1c14b2e79 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll |
ed0259fd945476d3e1f5175a22a5281a | c:\Program Files\AutoPCBackup_cx\bar\1.bin\CREXT.DLL |
b3e27442407095a8fcee6e827b87baf6 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe |
b7887260ed97aa7474c22e0409ec20ba | c:\Program Files\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL |
bf22cfcd99cacfd5cc557196593a429b | c:\Program Files\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll |
9e6225a6deab5b28d8971ea09a57881d | c:\Program Files\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL |
258974b87536c176f852bed3df551146 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL |
fdb44ebf6a36cb1cd99401e209f53b6a | c:\Program Files\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll |
99e6d5152ec5ebee8575ae94cd4801eb | c:\Program Files\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL |
a4a441ebd83fd66d03f10895419fadb7 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL |
c69ec2b5d9e89d5c8e05be1d482e7f82 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL |
6bc6e9db38a9cfea465b64177606e66d | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL |
32f857d34001b795a898f7c50651af6b | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL |
e4dd6a5325848bc353c0d441ac29b283 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8RES.DLL |
9294b3d8e5052ecf3c23d31eecab8f07 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL |
b273c99560d26fb5a08e3cebf47e5bb1 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL |
5d16b944c42a8468f9cf59b96947c917 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL |
7040b23a128b49a97ca8f8d93c451677 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE |
eb4aa26e1a5c3cd6256a48b3c88c0059 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL |
84960b155e9ff6c931cd21798ce217b2 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL |
267202f1663f579b55e3fcb177fd2a77 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL |
994ef00fad9a8e289c9ce0a7c085bfc2 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE |
58cb372449dab3a2c798e4c2454bee91 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE |
cbfdb354f658af062be791b6914eb25a | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL |
2205c3df09c286a6059415c16023c6e7 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL |
e999b0d00082accdf9514b9b18cf27f2 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE |
9389f5b1c2c2684adb948a1fb161f0cb | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL |
c1285334ce13d734083fc8f5bd0f9a66 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL |
143678734dbbf30ff73b2a1e182970d6 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll |
feaa90789a41e01caefcb5b02cefede9 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll |
99cc9f1e159d11f08cae0e3ae8726011 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbar.dll |
09c2c30e15dcb3c1d197208e51e8a8f4 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe |
c0d2405e4d44656a1729b0a8b29123db | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll |
629ea085462a9832c8e1d4804c9131a1 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdatact.dll |
5b723723a3b15807efb90dbfbf9989ec | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll |
c120998d06bf3198dc39a6f6b48a636d | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll |
cf959830a291941bb68b228492442da5 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll |
cfcf18eda229d24d880b4eefb2eeaa09 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhighin.exe |
0358525c385bd4246bcbd5cb52c25d84 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll |
ba0b181aa48ed4d50ea2fc9e957630d8 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll |
f5e0a300d3c344cbf20538ea61915dca | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxidle.dll |
70dc4406538aa6508f51a9b91150082c | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxmedint.exe |
787f17d71fb75e9539244194bf352fe5 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll |
0d05671b86d96031a8a46cde84a0ea16 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxregfft.dll |
541a039e3b5f3859117efe498b062ccc | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxregiet.dll |
09325e2140cd35d9f2e303f2943ec075 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxscript.dll |
b9892a2d0e2550615db1f7ff60bc7008 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxskin.dll |
18804f338e38b8720ba1538e31c97cc0 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxskplay.exe |
cf0646bb879911192c833e314e0afc57 | c:\Program Files\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll |
daf13c8e9544549a83cc2f5ae58516b1 | c:\Program Files\Mindspark\AutoPCBackup\AutoPCBackup.exe |
b5200c231609c2d619e5b6c77b9b790f | c:\Program Files\Mindspark\AutoPCBackup\DesktopSdk.dll |
4370c5093c1f9dead07c96c10c9dd8e1 | c:\Program Files\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll |
4b81657378341213e57cf8f2ceea7865 | c:\Program Files\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll |
da0c4a024f87e44eb868b785968f7be1 | c:\Program Files\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll |
d076db892606f419d5a0e9674875961b | c:\Program Files\Mindspark\AutoPCBackup\RebootRequired.exe |
