Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 46a65cf2f8363bf7d6834e601d8ffb0b
SHA1: 81cf5e3fb439e7ddc3b804e452953f5de2939563
SHA256: 217da752314f9a496877438da547d26a9685f6cb3debde2667b30ae1d0a28e8d
SSDeep: 98304:WYNn57GPpaNfEHOC6ocg/RcG6orUled5z7UKZKygN/mGvjymJ1AkxIKkKvIZ:WYNZGPpMEHKocg/R5X2ed5z7HJWjyTkm
Size: 5822824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: PremierDownloadManager
Created at: 2015-05-08 17:12:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
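The summary above identifies the sample by MD5, SHA1, SHA256 and size, and gives an "Entropy: Packed" verdict. The Python below is an added example, not part of the Lavasoft output: it recomputes the same hash set for a buffer you hold and compares all of them against the reported values (matching only MD5 or only the size is not identity), and it applies a Shannon-entropy test of the kind behind the packed verdict, both on the whole buffer and per 4 KiB window, because a packed PE usually shows a low-entropy stub followed by near-8.0 windows that a single whole-file figure hides. The 7.0 bits/byte threshold and the sample buffers are this example's assumptions; the buffers are constructed, not the analysed file.

```python
"""Static triage helpers for the sample summary above.

Added example, not part of the Lavasoft report. The hashes and size in
REPORTED are copied from the summary; PACKED_THRESHOLD and the buffers
built in __main__ are assumptions of this example.
"""
import hashlib
import math
from collections import Counter

# Indicators copied from the report summary.
REPORTED = {
    "md5": "46a65cf2f8363bf7d6834e601d8ffb0b",
    "sha1": "81cf5e3fb439e7ddc3b804e452953f5de2939563",
    "sha256": "217da752314f9a496877438da547d26a9685f6cb3debde2667b30ae1d0a28e8d",
    "size": 5822824,
}

PACKED_THRESHOLD = 7.0  # assumption: bits/byte at or above which a buffer is called packed


def file_hashes(data: bytes) -> dict:
    """Return the same hash set the report lists, plus the size in bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def matches_report(data: bytes, reported: dict = REPORTED) -> bool:
    """True only if every reported hash and the size agree with the buffer."""
    computed = file_hashes(data)
    return all(computed[k] == reported[k] for k in reported)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-buffer verdict in the style of the report's 'Entropy' field."""
    return shannon_entropy(data) >= threshold


def section_entropies(data: bytes, window: int = 4096) -> list:
    """Entropy per fixed-size window, rounded; shows where the packed region starts."""
    return [round(shannon_entropy(data[i:i + window]), 2) for i in range(0, len(data), window)]


def deterministic_noise(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed high-entropy stand-in for a packed section (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


if __name__ == "__main__":
    stub = b"MZ" + b"\x00" * 4094              # constructed: low-entropy header-like data
    packed = stub + deterministic_noise(8192)  # constructed: stub followed by a "packed" body
    print(file_hashes(packed))
    print("matches report:", matches_report(packed))  # False: constructed data, not the sample
    print("entropy:", round(shannon_entropy(packed), 2), "packed:", looks_packed(packed))
    print("per-window:", section_entropies(packed))
```

Run it against a real file by passing `open(path, "rb").read()` to `file_hashes()` and `section_entropies()`; the per-window list is the quicker way to see whether "Packed" means the whole image or only an appended overlay.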
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
{7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe:1324
TPIManagerConsole.exe:640
WPFFontCache_v0400.exe:784
00000660T8SETUP.EXE:968
PDManager.exe:1860
%original file name%.exe:1632
helper.exe:480
PDMSetupDotNet.exe:1292
agHighIn.exe:1072
agbarsvc.exe:1620
agbarsvc.exe:304
agbarsvc.exe:456
regasm.exe:472
irsetup.exe:1364
The Trojan injects its code into the following process(es):
AppIntegrator.exe:1296
PDManager.exe:648
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process {7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process TPIManagerConsole.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\{7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe (873958 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (146 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
The Trojan deletes the following file(s):
%Program Files%\PremierDownloadManager_ag\bar\1.bin\{7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe (0 bytes)
The process 00000660T8SETUP.EXE:968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskplay.exe (55 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\PremierDownloadManager_ag\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghttpct.dll (151 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\LOGO.BMP (10 bytes)
%System%\config (200 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agscript.dll (104 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agmlbtn.dll (98 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agmedint.exe (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\chrome\agffxtbr.jar (1829 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdlghk64.dll (147 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EXTEX.DLL (102 bytes)
%System%\config\SOFTWARE.LOG (40977 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbprtct.dll (121 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agPlugin.dll (82 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agregiet.dll (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\installKeys.js (207 bytes)
%System%\config\system (2810 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdlghk.dll (121 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9152 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agidle.dll (61 bytes)
%Program Files%\PremierDownloadManager_ag\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agSrcAs.dll (146 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghighin.exe (13 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8RES.DLL (199 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CREXT.DLL (6424 bytes)
%Program Files%\PremierDownloadManager_ag\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CrExtPag.exe (7386 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbar.dll (5442 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agtpinst.dll (179 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%System%\config\software (33643 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\PremierDownloadManager_ag\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdatact.dll (171 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4952 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agfeedmg.dll (145 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbarsvc.exe (90 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskin.dll (212 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghtmlmu.dll (214 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agregfft.dll (85 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
The process PDManager.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\d3d9caps.tmp (2648 bytes)
%Documents and Settings%\%current user%\Application Data\PDManager\install.log (469 bytes)
%Documents and Settings%\%current user%\Application Data\PDManager\config.cfg (609 bytes)
The Trojan deletes the following file(s):
%System%\d3d9caps.dat (0 bytes)
The process PDManager.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\PDManager\install.log (593 bytes)
The process %original file name%.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EXE (196915 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EXE (0 bytes)
The process PDMSetupDotNet.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PremierDownloadManager\RegAsm.exe (2134 bytes)
%Program Files%\PremierDownloadManager\WPFToolkit.dll (10808 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PremierDownloadManager\PremierDownloadManager.lnk (797 bytes)
%Program Files%\PremierDownloadManager\{94285e43-a27b-4f51-b280-ff763ae7cd81}.xpi (3 bytes)
%Program Files%\PremierDownloadManager\nppdm.dll (2788 bytes)
%Program Files%\PremierDownloadManager\helper.exe (8838 bytes)
%Program Files%\PremierDownloadManager\pdm.dll (2546 bytes)
%Program Files%\PremierDownloadManager\PDManager.exe (20668 bytes)
%Program Files%\PremierDownloadManager\uninstall.exe (304 bytes)
%Program Files%\PremierDownloadManager\pdm.ico (32 bytes)
%Program Files%\PremierDownloadManager\PDManager_ie.dll (8 bytes)
%Program Files%\PremierDownloadManager\Xceed.Wpf.Toolkit.dll (22574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\LogEx.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PremierDownloadManager\Uninstall.lnk (619 bytes)
%Program Files%\PremierDownloadManager\WpfAnimatedGif.dll (1868 bytes)
%Program Files%\PremierDownloadManager\install.log (1097 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\LogEx.dll (0 bytes)
The process regasm.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PremierDownloadManager\pdmanager_ie.tlb (11364 bytes)
The process irsetup.exe:1364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uninstall.xml (3154 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uninstall.dat (2712 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall.exe (9213 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\IRIMG1.PNG (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (6 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uni1.tmp (10533 bytes)
%Program Files%\Mindspark\PremierDownloadManager\lua5.1.dll (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PremierDownloadManager Setup Log.txt (2835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\PDMSetupDotNet.exe (21069 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\PDMSetupDotNet.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW4.tmp (0 bytes)
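The per-process file lists above, and the registry lists that follow, are what an analyst reads out by hand: which dropped file later ran as a process, which temp files were staged and removed, and which registry writes touch Internet Explorer load points or proxy settings. The Python below is an added example, not Lavasoft's code: it parses this report layout into records and derives those facts. EXCERPT is a constructed subset of lines copied from this report, and the rules in flag_registry() are this example's own assumptions about what to pull out. One of those rules concerns the HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy entries written later in the report: Policy = 3 tells IE Protected Mode on Vista and later to launch the named AppPath silently at medium integrity, which the XP analysis machine could not exercise, so it is a load point to record rather than behaviour observed in this run.

```python
"""Parser for the Lavasoft MAS report layout shown on this page.

Added example, not Lavasoft's code. EXCERPT is a constructed subset of
lines copied from the report; the rules in flag_registry() are assumptions.
"""
import re
from collections import defaultdict

EXCERPT = r"""
The Trojan creates the following process(es):
00000660T8SETUP.EXE:968
%original file name%.exe:1632
irsetup.exe:1364
The process {7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process %original file name%.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EXE (196915 bytes)
The process TPIManagerConsole.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process 00000660T8SETUP.EXE:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb19751c-c628-43db-895c-3b33deda7ecc}]
"Policy" = "3"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbar.dll"
"""

PROC_RE = re.compile(r"^The process (.+?) makes changes in the (file system|system registry)\.$")
FILE_RE = re.compile(r"^(.+?) \((\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"(?: = "(.*)")?$')   # data is None for deleted values
PROC_ENTRY_RE = re.compile(r"^(.+):(\d+)$")


def parse(text):
    """Return (processes, file_records, registry_records) from report text."""
    processes, files, registry = [], [], []
    mode = proc = action = key = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "The Trojan creates the following process(es):":
            mode = "proclist"
        elif (m := PROC_RE.match(line)):
            proc, mode, action, key = m[1], ("file" if m[2] == "file system" else "reg"), None, None
        elif line.startswith("The Trojan creates and/or"):
            action = "write" if mode == "file" else "set"
        elif line.startswith("The Trojan deletes"):
            action = "delete"
        elif mode == "proclist":
            if (m := PROC_ENTRY_RE.match(line)):
                processes.append((m[1], int(m[2])))
            else:
                mode = None  # list ended ("injects its code", "Mutexes", ...)
        elif mode == "file" and action and (m := FILE_RE.match(line)):
            files.append({"proc": proc, "action": action, "path": m[1], "size": int(m[2])})
        elif mode == "reg" and (m := KEY_RE.match(line)):
            key = m[1]
        elif mode == "reg" and action and key and (m := VALUE_RE.match(line)):
            registry.append({"proc": proc, "action": action, "key": key, "name": m[1], "data": m[2]})
        # description lines ("Proxy settings are disabled:", "modifies IE settings ...") are skipped
    return processes, files, registry


def dropped_and_run(processes, files):
    """Written files whose basename later shows up in the process list."""
    names = {name.lower() for name, _ in processes}
    return sorted({f["path"] for f in files
                   if f["action"] == "write" and f["path"].rsplit("\\", 1)[-1].lower() in names})


def staged_and_removed(files):
    """Per process, paths it both wrote and deleted: installer stages unpacked to %Temp%."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in files:
        seen[f["proc"]][f["action"]].add(f["path"])
    return {p: sorted(s["write"] & s["delete"]) for p, s in seen.items() if s["write"] & s["delete"]}


PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}


def flag_registry(registry):
    """Assumed review rules: IE load points and network-path settings worth a second look."""
    flags = []
    for r in registry:
        k = r["key"].lower()
        if "\\internet explorer\\low rights\\elevationpolicy\\" in k:
            flags.append(("ie_elevation_policy", r))   # Policy 3 = silent medium-integrity launch
        elif k.endswith("\\internet settings\\zonemap"):
            flags.append(("ie_zone_map", r))
        elif k.endswith("\\internet settings") and r["name"] in PROXY_VALUES:
            flags.append(("proxy_config", r))          # set or deleted proxy values
        elif k.endswith("\\inprocserver32") and r["name"] == "(Default)":
            flags.append(("com_inproc_server", r))     # DLL registered as a COM server
    return flags


if __name__ == "__main__":
    procs, files, reg = parse(EXCERPT)
    print("dropped and later run:", dropped_and_run(procs, files))
    print("staged and removed:", staged_and_removed(files))
    for kind, r in flag_registry(reg):
        print(kind, r["proc"], r["action"], r["key"], r["name"], r["data"])
```

Feed `parse()` the whole report text instead of EXCERPT to get the full picture; on this report `dropped_and_run()` links the %Temp% copy of 00000660T8SETUP.EXE written by the original sample to the process 00000660T8SETUP.EXE:968 that performs most of the toolbar installation.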
Registry activity
The process AppIntegrator.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F3 4B BB 04 E2 64 65 38 7C 7E 5F 44 C8 CB B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The process {7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 45 B8 30 C4 87 E5 A5 85 03 6F B8 18 18 F8 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the Internet Explorer Local intranet zone mapping option "Include all local (intranet) sites not listed in other zones" (the three ZoneMap values below match IE's default Local intranet options, and installers commonly write them explicitly, so on their own they are not a sign of malicious intent):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the option "Include all network paths (UNCs)":
"UNCAsIntranet" = "1"
The Trojan sets the option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
The process TPIManagerConsole.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\PremierDownloadManager_ag\Dependencies]
"dependencymanagerpath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\DPNMNGR.DLL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\PremierDownloadManager_ag\Dependencies\PremierDownloadManager]
"is64bit" = "0"
"FriendlyName" = "Premier Download Manager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\PremierDownloadManager_ag\Dependencies\PremierDownloadManager]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\PremierDownloadManager\Uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\Mindspark\PremierDownloadManager\Uninstall\uninstall.xml"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C EF C2 FD 13 E5 2B 23 E5 F3 90 4F C9 B2 E9 70"
[HKLM\SOFTWARE\PremierDownloadManager_ag\Dependencies\PremierDownloadManager]
"uninstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Internet Explorer Local intranet zone mapping option "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the option "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process WPFFontCache_v0400.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 15 E1 A1 C1 94 4F 99 99 82 E5 C6 1C 15 FF DB"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
The process 00000660T8SETUP.EXE:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F704FB2B-1CF2-4088-B5FA-5D8C585626EF}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{34A8F66F-BD14-4CAD-8013-181FFA827C52}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=781B8D79&p2=^BE4&ptb=D87161E2-2422-44D5-846A-D13E1DCB7510"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}]
"(Default)" = ""
[HKCR\TypeLib\{34A8F66F-BD14-4CAD-8013-181FFA827C52}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\905"
[HKCR\Interface\{8127B594-FE69-4D62-8E68-AF362CDC67FF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BB9E7A3A-186A-40E8-B9FF-8C24FFAFDD64}]
"(Default)" = "IDisableAddonRebuttal"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Integrators]
"HiddenToolbarReminder.dll" = ""
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"
[HKCR\Interface\{6BFB71F4-FF52-4C54-ABE8-D79A0D3A8C12}\TypeLib]
"Version" = "1.0"
[HKCR\PremierDownloadManager_ag.HTMLMenu\CLSID]
"(Default)" = "{B28B0498-E37B-4A9B-AC37-4D65443F82FE}"
[HKCR\TypeLib\{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\1506"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{FBB95F79-F60C-4F3F-B608-FEE5A2A8940C}\TypeLib]
"(Default)" = "{3B18B575-7750-4EF5-88C0-4B923E81CAAB}"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.ToolbarProtector"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb19751c-c628-43db-895c-3b33deda7ecc}]
"Policy" = "3"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"PartnerPixelNotSet" = ""
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\TypeLib]
"(Default)" = "{68b6016b-1308-4d05-9efb-2a50f159ed78}"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\TypeLib]
"(Default)" = "{0e01f743-5f86-437c-aff8-f8b81e8d1455}"
[HKCR\Interface\{FBB95F79-F60C-4F3F-B608-FEE5A2A8940C}]
"(Default)" = "IIEInstalledToolbars"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6c696e1d-399f-4d35-b756-0b0de20e3259}]
"AppPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\PremierDownloadManager_ag.SettingsPlugin.1]
"(Default)" = ""
[HKCR\PremierDownloadManager_ag.HTMLPanel\CurVer]
"(Default)" = "PremierDownloadManager_ag.HTMLPanel.1"
[HKCR\TypeLib\{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\PremierDownloadManager_ag.ScriptButton\CLSID]
"(Default)" = "{1d806c49-099a-4ac9-8339-be248856de96}"
[HKCR\Interface\{371C3417-6D07-4484-870D-4240DB5C4FFC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{4F107491-CB01-4090-A378-76D29C67C4A8}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{BB9E7A3A-186A-40E8-B9FF-8C24FFAFDD64}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{68B6016B-1308-4D05-9EFB-2A50F159ED78}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\405"
[HKCR\Interface\{62219837-ECAB-46B3-B467-9DED4DEEFB46}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"un" = "PremierDownloadManager"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\Interface\{327E6890-7483-4BF0-A4AC-47733D6B3DAE}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"hpp" = "0"
[HKCR\PremierDownloadManager_ag.ToolbarProtector]
"(Default)" = "ProtectorControl Class"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b68801d1-641a-445a-8dca-05cd1b86d899}]
"AppPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\Interface\{F133B294-8A56-44A1-BCF4-40127EB142A9}\TypeLib]
"(Default)" = "{3B18B575-7750-4EF5-88C0-4B923E81CAAB}"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{FBB95F79-F60C-4F3F-B608-FEE5A2A8940C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D45CB87C-A884-408C-ADE8-807D4ADC7EA8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Integrators]
"AssistMonitor.dll" = ""
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\ProgID]
"(Default)" = "PremierDownloadManager_ag.SettingsPlugin.1"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{BDFE2FC2-BDD5-419D-973C-A04EDAB40D11}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1a1f743b-4631-46e1-84a6-677557ccc83c}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agmlbtn.dll"
[HKCR\TypeLib\{68B6016B-1308-4D05-9EFB-2A50F159ED78}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{40485C5B-7707-448F-97FB-B6958A7E491A}\TypeLib]
"(Default)" = "{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}"
[HKCR\Interface\{23AD211A-1B82-4582-947D-C3C88388D8A7}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"
[HKCR\Interface\{F704FB2B-1CF2-4088-B5FA-5D8C585626EF}\TypeLib]
"(Default)" = "{523BB920-0F2D-4E7E-BB43-6B426E347DD5}"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{8B7FD08D-4012-4343-AC8F-A0D90C3101B3}\TypeLib]
"Version" = "1.0"
[HKCR\PremierDownloadManager_ag.ThirdPartyInstaller.1]
"(Default)" = "PremierDownloadManager Third Party Installer"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{970c55b4-c79e-4c62-9bfa-76439b68969f}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{08D76822-8C0C-4F2D-826C-5C9FC5E8BC6E}]
"(Default)" = "ISessionData"
[HKCR\CLSID\{13bf204e-491f-45e2-9fc2-2969c903b459}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghttpct.dll"
[HKCR\Interface\{371C3417-6D07-4484-870D-4240DB5C4FFC}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.HTMLPanel.1]
"(Default)" = "PremierDownloadManager_ag HTML Panel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"
[HKCR\Interface\{F133B294-8A56-44A1-BCF4-40127EB142A9}]
"(Default)" = "IProtectorControl"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\ProgID]
"(Default)" = "PremierDownloadManager_ag.ThirdPartyInstaller.1"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"
[HKCR\Interface\{4833CC5F-F775-4D48-BF64-B6968D9D0D1A}\TypeLib]
"(Default)" = "{68B6016B-1308-4D05-9EFB-2A50F159ED78}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"
[HKCR\PremierDownloadManager_ag.HTMLPanel]
"(Default)" = "PremierDownloadManager_ag HTML Panel"
[HKCR\PremierDownloadManager_ag.MultipleButton.1]
"(Default)" = ""
[HKCR\Interface\{B0E55DA4-7799-4ECC-AE04-745ECFBAF79D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B0E55DA4-7799-4ECC-AE04-745ECFBAF79D}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8B7FD08D-4012-4343-AC8F-A0D90C3101B3}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbar.dll"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"DeletedCustomizations" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\PremierDownloadManager_ag.MultipleButton\CurVer]
"(Default)" = "PremierDownloadManager_ag.MultipleButton.1"
[HKCR\Interface\{FB19751C-C628-43DB-895C-3B33DEDA7ECC}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKCR\Interface\{D45CB87C-A884-408C-ADE8-807D4ADC7EA8}\TypeLib]
"(Default)" = "{18BF8106-8C3C-4FF5-A483-8654144F7F32}"
[HKCR\CLSID\{c42118c7-59e5-404c-b161-2314a645b84f}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{F448F83B-3C69-4081-95A0-4A5B2DDFB95F}]
"(Default)" = "IHttpControlEvents"
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin\MimeTypes\application/x-premierdownloadmanager_agplugin]
"Description" = "PremierDownloadManager Plugin"
[HKCR\PremierDownloadManager_ag.SettingsPlugin]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b68801d1-641a-445a-8dca-05cd1b86d899}]
"Policy" = "3"
[HKCR\PremierDownloadManager_ag.ThirdPartyInstaller]
"(Default)" = "PremierDownloadManager Third Party Installer"
[HKCR\Interface\{23AD211A-1B82-4582-947D-C3C88388D8A7}]
"(Default)" = "SEARCHSCOPE_INTERFACE"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6BFB71F4-FF52-4C54-ABE8-D79A0D3A8C12}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{523BB920-0F2D-4E7E-BB43-6B426E347DD5}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{FBB95F79-F60C-4F3F-B608-FEE5A2A8940C}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}]
"(Default)" = "PremierDownloadManager Third Party Installer"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"ua" = "0"
[HKCR\Interface\{F448F83B-3C69-4081-95A0-4A5B2DDFB95F}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{523BB920-0F2D-4E7E-BB43-6B426E347DD5}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\Interface\{D8C05950-3253-4E4A-82DA-9640A4A43289}\TypeLib]
"(Default)" = "{18BF8106-8C3C-4FF5-A483-8654144F7F32}"
[HKCR\Interface\{D45CB87C-A884-408C-ADE8-807D4ADC7EA8}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{F6EB7866-E726-4D2C-BAB6-15D396698FD0}\1.0]
"(Default)" = "TYPELIB_NAME"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"ID" = "D87161E2-2422-44D5-846A-D13E1DCB7510"
[HKCR\CLSID\{c42118c7-59e5-404c-b161-2314a645b84f}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbar.dll"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\PREMIE~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{371c3417-6d07-4484-870d-4240db5c4ffc}]
"Policy" = "3"
[HKCR\Interface\{F133B294-8A56-44A1-BCF4-40127EB142A9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5473ee40-254d-4e91-9cf3-6a63cc600f48}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6773eedc-4504-4743-b2eb-4300279250f9}]
"(Default)" = ""
[HKCR\Interface\{F448F83B-3C69-4081-95A0-4A5B2DDFB95F}\TypeLib]
"(Default)" = "{34A8F66F-BD14-4CAD-8013-181FFA827C52}"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{D30287C4-60E3-418C-BCBF-1E68FB8B4331}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"
[HKCR\PremierDownloadManager_ag.HTMLPanel\CLSID]
"(Default)" = "{5473ee40-254d-4e91-9cf3-6a63cc600f48}"
[HKCR\PremierDownloadManager_ag.MultipleButton\CLSID]
"(Default)" = "{1a1f743b-4631-46e1-84a6-677557ccc83c}"
[HKCR\Interface\{FB19751C-C628-43DB-895C-3B33DEDA7ECC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F448F83B-3C69-4081-95A0-4A5B2DDFB95F}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Integrators]
"agDlgHk.dll" = ""
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}]
"(Default)" = "Skin Settings"
[HKCR\Interface\{BB9E7A3A-186A-40E8-B9FF-8C24FFAFDD64}\TypeLib]
"Version" = "1.0"
[HKCR\PremierDownloadManager_ag.HTMLMenu.1]
"(Default)" = "PremierDownloadManager_ag HTML Menu"
[HKCR\Interface\{4833CC5F-F775-4D48-BF64-B6968D9D0D1A}]
"(Default)" = "SKINWINDOW_INTERFACE"
[HKCR\TypeLib\{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"
[HKCR\CLSID\{da104fa1-3714-4056-8f42-d7fb74fd43dc}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\PremierDownloadManager_ag.PseudoTransparentPlugin\CLSID]
"(Default)" = "{a0854441-df43-4985-a1c2-16ce64bb7458}"
[HKCR\CLSID\{1a1f743b-4631-46e1-84a6-677557ccc83c}\ProgID]
"(Default)" = "PremierDownloadManager_ag.MultipleButton.1"
[HKCR\TypeLib\{18BF8106-8C3C-4FF5-A483-8654144F7F32}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\PremierDownloadManager_ag.MultipleButton]
"(Default)" = ""
[HKCR\PremierDownloadManager_ag.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"
[HKCR\CLSID\{1d806c49-099a-4ac9-8339-be248856de96}]
"(Default)" = ""
[HKCR\PremierDownloadManager_ag.ToolbarProtector\CLSID]
"(Default)" = "{bacf0bb5-e070-45a8-afef-548fcf5ae807}"
[HKCR\Interface\{D30287C4-60E3-418C-BCBF-1E68FB8B4331}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{917DD37D-6F5F-4AFB-BC8F-F21EA71D8CB4}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\Interface\{371C3417-6D07-4484-870D-4240DB5C4FFC}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKCR\Interface\{62219837-ECAB-46B3-B467-9DED4DEEFB46}\TypeLib]
"(Default)" = "{523BB920-0F2D-4E7E-BB43-6B426E347DD5}"
[HKCR\TypeLib\{F6EB7866-E726-4D2C-BAB6-15D396698FD0}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4d687bc7-7f1a-472c-bf8e-9af6d7b17ac8}" = ""
[HKCR\PremierDownloadManager_ag.SettingsPlugin\CurVer]
"(Default)" = "PremierDownloadManager_ag.SettingsPlugin.1"
[HKCR\TypeLib\{F6EB7866-E726-4D2C-BAB6-15D396698FD0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\TypeLib]
"(Default)" = "{f4dddd9d-5fb1-4fe9-a538-c8bbd695a2a9}"
[HKCR\TypeLib\{917DD37D-6F5F-4AFB-BC8F-F21EA71D8CB4}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"
[HKCR\TypeLib\{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\CLSID\{eba5bdb3-535a-48f8-ab79-c2f0075dc43b}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{56497D89-7F84-40C3-8BFE-A0312A552905}]
"(Default)" = "SKINSETTINGS_INTERFACE"
[HKCR\PremierDownloadManager_ag.HTMLMenu.1\CLSID]
"(Default)" = "{B28B0498-E37B-4A9B-AC37-4D65443F82FE}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Integrators]
"agSrcAs.dll" = ""
[HKCR\TypeLib\{917DD37D-6F5F-4AFB-BC8F-F21EA71D8CB4}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{1d806c49-099a-4ac9-8339-be248856de96}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agscript.dll"
[HKCR\Interface\{08D76822-8C0C-4F2D-826C-5C9FC5E8BC6E}\TypeLib]
"(Default)" = "{523BB920-0F2D-4E7E-BB43-6B426E347DD5}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"sr" = "0"
[HKCR\TypeLib\{3B18B575-7750-4EF5-88C0-4B923E81CAAB}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{56497D89-7F84-40C3-8BFE-A0312A552905}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{08D76822-8C0C-4F2D-826C-5C9FC5E8BC6E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{34A8F66F-BD14-4CAD-8013-181FFA827C52}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a0854441-df43-4985-a1c2-16ce64bb7458}]
"(Default)" = ""
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Integrators]
"ToolbarGuard.dll" = ""
[HKCR\Interface\{327E6890-7483-4BF0-A4AC-47733D6B3DAE}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{BE5F8580-7A0F-48A5-B84A-2E5DB8EAB60D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\1604"
[HKCR\CLSID\{79b92d37-5edb-428a-ad11-f801ed3ae0c0}]
"(Default)" = "Disable Addon Rebuttal Control"
[HKCR\TypeLib\{0E01F743-5F86-437C-AFF8-F8B81E8D1455}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\Interface\{4F107491-CB01-4090-A378-76D29C67C4A8}\TypeLib]
"(Default)" = "{3B18B575-7750-4EF5-88C0-4B923E81CAAB}"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskin.dll"
[HKCR\Interface\{40485C5B-7707-448F-97FB-B6958A7E491A}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{1a1f743b-4631-46e1-84a6-677557ccc83c}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6c696e1d-399f-4d35-b756-0b0de20e3259}]
"AppName" = "CrExtPag.exe"
[HKCR\Interface\{D8C05950-3253-4E4A-82DA-9640A4A43289}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{4d687bc7-7f1a-472c-bf8e-9af6d7b17ac8}]
"(Default)" = ""
[HKCR\Interface\{6BFB71F4-FF52-4C54-ABE8-D79A0D3A8C12}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.HTMLMenu\CurVer]
"(Default)" = "PremierDownloadManager_ag.HTMLMenu.1"
[HKCR\PremierDownloadManager_ag.ScriptButton.1]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin]
"Version" = "1.1.1.1"
[HKCR\Interface\{62219837-ECAB-46B3-B467-9DED4DEEFB46}]
"(Default)" = "IDataCtrl"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.SettingsPlugin"
[HKCR\Interface\{BB9E7A3A-186A-40E8-B9FF-8C24FFAFDD64}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}]
"(Default)" = "PremierDownloadManager_ag HTML"
[HKCR\TypeLib\{917DD37D-6F5F-4AFB-BC8F-F21EA71D8CB4}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\625"
[HKCR\Interface\{BE5F8580-7A0F-48A5-B84A-2E5DB8EAB60D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin]
"Path" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\NPagStub.dll"
[HKCR\Interface\{4F107491-CB01-4090-A378-76D29C67C4A8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{0E01F743-5F86-437C-AFF8-F8B81E8D1455}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\626"
[HKCR\PremierDownloadManager_ag.PseudoTransparentPlugin\CurVer]
"(Default)" = "PremierDownloadManager_ag.PseudoTransparentPlugin.1"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{D45CB87C-A884-408C-ADE8-807D4ADC7EA8}]
"(Default)" = "BARFEED_INTERFACE"
[HKCR\CLSID\{79b92d37-5edb-428a-ad11-f801ed3ae0c0}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdlghk.dll"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"PID" = "^BE4"
[HKCR\TypeLib\{0E01F743-5F86-437C-AFF8-F8B81E8D1455}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKCR\Interface\{23AD211A-1B82-4582-947D-C3C88388D8A7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{40485C5B-7707-448F-97FB-B6958A7E491A}]
"(Default)" = "ITemplatePopupMenu"
[HKCR\Interface\{A3B093F2-FAA2-4C9D-BB20-30F346B1316B}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{371c3417-6d07-4484-870d-4240db5c4ffc}]
"AppName" = "AppIntegrator.exe"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\TypeLib]
"(Default)" = "{f6eb7866-e726-4d2c-bab6-15d396698fd0}"
[HKCR\PremierDownloadManager_ag.FeedManager.1\CLSID]
"(Default)" = "{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}"
[HKCR\Interface\{FB19751C-C628-43DB-895C-3B33DEDA7ECC}]
"(Default)" = "ITemplateBarSettings"
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{6773eedc-4504-4743-b2eb-4300279250f9}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\PremierDownloadManager_ag.FeedManager.1]
"(Default)" = ""
[HKCR\Interface\{8127B594-FE69-4D62-8E68-AF362CDC67FF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D30287C4-60E3-418C-BCBF-1E68FB8B4331}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin]
"vendor" = "PremierDownloadManager_ag"
[HKCR\CLSID\{1a1f743b-4631-46e1-84a6-677557ccc83c}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{4F107491-CB01-4090-A378-76D29C67C4A8}]
"(Default)" = "IIEInstalledToolbar"
[HKCR\CLSID\{1d806c49-099a-4ac9-8339-be248856de96}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbprtct.dll"
[HKCR\Interface\{371C3417-6D07-4484-870D-4240DB5C4FFC}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\ProgID]
"(Default)" = "PremierDownloadManager_ag.PseudoTransparentPlugin.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b68801d1-641a-445a-8dca-05cd1b86d899}]
"AppName" = "agSkPlay.exe"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskin.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6c696e1d-399f-4d35-b756-0b0de20e3259}]
"Policy" = "3"
[HKCR\Interface\{8127B594-FE69-4D62-8E68-AF362CDC67FF}\TypeLib]
"(Default)" = "{34A8F66F-BD14-4CAD-8013-181FFA827C52}"
[HKCR\Interface\{62219837-ECAB-46B3-B467-9DED4DEEFB46}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"Maximized" = "1"
[HKCR\Interface\{BE5F8580-7A0F-48A5-B84A-2E5DB8EAB60D}\TypeLib]
"(Default)" = "{68B6016B-1308-4D05-9EFB-2A50F159ED78}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"agSrcAs.dll" = "0"
[HKCR\PremierDownloadManager_ag.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{24e8f441-b633-49b9-856e-1869c06527d5}"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\ProgID]
"(Default)" = "PremierDownloadManager_ag.FeedManager.1"
[HKCR\CLSID\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}\ProgID]
"(Default)" = "PremierDownloadManager_ag.HTMLMenu.1"
[HKCR\Interface\{A3B093F2-FAA2-4C9D-BB20-30F346B1316B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{eba5bdb3-535a-48f8-ab79-c2f0075dc43b}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdatact.dll"
[HKCR\Interface\{FB19751C-C628-43DB-895C-3B33DEDA7ECC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{a0854441-df43-4985-a1c2-16ce64bb7458}"
[HKCR\PremierDownloadManager_ag.FeedManager\CurVer]
"(Default)" = "PremierDownloadManager_ag.FeedManager.1"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{3B18B575-7750-4EF5-88C0-4B923E81CAAB}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\ProgID]
"(Default)" = "PremierDownloadManager_ag.HTMLPanel.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{24e8f441-b633-49b9-856e-1869c06527d5}]
"(Default)" = ""
[HKCR\TypeLib\{18BF8106-8C3C-4FF5-A483-8654144F7F32}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\Interface\{BDFE2FC2-BDD5-419D-973C-A04EDAB40D11}]
"(Default)" = "IThirdPartyInstaller"
[HKCR\Interface\{E9216FF6-BDD0-493A-BD7A-A424FE8AB016}]
"(Default)" = "ITemplateBarMenu"
[HKCR\PremierDownloadManager_ag.ThirdPartyInstaller\CLSID]
"(Default)" = "{24e8f441-b633-49b9-856e-1869c06527d5}"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}\TypeLib]
"(Default)" = "{3b18b575-7750-4ef5-88c0-4b923e81caab}"
[HKCR\Interface\{56497D89-7F84-40C3-8BFE-A0312A552905}\TypeLib]
"Version" = "1.0"
[HKCR\PremierDownloadManager_ag.ScriptButton\CurVer]
"(Default)" = "PremierDownloadManager_ag.ScriptButton.1"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agtpinst.dll"
[HKCR\TypeLib\{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{BB9E7A3A-186A-40E8-B9FF-8C24FFAFDD64}\TypeLib]
"(Default)" = "{917DD37D-6F5F-4AFB-BC8F-F21EA71D8CB4}"
[HKCR\Interface\{B0E55DA4-7799-4ECC-AE04-745ECFBAF79D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"au" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c42118c7-59e5-404c-b161-2314a645b84f}" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb19751c-c628-43db-895c-3b33deda7ecc}]
"AppPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"nk" = "0"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{F133B294-8A56-44A1-BCF4-40127EB142A9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{970c55b4-c79e-4c62-9bfa-76439b68969f}]
"(Default)" = "Toolbar BHO"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"nd" = "0"
[HKCR\Interface\{6BFB71F4-FF52-4C54-ABE8-D79A0D3A8C12}]
"(Default)" = "_IThirdPartyInstallerEvents"
[HKCR\TypeLib\{0E01F743-5F86-437C-AFF8-F8B81E8D1455}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{08D76822-8C0C-4F2D-826C-5C9FC5E8BC6E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.FeedManager\CLSID]
"(Default)" = "{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}"
[HKCR\Interface\{327E6890-7483-4BF0-A4AC-47733D6B3DAE}\TypeLib]
"(Default)" = "{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}"
[HKCR\Interface\{327E6890-7483-4BF0-A4AC-47733D6B3DAE}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.PseudoTransparentPlugin"
[HKCR\Interface\{FB19751C-C628-43DB-895C-3B33DEDA7ECC}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{523BB920-0F2D-4E7E-BB43-6B426E347DD5}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"
[HKCR\Interface\{8B7FD08D-4012-4343-AC8F-A0D90C3101B3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{371c3417-6d07-4484-870d-4240db5c4ffc}]
"AppPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCU\Software\Classes\CLSID\{4d687bc7-7f1a-472c-bf8e-9af6d7b17ac8}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agSrcAs.dll"
[HKCR\Interface\{D8C05950-3253-4E4A-82DA-9640A4A43289}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{da104fa1-3714-4056-8f42-d7fb74fd43dc}]
"(Default)" = "Search Assistant BHO"
[HKCR\TypeLib\{68B6016B-1308-4D05-9EFB-2A50F159ED78}\1.0]
"(Default)" = "Skin 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\PremierDownloadManager_ag\bar\1.bin\agBar.dll,O mindsparktoolbarkey=PremierDownloadManager_ag uninstalltype=IE"
[HKCR\Interface\{8127B594-FE69-4D62-8E68-AF362CDC67FF}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{A3B093F2-FAA2-4C9D-BB20-30F346B1316B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{13bf204e-491f-45e2-9fc2-2969c903b459}]
"(Default)" = "HttpControl Class"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"tiec" = "208976"
[HKCR\Interface\{F448F83B-3C69-4081-95A0-4A5B2DDFB95F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\TypeLib]
"(Default)" = "{68b6016b-1308-4d05-9efb-2a50f159ed78}"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6BFB71F4-FF52-4C54-ABE8-D79A0D3A8C12}\TypeLib]
"(Default)" = "{F6EB7866-E726-4D2C-BAB6-15D396698FD0}"
[HKCR\PremierDownloadManager_ag.ToolbarProtector.1\CLSID]
"(Default)" = "{bacf0bb5-e070-45a8-afef-548fcf5ae807}"
[HKCR\Interface\{4833CC5F-F775-4D48-BF64-B6968D9D0D1A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E9216FF6-BDD0-493A-BD7A-A424FE8AB016}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{da104fa1-3714-4056-8f42-d7fb74fd43dc}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agSrcAs.dll"
[HKCR\Interface\{E9216FF6-BDD0-493A-BD7A-A424FE8AB016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{34A8F66F-BD14-4CAD-8013-181FFA827C52}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"Visible" = "1"
[HKCR\Interface\{E9216FF6-BDD0-493A-BD7A-A424FE8AB016}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"Build" = "146.36286"
"dir" = "%Program Files%\PremierDownloadManager_ag\bar\"
[HKCR\Interface\{F704FB2B-1CF2-4088-B5FA-5D8C585626EF}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\PremierDownloadManager_ag\bar\1.bin\agBar.dll,O mindsparktoolbarkey=PremierDownloadManager_ag uninstalltype=FF"
[HKCR\Interface\{40485C5B-7707-448F-97FB-B6958A7E491A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.HTMLMenu]
"(Default)" = "PremierDownloadManager_ag HTML Menu"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"RegisteredWithFirefox" = "1"
[HKCR\PremierDownloadManager_ag.HTMLPanel.1\CLSID]
"(Default)" = "{5473ee40-254d-4e91-9cf3-6a63cc600f48}"
[HKCR\Interface\{E9216FF6-BDD0-493A-BD7A-A424FE8AB016}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D30287C4-60E3-418C-BCBF-1E68FB8B4331}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}]
"(Default)" = ""
[HKCR\Interface\{A3B093F2-FAA2-4C9D-BB20-30F346B1316B}\TypeLib]
"(Default)" = "{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}"
[HKCR\PremierDownloadManager_ag.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\Interface\{B0E55DA4-7799-4ECC-AE04-745ECFBAF79D}]
"(Default)" = "ITemplateBarControl"
[HKCR\Interface\{CFE23A98-9CF0-4334-8148-C496EB26F4BA}\TypeLib]
"(Default)" = "{BA0CC1B0-494E-4B94-A2C2-F9D9C6D2B569}"
[HKCR\Interface\{F704FB2B-1CF2-4088-B5FA-5D8C585626EF}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\Interface\{4833CC5F-F775-4D48-BF64-B6968D9D0D1A}\TypeLib]
"Version" = "1.0"
[HKCR\PremierDownloadManager_ag.SettingsPlugin\CLSID]
"(Default)" = "{6773eedc-4504-4743-b2eb-4300279250f9}"
[HKCR\CLSID\{c42118c7-59e5-404c-b161-2314a645b84f}]
"(Default)" = "PremierDownloadManager"
[HKCR\Interface\{BDFE2FC2-BDD5-419D-973C-A04EDAB40D11}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8B7FD08D-4012-4343-AC8F-A0D90C3101B3}]
"(Default)" = "ITemplateBarButtonRect"
[HKCR\Interface\{4F107491-CB01-4090-A378-76D29C67C4A8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CFE23A98-9CF0-4334-8148-C496EB26F4BA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"UninstallString" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghighin.exe agbar.dll,O uninstalltype=IE"
[HKCR\Interface\{371C3417-6D07-4484-870D-4240DB5C4FFC}]
"(Default)" = "_ITemplateBarSettingsEvents"
[HKCR\Interface\{CFE23A98-9CF0-4334-8148-C496EB26F4BA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"pl" = "9"
[HKCR\PremierDownloadManager_ag.ToolbarProtector\CurVer]
"(Default)" = "PremierDownloadManager_ag.ToolbarProtector.1"
[HKCR\Interface\{D8C05950-3253-4E4A-82DA-9640A4A43289}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"
[HKCR\PremierDownloadManager_ag.ScriptButton.1\CLSID]
"(Default)" = "{1d806c49-099a-4ac9-8339-be248856de96}"
[HKCR\Interface\{D8C05950-3253-4E4A-82DA-9640A4A43289}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PremierDownloadManager_ag.ThirdPartyInstaller\CurVer]
"(Default)" = "PremierDownloadManager_ag.ThirdPartyInstaller.1"
[HKCR\Interface\{23AD211A-1B82-4582-947D-C3C88388D8A7}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKCR\TypeLib\{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKCR\Interface\{8127B594-FE69-4D62-8E68-AF362CDC67FF}]
"(Default)" = "IHttpControl"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83ac0d1e-aa11-48bc-98ed-b5e52e235562}]
"AppName" = "agmedint.exe"
[HKCR\CLSID\{1a1f743b-4631-46e1-84a6-677557ccc83c}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.MultipleButton"
[HKCR\CLSID\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.HTMLMenu"
[HKCR\TypeLib\{18BF8106-8C3C-4FF5-A483-8654144F7F32}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\1104"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.ThirdPartyInstaller"
[HKCR\PremierDownloadManager_ag.FeedManager]
"(Default)" = ""
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"UninstallFFString" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghighin.exe agbar.dll,O uninstalltype=FF"
[HKCR\TypeLib\{18BF8106-8C3C-4FF5-A483-8654144F7F32}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"SettingsDir" = "%Program Files%\PremierDownloadManager_ag\bar\Settings\"
"PluginPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\TypeLib]
"(Default)" = "{18bf8106-8c3c-4ff5-a483-8654144f7f32}"
[HKCR\Interface\{D45CB87C-A884-408C-ADE8-807D4ADC7EA8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{970c55b4-c79e-4c62-9bfa-76439b68969f}\InprocServer32]
"(Default)" = "C:\PROGRA~1\PREMIE~1\bar\1.bin\agbar.dll"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8HTML.DLL"
[HKCR\CLSID\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghtmlmu.dll"
[HKCR\TypeLib\{F4DDDD9D-5FB1-4FE9-A538-C8BBD695A2A9}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}\TypeLib]
"(Default)" = "{68b6016b-1308-4d05-9efb-2a50f159ed78}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"lidate" = "2015-07-16T06:58:18Z"
[HKCR\Interface\{327E6890-7483-4BF0-A4AC-47733D6B3DAE}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskin.dll"
[HKCR\PremierDownloadManager_ag.MultipleButton.1\CLSID]
"(Default)" = "{1a1f743b-4631-46e1-84a6-677557ccc83c}"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{B0E55DA4-7799-4ECC-AE04-745ECFBAF79D}\TypeLib]
"(Default)" = "{0E01F743-5F86-437C-AFF8-F8B81E8D1455}"
[HKCR\Interface\{08D76822-8C0C-4F2D-826C-5C9FC5E8BC6E}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{A3B093F2-FAA2-4C9D-BB20-30F346B1316B}]
"(Default)" = "HTMLPANEL_INTERFACE"
[HKCU\Software\Classes\CLSID\{4d687bc7-7f1a-472c-bf8e-9af6d7b17ac8}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{CFE23A98-9CF0-4334-8148-C496EB26F4BA}]
"(Default)" = "ITemplateHTMLMenu"
[HKCR\CLSID\{eba5bdb3-535a-48f8-ab79-c2f0075dc43b}\TypeLib]
"(Default)" = "{523bb920-0f2d-4e7e-bb43-6b426e347dd5}"
[HKCR\TypeLib\{F6EB7866-E726-4D2C-BAB6-15D396698FD0}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\100"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 DC D7 45 F3 9B 72 D7 04 C5 32 F2 C8 05 CC 75"
[HKCR\TypeLib\{523BB920-0F2D-4E7E-BB43-6B426E347DD5}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\1406"
[HKCR\CLSID\{eba5bdb3-535a-48f8-ab79-c2f0075dc43b}]
"(Default)" = "DataCtrl Class"
[HKCR\TypeLib\{3B18B575-7750-4EF5-88C0-4B923E81CAAB}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"
[HKCR\CLSID\{79b92d37-5edb-428a-ad11-f801ed3ae0c0}\TypeLib]
"(Default)" = "{917dd37d-6f5f-4afb-bc8f-f21ea71d8cb4}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtPag.exe" = "0"
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\PremierDownloadManager_ag\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.FeedManager"
[HKCR\CLSID\{13bf204e-491f-45e2-9fc2-2969c903b459}\TypeLib]
"(Default)" = "{34a8f66f-bd14-4cad-8013-181ffa827c52}"
[HKCR\Interface\{D30287C4-60E3-418C-BCBF-1E68FB8B4331}\TypeLib]
"(Default)" = "{68B6016B-1308-4D05-9EFB-2A50F159ED78}"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin]
"Description" = "PremierDownloadManager Plugin"
[HKCR\Interface\{8B7FD08D-4012-4343-AC8F-A0D90C3101B3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\SkinTools]
"PlayerPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agSkPlay.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{56497D89-7F84-40C3-8BFE-A0312A552905}\TypeLib]
"(Default)" = "{68B6016B-1308-4D05-9EFB-2A50F159ED78}"
[HKLM\SOFTWARE\MozillaPlugins\@PremierDownloadManager_ag.com/Plugin\MimeTypes\application/x-premierdownloadmanager_agplugin]
"Suffixes" = "ag"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{4833CC5F-F775-4D48-BF64-B6968D9D0D1A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"CurInstall" = "1"
[HKCR\Interface\{40485C5B-7707-448F-97FB-B6958A7E491A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{3B18B575-7750-4EF5-88C0-4B923E81CAAB}\1.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\t8res.dll\1807"
[HKCR\PremierDownloadManager_ag.SettingsPlugin.1\CLSID]
"(Default)" = "{6773eedc-4504-4743-b2eb-4300279250f9}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PremierDownloadManager_agbar Uninstall Internet Explorer]
"DisplayName" = "PremierDownloadManager Internet Explorer Toolbar"
[HKCR\Interface\{23AD211A-1B82-4582-947D-C3C88388D8A7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{56497D89-7F84-40C3-8BFE-A0312A552905}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"ok" = "1"
[HKCR\CLSID\{1d806c49-099a-4ac9-8339-be248856de96}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.ScriptButton"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}\ProgID]
"(Default)" = "PremierDownloadManager_ag.ToolbarProtector.1"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"od" = "1"
[HKCR\PremierDownloadManager_ag.ScriptButton]
"(Default)" = ""
[HKCR\CLSID\{b68801d1-641a-445a-8dca-05cd1b86d899}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83ac0d1e-aa11-48bc-98ed-b5e52e235562}]
"AppPath" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\CLSID\{a0854441-df43-4985-a1c2-16ce64bb7458}]
"(Default)" = "Pseudo Transparent Plugin"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb19751c-c628-43db-895c-3b33deda7ecc}]
"AppName" = "agSlSrch.exe"
[HKCR\Interface\{BE5F8580-7A0F-48A5-B84A-2E5DB8EAB60D}]
"(Default)" = "POPUPMENU_INTERFACE"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83ac0d1e-aa11-48bc-98ed-b5e52e235562}]
"Policy" = "3"
[HKCR\CLSID\{7a85162c-2222-4492-9c14-ea8ec9ec9c7f}]
"(Default)" = "Popup Menu Plugin"
[HKCR\Interface\{62219837-ECAB-46B3-B467-9DED4DEEFB46}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\VersionIndependentProgID]
"(Default)" = "PremierDownloadManager_ag.HTMLPanel"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{bacf0bb5-e070-45a8-afef-548fcf5ae807}]
"(Default)" = "ProtectorControl Class"
[HKCR\TypeLib\{68B6016B-1308-4D05-9EFB-2A50F159ED78}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin"
[HKCR\CLSID\{13bf204e-491f-45e2-9fc2-2969c903b459}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{FBB95F79-F60C-4F3F-B608-FEE5A2A8940C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1d806c49-099a-4ac9-8339-be248856de96}\ProgID]
"(Default)" = "PremierDownloadManager_ag.ScriptButton.1"
[HKCR\Interface\{BDFE2FC2-BDD5-419D-973C-A04EDAB40D11}\TypeLib]
"(Default)" = "{F6EB7866-E726-4D2C-BAB6-15D396698FD0}"
[HKCR\CLSID\{d46a933c-4507-46b7-bc70-f6dc8a57e2fc}\InprocServer32]
"(Default)" = "%Program Files%\PremierDownloadManager_ag\bar\1.bin\agfeedmg.dll"
[HKCR\CLSID\{B28B0498-E37B-4A9B-AC37-4D65443F82FE}]
"(Default)" = "PremierDownloadManager_ag HTML Menu"
[HKCR\Interface\{CFE23A98-9CF0-4334-8148-C496EB26F4BA}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{5473ee40-254d-4e91-9cf3-6a63cc600f48}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{79b92d37-5edb-428a-ad11-f801ed3ae0c0}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{24e8f441-b633-49b9-856e-1869c06527d5}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{F704FB2B-1CF2-4088-B5FA-5D8C585626EF}]
"(Default)" = "_IDataCtrlEvents"
[HKCR\Interface\{BE5F8580-7A0F-48A5-B84A-2E5DB8EAB60D}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F133B294-8A56-44A1-BCF4-40127EB142A9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{BDFE2FC2-BDD5-419D-973C-A04EDAB40D11}\TypeLib]
"Version" = "1.0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PremierDownloadManager AppIntegrator 32-bit" = "C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{970c55b4-c79e-4c62-9bfa-76439b68969f}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da104fa1-3714-4056-8f42-d7fb74fd43dc}]
"(Default)" = ""
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PremierDownloadManager" = "rundll32 C:\PROGRA~1\PREMIE~1\bar\1.bin\agbar.dll,S"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da104fa1-3714-4056-8f42-d7fb74fd43dc}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"pid2"
"un"
"ConfigDateStamp"
The process PDManager.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 30 F6 DC BA 8B C3 D3 B9 B4 D9 A6 51 4D F9 C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "PMIL"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\PremierDownloadManager]
"PDManager.exe" = "PDManager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\VIDEO\{459B62D6-C2AB-471C-BC12-EEF931FDF4EB}\0000]
"Attach.ToDesktop" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "PDManager.exe"
[HKCU\Software\PremierDownloadManager]
"Receiver" = "524412"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process PDManager.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 24 7A C0 2E 43 B2 33 D3 D6 DE 8B 0A 44 E2 5D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\PremierDownloadManager]
"helper.exe" = "Premier Download Manager Uninstall Component"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\PremierDownloadManager]
"Internet Explorer" = "%Program Files%\PremierDownloadManager\pdmanager_ie.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/pdmanager_ie.dll"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\PremierDownloadManager]
"RegAsm.exe" = "Microsoft .NET Assembly Registration Utility"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A F6 94 67 B1 37 46 14 C1 B9 23 97 9B 53 01 F5"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"nodns" = "0"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"OToIData" = "001"
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar\Switches]
"ffTabs" = "0"
[HKCU\Software\PremierDownloadManager_ag\Events\EventData]
"00000000_5" = "01 00 00 00 0D 56 A7 55 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 0D 56 A7 55 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 0D 56 A7 55 00 00 00 00 00 00 00 00"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\PremierDownloadManager_ag\bar]
"OToIData"
The process helper.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 D4 D9 5C A2 2F 59 1C 9B BB 8B 64 C8 BE D9 11"
The process PDMSetupDotNet.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Premier Download Manager]
"FFDisable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Premier Download Manager]
"IEDisable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Premier Download Manager]
"DisplayName" = "Premier Download Manager"
"DisplayIcon" = "%Program Files%\PremierDownloadManager\pdm.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Premier Download Manager]
"(Default)" = "%Program Files%\PremierDownloadManager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 AB 56 8E 05 62 F8 01 7A 2C DC BE 3F 86 1C B8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Premier Download Manager]
"ChromeDisable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Premier Download Manager]
"Publisher" = "Mindspark Interactive Network"
"UninstallString" = "%Program Files%\PremierDownloadManager\uninstall.exe"
The process agHighIn.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 91 C0 B6 C3 1D A4 BF 59 1B 3B 4E 33 8B 43 6E"
The process agbarsvc.exe:1620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF F4 6B 3B 97 CF 12 2B F7 29 CF 08 B3 C9 B5 71"
The process agbarsvc.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 8A 0F DB EF FF CD 44 57 3C E1 5E A8 50 21 17"
The process agbarsvc.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 B5 19 C3 B7 22 AA 92 2C 8A 93 1E 40 E5 23 F9"
The process regasm.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{C22BA932-C30F-328F-9775-BFF6D9A9F26D}\TypeLib]
"Version" = "2.0"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}]
"(Default)" = "PDManager_ie.PDManagerIEclass"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32\2.0.0.1]
"Assembly" = "PDManager_ie, Version=2.0.0.1, Culture=neutral, PublicKeyToken=null"
[HKCR\Interface\{C22BA932-C30F-328F-9775-BFF6D9A9F26D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Internet Explorer]
"DownloadUI" = "{87d1bd5f-0174-4ab2-ffc4-9e3a451f17eb}"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32\2.0.0.1]
"Class" = "PDManager_ie.PDManagerIEclass"
[HKCR\Record\{EDF1D497-05B5-37F6-AAAC-3EB5E67D4DC2}\2.0.0.1]
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/PDManager_ie.DLL"
[HKCR\PDManager_ie.PDManagerIEclass\CLSID]
"(Default)" = "{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}"
[HKCR\TypeLib\{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}\2.0]
"(Default)" = "Premier Download Manager IE Component"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32\2.0.0.1]
"RuntimeVersion" = "v4.0.30319"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32\2.0.0.1]
"Assembly" = "PDManager_ie, Version=2.0.0.1, Culture=neutral, PublicKeyToken=null"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32\2.0.0.1]
"Class" = "PDManager_ie.MessageHelper"
[HKCR\TypeLib\{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}\2.0\0\win32]
"(Default)" = "%Program Files%\PremierDownloadManager\pdmanager_ie.tlb"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}]
"(Default)" = "PDManager_ie.MessageHelper"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32\2.0.0.1]
"RuntimeVersion" = "v4.0.30319"
[HKCR\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}]
"0" = ".NET Category"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32]
"RuntimeVersion" = "v4.0.30319"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/PDManager_ie.DLL"
"RuntimeVersion" = "v4.0.30319"
[HKCR\Interface\{CC391B01-F037-3EF0-AEAF-680F5F8DB98C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Record\{EDF1D497-05B5-37F6-AAAC-3EB5E67D4DC2}\2.0.0.1]
"Assembly" = "PDManager_ie, Version=2.0.0.1, Culture=neutral, PublicKeyToken=null"
[HKCR\Interface\{C22BA932-C30F-328F-9775-BFF6D9A9F26D}\TypeLib]
"(Default)" = "{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\ProgId]
"(Default)" = "PDManager_ie.PDManagerIEclass"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32]
"Class" = "PDManager_ie.MessageHelper"
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/PDManager_ie.DLL"
[HKCR\Interface\{C22BA932-C30F-328F-9775-BFF6D9A9F26D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\ProgId]
"(Default)" = "PDManager_ie.MessageHelper"
[HKCR\PDManager_ie.MessageHelper]
"(Default)" = "PDManager_ie.MessageHelper"
[HKCR\Interface\{CC391B01-F037-3EF0-AEAF-680F5F8DB98C}]
"(Default)" = "_MessageHelper"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"(Default)" = "mscoree.dll"
[HKCR\TypeLib\{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}\2.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{CC391B01-F037-3EF0-AEAF-680F5F8DB98C}\TypeLib]
"(Default)" = "{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32]
"Assembly" = "PDManager_ie, Version=2.0.0.1, Culture=neutral, PublicKeyToken=null"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"Class" = "PDManager_ie.PDManagerIEclass"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32\2.0.0.1]
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/PDManager_ie.DLL"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32\2.0.0.1]
"CodeBase" = "file:///C:/Program Files/PremierDownloadManager/PDManager_ie.DLL"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{C22BA932-C30F-328F-9775-BFF6D9A9F26D}]
"(Default)" = "_PDManagerIEclass"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 E4 6D F2 BC 15 DC 3B 87 94 42 C3 64 6F E4 BD"
[HKCR\PDManager_ie.MessageHelper\CLSID]
"(Default)" = "{819D045F-E9A2-39E0-B495-D615AD1A9471}"
[HKCR\Record\{EDF1D497-05B5-37F6-AAAC-3EB5E67D4DC2}\2.0.0.1]
"Class" = "PDManager_ie.MessageHelper COPYDATASTRUCT"
[HKCR\PDManager_ie.PDManagerIEclass]
"(Default)" = "PDManager_ie.PDManagerIEclass"
[HKCR\TypeLib\{12B0C2CE-8371-4826-9112-2EE71C4AEBD9}\2.0\HELPDIR]
"(Default)" = "%Program Files%\PremierDownloadManager"
[HKCR\CLSID\{87D1BD5F-0174-4AB2-FFC4-9E3A451F17EB}\InprocServer32]
"Assembly" = "PDManager_ie, Version=2.0.0.1, Culture=neutral, PublicKeyToken=null"
[HKCR\Record\{EDF1D497-05B5-37F6-AAAC-3EB5E67D4DC2}\2.0.0.1]
"RuntimeVersion" = "v4.0.30319"
[HKCR\CLSID\{819D045F-E9A2-39E0-B495-D615AD1A9471}\InprocServer32]
"(Default)" = "mscoree.dll"
[HKCR\Interface\{CC391B01-F037-3EF0-AEAF-680F5F8DB98C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CC391B01-F037-3EF0-AEAF-680F5F8DB98C}\TypeLib]
"Version" = "2.0"
The process irsetup.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"InstallLocation" = "%Program Files%\Mindspark\PremierDownloadManager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"Publisher" = "Mindspark Interactive Network"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"UninstallString" = "%Program Files%\Mindspark\PremierDownloadManager\Uninstall.exe /U:%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uninstall.xml"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"DisplayName" = "Premier Download Manager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"NoRepair" = "1"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Premier Download Manager]
"DisplayName" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"HelpLink" = "http://www.mindspark.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"URLInfoAbout" = "http://www.mindspark.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Premier Download Manager]
"PartnerToolBar" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 81 BF A0 5E 28 53 93 9B 94 C7 38 FE 16 D2 DC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"DisplayIcon" = "%Program Files%\PremierDownloadManager\PDManager.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark PremierDownloadManager]
"Contact" = "Mindspark Interactive Network Support Department"
"DisplayVersion" = "2.0.0.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
3622dde2e209dc53f1b79d9978b0b693 | c:\Program Files\Mindspark\PremierDownloadManager\Uninstall.exe |
8c0b6838878f3dd76135f999ddb1c900 | c:\Program Files\Mindspark\PremierDownloadManager\lua5.1.dll |
fbdd362e800c1e3632eebe24c729214a | c:\Program Files\PremierDownloadManager\PDManager.exe |
d7cfc8b8e436b287ec9627b8363d133f | c:\Program Files\PremierDownloadManager\PDManager_ie.dll |
c28046946af1768df49a7cd84b16bcad | c:\Program Files\PremierDownloadManager\RegAsm.exe |
195ed09e0b4f3b09ea4a3b67a0d3f396 | c:\Program Files\PremierDownloadManager\WPFToolkit.dll |
01f6d4d6a0d38749c28769dbadc66ebe | c:\Program Files\PremierDownloadManager\WpfAnimatedGif.dll |
4d9016bddba557aa18b82faaf28520c5 | c:\Program Files\PremierDownloadManager\Xceed.Wpf.Toolkit.dll |
dfc471baff2df51737ffb54410faf3f9 | c:\Program Files\PremierDownloadManager\helper.exe |
d7fc989c41b644094a8a0ae6863a7844 | c:\Program Files\PremierDownloadManager\nppdm.dll |
8eda6fdabd2cf9a04d6aefa6cef3d70c | c:\Program Files\PremierDownloadManager\pdm.dll |
80eca928403732ea65d805d5c55a1b71 | c:\Program Files\PremierDownloadManager\uninstall.exe |
f0c2c3d183a087b51dbe88dd773126b6 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATOR.EXE |
3d6b337517336594470f070bbc7188dd | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATORSTUB.DLL |
36194eb9cf8c55d41ce917beb9d0cd61 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR.DLL |
ef0439594263d5e3ee0a0b87717d8f30 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR64.DLL |
cf182742aa4f29b44dfd95779c3a79d0 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\AppIntegrator64.exe |
0da866b437db8560d9bb83f1c14b2e79 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\AppIntegratorStub64.dll |
ed0259fd945476d3e1f5175a22a5281a | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\CREXT.DLL |
b3e27442407095a8fcee6e827b87baf6 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\CrExtPag.exe |
b7887260ed97aa7474c22e0409ec20ba | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\DPNMNGR.DLL |
bf22cfcd99cacfd5cc557196593a429b | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\FF-NativeMessagingDispatcher.dll |
9e6225a6deab5b28d8971ea09a57881d | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\HKFXMGR.DLL |
258974b87536c176f852bed3df551146 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\HKFXMGR64.DLL |
fdb44ebf6a36cb1cd99401e209f53b6a | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\HiddenToolbarReminder.dll |
99e6d5152ec5ebee8575ae94cd4801eb | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\INSTALLENABLER.DLL |
a4a441ebd83fd66d03f10895419fadb7 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8EPMSUP.DLL |
c69ec2b5d9e89d5c8e05be1d482e7f82 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8EXTEX.DLL |
6bc6e9db38a9cfea465b64177606e66d | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8EXTPEX.DLL |
32f857d34001b795a898f7c50651af6b | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8HTML.DLL |
94f509cc8dd3ea860076f7893cf406b6 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8RES.DLL |
9294b3d8e5052ecf3c23d31eecab8f07 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\T8TICKER.DLL |
b273c99560d26fb5a08e3cebf47e5bb1 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD.DLL |
5d16b944c42a8468f9cf59b96947c917 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD64.DLL |
e12861de780e1fc0c222e4e206f33928 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\TPIMANAGERCONSOLE.EXE |
eb4aa26e1a5c3cd6256a48b3c88c0059 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\VERIFY.DLL |
143678734dbbf30ff73b2a1e182970d6 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agPlugin.dll |
feaa90789a41e01caefcb5b02cefede9 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agSrcAs.dll |
99cc9f1e159d11f08cae0e3ae8726011 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agbar.dll |
09c2c30e15dcb3c1d197208e51e8a8f4 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agbarsvc.exe |
c0d2405e4d44656a1729b0a8b29123db | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agbprtct.dll |
629ea085462a9832c8e1d4804c9131a1 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agdatact.dll |
5b723723a3b15807efb90dbfbf9989ec | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agdlghk.dll |
c120998d06bf3198dc39a6f6b48a636d | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agdlghk64.dll |
cf959830a291941bb68b228492442da5 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agfeedmg.dll |
cfcf18eda229d24d880b4eefb2eeaa09 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\aghighin.exe |
0358525c385bd4246bcbd5cb52c25d84 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\aghtmlmu.dll |
ba0b181aa48ed4d50ea2fc9e957630d8 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\aghttpct.dll |
f5e0a300d3c344cbf20538ea61915dca | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agidle.dll |
70dc4406538aa6508f51a9b91150082c | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agmedint.exe |
787f17d71fb75e9539244194bf352fe5 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agmlbtn.dll |
0d05671b86d96031a8a46cde84a0ea16 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agregfft.dll |
541a039e3b5f3859117efe498b062ccc | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agregiet.dll |
09325e2140cd35d9f2e303f2943ec075 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agscript.dll |
b9892a2d0e2550615db1f7ff60bc7008 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agskin.dll |
18804f338e38b8720ba1538e31c97cc0 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agskplay.exe |
cf0646bb879911192c833e314e0afc57 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\agtpinst.dll |
84960b155e9ff6c931cd21798ce217b2 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER.DLL |
267202f1663f579b55e3fcb177fd2a77 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER64.DLL |
994ef00fad9a8e289c9ce0a7c085bfc2 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\APA\bar\ASSIST.EXE |
58cb372449dab3a2c798e4c2454bee91 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\APA\dialog\ASSIST.EXE |
cbfdb354f658af062be791b6914eb25a | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL |
2205c3df09c286a6059415c16023c6e7 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL |
e999b0d00082accdf9514b9b18cf27f2 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE |
9389f5b1c2c2684adb948a1fb161f0cb | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER.DLL |
c1285334ce13d734083fc8f5bd0f9a66 | c:\Program Files\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER64.DLL |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
{7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe:1324
TPIManagerConsole.exe:640
WPFFontCache_v0400.exe:784
00000660T8SETUP.EXE:968
PDManager.exe:1860
%original file name%.exe:1632
helper.exe:480
PDMSetupDotNet.exe:1292
agHighIn.exe:1072
agbarsvc.exe:1620
agbarsvc.exe:304
agbarsvc.exe:456
regasm.exe:472
irsetup.exe:1364
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\{7E919EB8-C54B-42BC-994F-FB0B4E658411}.exe (873958 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (146 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskplay.exe (55 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\PremierDownloadManager_ag\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghttpct.dll (151 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\LOGO.BMP (10 bytes)
%System%\config (200 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agscript.dll (104 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agmlbtn.dll (98 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agmedint.exe (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\chrome\agffxtbr.jar (1829 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdlghk64.dll (147 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EXTEX.DLL (102 bytes)
%System%\config\SOFTWARE.LOG (40977 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbprtct.dll (121 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agPlugin.dll (82 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agregiet.dll (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\installKeys.js (207 bytes)
%System%\config\system (2810 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdlghk.dll (121 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9152 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agidle.dll (61 bytes)
%Program Files%\PremierDownloadManager_ag\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agSrcAs.dll (146 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghighin.exe (13 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8RES.DLL (199 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CREXT.DLL (6424 bytes)
%Program Files%\PremierDownloadManager_ag\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CrExtPag.exe (7386 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbar.dll (5442 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agtpinst.dll (179 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%System%\config\software (33643 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\PremierDownloadManager_ag\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agdatact