e14a3a5e0c83811e7f7cea720f089c17 | c:\Program Files\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll |
9026e5d3a8c36fc5f711afc78cb8f7a7 | c:\Program Files\Mindspark\AutoPCBackup\UnifiedLogging.dll |
8c0b6838878f3dd76135f999ddb1c900 | c:\Program Files\Mindspark\AutoPCBackup\lua5.1.dll |
eb87773cf10284a6db7dfb1638705769 | c:\Program Files\Mindspark\AutoPCBackup\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cxHighIn.exe:348
cxbarsvc.exe:1592
cxbarsvc.exe:1748
cxbarsvc.exe:1808
%original file name%.exe:1068
TPIManagerConsole.exe:1452
ngen.exe:1276
{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe:1028
0000042cT8SETUP.EXE:224
irsetup.exe:1900 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EXE (196915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000042cT8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\{0633B004-9A4B-4CBB-B721-393082E9C44A}.exe (694617 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\AutoPCBackup_cx\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxPlugin.dll (82 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmedint.exe (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdatact.dll (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregfft.dll (85 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk.dll (121 bytes)
%System%\config (200 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxmlbtn.dll (98 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%System%\config\SOFTWARE.LOG (39433 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Program Files%\AutoPCBackup_cx\bar\Settings\s_pid.dat (8 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhighin.exe (13 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CREXT.DLL (6424 bytes)
%System%\config\system (3777 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxfeedmg.dll (145 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbarsvc.exe (90 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CrExtPcx.exe (7386 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%Program Files%\AutoPCBackup_cx\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxregiet.dll (87 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\chrome\cxffxtbr.jar (1829 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxtpinst.dll (179 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskplay.exe (55 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbar.dll (5442 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxscript.dll (104 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhttpct.dll (151 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxhtmlmu.dll (214 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxSrcAs.dll (146 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxbprtct.dll (121 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%System%\config\software (34365 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8RES.DLL (198 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxskin.dll (212 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxdlghk64.dll (147 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\cxidle.dll (61 bytes)
%Program Files%\AutoPCBackup_cx\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.BMP (1209 bytes)
%Documents and Settings%\%current user%\Desktop\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\AfterInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe (4277 bytes)
%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe.config (195 bytes)
%Program Files%\Mindspark\AutoPCBackup\Microsoft.Expression.Interactions.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FileView.WPF.dll (6275 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.dat (14600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_3.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\lua5.1.dll (2902 bytes)
%Program Files%\Mindspark\AutoPCBackup\System.Windows.Interactivity.dll (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Steps_complete.jpg (3 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uninstall.xml (1224 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.BMP (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Styles.css (429 bytes)
%Program Files%\Mindspark\AutoPCBackup\LogicNP.FolderView.WPF.dll (4440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\IRIMG1.PNG (4 bytes)
%Program Files%\Mindspark\AutoPCBackup\DesktopSdk.dll (6514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\BeforeInstalling.html (1 bytes)
%Program Files%\Mindspark\AutoPCBackup\UnifiedLogging.dll (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (8671 bytes)
%Program Files%\Mindspark\AutoPCBackup\RebootRequired.exe (1137 bytes)
%Program Files%\Mindspark\AutoPCBackup\Uninstall\uni1.tmp (19233 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AutoPCBackup\AutoPCBackup.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoPCBackup Setup Log.txt (6542 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup AppIntegrator 32-bit" = "C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup" = "rundll32 C:\PROGRA~1\AUTOPC~1\bar\1.bin\cxbar.dll,S"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoPCBackup" = "%Program Files%\Mindspark\AutoPCBackup\AutoPCBackup.exe /AutoRestart" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: AutoPCBackup
Product Name: AutoPCBackup
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: cxSetup.exe
Internal Name: cxSetup
File Version: 2, 0, 5, 6
File Description: AutoPCBackup
Comments:
Language: Language Neutral
Company Name: AutoPCBackupProduct Name: AutoPCBackupProduct Version: 2, 0, 5, 6Legal Copyright: Copyright (c) 2009 - 2014Legal Trademarks: Original Filename: cxSetup.exeInternal Name: cxSetupFile Version: 2, 0, 5, 6File Description: AutoPCBackupComments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7790 | 8192 | 4.27337 | 2025105e80249339871a8364b9d6462e |
.rdata | 12288 | 8748 | 12288 | 1.93802 | 572d1e8b7ed8ad6d42375759a3f883bf |
.data | 24576 | 2126 | 4096 | 1.23729 | 1c7e0ea211faa299dbdfeafcd23371b5 |
.rsrc | 28672 | 5786104 | 5787648 | 5.42465 | b5659df67a9d9018b876cf171b3240fd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a728.g2.akamai.net/images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl | |
hxxp://ak.dl.autopcbackup.com/images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe | 194.146.191.104 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.43.133.163 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.43.133.163 |
hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.43.133.163 |
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.43.133.163 |
anx.mindspark.com | 74.113.233.187 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ccfb395c271afc099abec1e2735f53b6:1434186400"
Last-Modified: Sat, 13 Jun 2015 09:06:40 GMT
Date: Sat, 13 Jun 2015 11:13:33 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..150613090115Z..150623090115Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......y0...*.H..............]..'..m...>.i........JN22.Y...2.c ...y....#"..=..h.]PTI.=uN;P...z.P.:...Z._..u.z1.vW}~.{Q....Q....mx]L.S^..K.....$x.8....@=.?....).EDC.....@.......F.n.L.q..9#...[...46..<.}.6...#K.|....@<.!. ..-.1)...k./.rY......bq$.....z;M"...<)...9..;2wHC.p~......\_..8.HTTP/1.1 200 OK..Server: Apache..ETag: "ccfb395c271afc099abec1e2735f53b6:1434186400"..Last-Modified: Sat, 13 Jun 2015 09:06:40 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 477..Connection: keep-alive..Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..150613090115Z..150623090115Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......y0...*.H..............]..'..m...>.i........JN22.Y...2.c ...y....#"..=..h.]PTI.=uN;P...z.P.:...Z._..u.z1.vW}~.{Q....Q....mx]L.S^..K.....$x.8....@=.?....).EDC.....@.......F.n.L.q..9#...[...46..<.}.6...#K.|....@<.!. ..-.1)...k./.rY......bq$.....z;M"...<)...9..;2wHC.p~......\_..8...
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "02e277383c1ef089951c3afe285accbd:1427488519"
Last-Modified: Fri, 27 Mar 2015 20:35:19 GMT
Date: Sat, 13 Jun 2015 11:13:33 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl
0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..150318000000Z..150630235959Z0...*.H..............-0.u.f..0.C..O. ..._....m....V......Zb.=.!`...@..[.Q.c...#..}b...Q..c...q....X.....}u}........K..}A(...bQ@.w.y.[........P9G^..HTTP/1.1 200 OK..Server: Apache..ETag: "02e277383c1ef089951c3afe285accbd:1427488519"..Last-Modified: Fri, 27 Mar 2015 20:35:19 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 341..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..150318000000Z..150630235959Z0...*.H..............-0.u.f..0.C..O. ..._....m....V......Zb.=.!`...@..[.Q.c...#..}b...Q..c...q....X.....}u}........K..}A(...bQ@.w.y.[........P9G^....
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "fb62b9f08064a10d3509e3cac5d5c994:1434186316"
Last-Modified: Sat, 13 Jun 2015 09:05:16 GMT
Date: Sat, 13 Jun 2015 11:13:33 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..9.0..8....0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..150613090004Z..150627090004Z0..7u0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.
<<< skipped >>>
GET /images/nocache/vicinio/executable-packages/AutoPCBackup/1428078127515/AutoPCBackupSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.dl.autopcbackup.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 03 Apr 2015 16:22:28 GMT
ETag: "17993e3-3d38c8-512d45ab91900"
Accept-Ranges: bytes
Content-Length: 4012232
Cache-Control: max-age=309244151
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Sat, 13 Jun 2015 11:13:16 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L......R.................X...........).......p....@..........................P.......,>...@.................................<...d........n..........h.=.`....0..........................................@............p..x............................text....W.......X.................. ..`.rdata.......p...0...\..............@..@.data...h...........................@....rsrc....n.......p..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................U...X......... .@.3..E.SVW.}.3.h....S....@...dq@.P..hq@........`........V......SP.......Pp@....W..;.}.W......P...p@.3.h..........WP..............9=..@.......3.F...@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P.....u>.......6......P.....~(......:u....~....P......P......P........j.h.q@.j.......PVj....p@....u..5..@.G;=..@...O.................F...1w........u.j.h.q@.......Pj...lq@........u....M._..^3.[.........V..W3.h..........WP...q@...0.....8.....<.....@.....D....A............
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "97b93bbbb813910cb8bfc80753e88aff:1427247319"
Last-Modified: Wed, 25 Mar 2015 01:35:19 GMT
Date: Sat, 13 Jun 2015 11:13:33 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150318000000Z..150630235959Z0...*.H.............R.`Ts.......... .p.....V,..E...n]...T....R.....5.....j.I*J.:q.......^..2...p..3...!)Oo6[...D.............|..$......R$.......<(........Ohl.....'...C......X.......r......c.........G.....K.j/.L....7O<G....X..4s....2.J.1.8`......?....-(#h.i.p.Z..HB;.-g#...#q..HTTP/1.1 200 OK..Server: Apache..ETag: "97b93bbbb813910cb8bfc80753e88aff:1427247319"..Last-Modified: Wed, 25 Mar 2015 01:35:19 GMT..Date: Sat, 13 Jun 2015 11:13:33 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150318000000Z..150630235959Z0...*.H.............R.`Ts.......... .p.....V,..E...n]...T....R.....5.....j.I*J.:q.......^..2...p..3...!)Oo6[...D.............|..$......R$.......<(........Ohl.....'...C......X.......r......c.........G.....K.j/.L....7O<G....X..4s....2.J.1.8`......?....-(#h.i.p.Z..HB;.-g#...#q....
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
AppIntegrator.exe_240:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
operator
operator
GetProcessWindowStation
GetProcessWindowStation
SHELL32.dll
SHELL32.dll
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
MaxPolicyElementKey
MaxPolicyElementKey
AppIntegrator.cpp
AppIntegrator.cpp
Application.cpp
Application.cpp
IAC::AppIntegrator::CApplication::SetupWindowsHook
IAC::AppIntegrator::CApplication::SetupWindowsHook
C Exception thrown in %s: %s
C Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
Unknown exception thrown in %s
RegOpenKeyTransactedW
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
KERNEL32.dll
UnhookWindowsHookEx
UnhookWindowsHookEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExW
SetWindowsHookExW
USER32.dll
USER32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCloseUSKey
SHRegCreateUSKeyW
SHRegCreateUSKeyW
SHLWAPI.dll
SHLWAPI.dll
USERENV.dll
USERENV.dll
VERSION.dll
VERSION.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
AppIntegrator.exe
AppIntegrator.exe
zcÃ
zcÃ
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
;(;7;
;(;7;
0#0'0 0/030:0
0#0'0 0/030:0
:&;.;6;>;~;
:&;.;6;>;~;
6 6$6(6,6064686
6 6$6(6,6064686
> >$>(>,>0>4>8>@>
> >$>(>,>0>4>8>@>
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
KERNEL32.DLL
KERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
ieframe.dll
ieframe.dll
Failed to enable heap terminate-on-corruption with LastError %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: %S
Error: 0x%0x
Error: 0x%0x
%s:AppIntegratorShutdown
%s:AppIntegratorShutdown
Already running! %s
Already running! %s
The %s event cannot be created (%u)
The %s event cannot be created (%u)
\AppIntegratorStub.dll
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling GetProcAddress %u
Error calling CApplicationBase::SetWindowsHookEx %u
Error calling CApplicationBase::SetWindowsHookEx %u
TraceLogUnitTest.exe
TraceLogUnitTest.exe
TraceLog.cfg
TraceLog.cfg
).csv
).csv
\StringFileInfo\XX\OriginalFilename
\StringFileInfo\XX\OriginalFilename
@t8res.dll
@t8res.dll
Advapi32.dll
Advapi32.dll
C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\AUTOPC~1\bar\1.bin
C:\PROGRA~1\AUTOPC~1\bar\1.bin
@C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe
@C:\PROGRA~1\AUTOPC~1\bar\1.bin\AppIntegrator.exe
1.0.7.247
1.0.7.247
2.5.15.15
2.5.15.15
mscorsvw.exe_1056:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
EX_CATCH line %d
EX_CATCH line %d
CACHE_S_FORMATETC_NOTSUPPORTED
CACHE_S_FORMATETC_NOTSUPPORTED
CTL_E_GETNOTSUPPORTEDATRUNTIME
CTL_E_GETNOTSUPPORTEDATRUNTIME
CTL_E_GETNOTSUPPORTED
CTL_E_GETNOTSUPPORTED
CTL_E_SETNOTSUPPORTEDATRUNTIME
CTL_E_SETNOTSUPPORTEDATRUNTIME
CTL_E_SETNOTSUPPORTED
CTL_E_SETNOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
CO_E_SERVER_EXEC_FAILURE
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
REGDB_E_KEYMISSING
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
OLE_E_ADVISENOTSUPPORTED
CO_E_INIT_SCM_EXEC_FAILURE
CO_E_INIT_SCM_EXEC_FAILURE
EX_THROW Type = 0x%x HR = 0x%x, line %d
EX_THROW Type = 0x%x HR = 0x%x, line %d
ThrowHR: HR = %x
ThrowHR: HR = %x
mscorsvw.pdb
mscorsvw.pdb
_amsg_exit
_amsg_exit
_acmdln
_acmdln
MSVCR100_CLR0400.dll
MSVCR100_CLR0400.dll
_crt_debugger_hook
_crt_debugger_hook
RegCloseKey
RegCloseKey
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
ADVAPI32.dll
ADVAPI32.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
USER32.dll
USER32.dll
mscoree.dll
mscoree.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
.PAVException@@
.PAVException@@
v1.0.3705
v1.0.3705
.PAVOutOfMemoryException@@
.PAVOutOfMemoryException@@
.PAVHRException@@
.PAVHRException@@
7 7$7(7,7074787
7 7$7(7,7074787
6$6,686\6|6
6$6,686\6|6
advapi32.dll
advapi32.dll
Wtsapi32.dll
Wtsapi32.dll
kernel32.dll
kernel32.dll
mscorsvc.dll
mscorsvc.dll
Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been uninstalled
Microsoft .NET Runtime Optimization Service has been uninstalled
Failed to uninstall Microsoft .NET Runtime Optimization Service
Failed to uninstall Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been installed
Microsoft .NET Runtime Optimization Service has been installed
Failed to install Microsoft .NET Runtime Optimization Service
Failed to install Microsoft .NET Runtime Optimization Service
Failed to retrieve Microsoft .NET Runtime Optimization Service interface
Failed to retrieve Microsoft .NET Runtime Optimization Service interface
Set service status to %d
Set service status to %d
Service control handler op %u, event type %u
Service control handler op %u, event type %u
\ndpsetup.bat
\ndpsetup.bat
Created repair process in session %d, process ID %d
Created repair process in session %d, process ID %d
Unable to create repair process, error %d
Unable to create repair process, error %d
Microsoft.NET\NETFXRepair.exe
Microsoft.NET\NETFXRepair.exe
Error changing token session ID, error %d
Error changing token session ID, error %d
Error duplicating current process token, error %d
Error duplicating current process token, error %d
Error getting current process token, error %d
Error getting current process token, error %d
Session %u has become active.
Session %u has become active.
Aborting repair due to unexpected wait status %u
Aborting repair due to unexpected wait status %u
Found active session %u
Found active session %u
Aborting repair due to error %u from WTSEnumerateSessions
Aborting repair due to error %u from WTSEnumerateSessions
StartServiceCtrlDispatcher failed with error %d. Will try slow path
StartServiceCtrlDispatcher failed with error %d. Will try slow path
\fusion.localgac
\fusion.localgac
\v2.0.50727
\v2.0.50727
SOFTWARE\Microsoft\.NetFramework
SOFTWARE\Microsoft\.NetFramework
v4.0.0
v4.0.0
SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
ngenrootstorelock.dat
ngenrootstorelock.dat
ngenservicelock.dat
ngenservicelock.dat
FastStartupCheck(isPrivateRuntime=%d)
FastStartupCheck(isPrivateRuntime=%d)
yKERNEL32.DLL
yKERNEL32.DLL
Software\Microsoft\.NETFramework
Software\Microsoft\.NETFramework
RestrictedGCStressExe
RestrictedGCStressExe
EnableInternetHREFexes
EnableInternetHREFexes
NGENServiceWaitPassiveWork
NGENServiceWaitPassiveWork
NGENServicePassiveWorkWaitTimeout
NGENServicePassiveWorkWaitTimeout
NGENServicePassiveHardDiskIdleTimeout
NGENServicePassiveHardDiskIdleTimeout
NGENServicePassiveExceptInputTimeout
NGENServicePassiveExceptInputTimeout
MD_ForceNoColDesSharing
MD_ForceNoColDesSharing
UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException
UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException
DbgTransportProxyAddress
DbgTransportProxyAddress
DbgRedirectCreateCmd
DbgRedirectCreateCmd
DbgRedirectCommonCmd
DbgRedirectCommonCmd
DbgRedirectAttachCmd
DbgRedirectAttachCmd
mscorrc.dll
mscorrc.dll
v4.0.30319
v4.0.30319
.NET Runtime Optimization Service
.NET Runtime Optimization Service
4.0.30319.1 (RTMRel.030319-0100)
4.0.30319.1 (RTMRel.030319-0100)
mscorsvw.exe
mscorsvw.exe
.NET Framework
.NET Framework
4.0.30319.1
4.0.30319.1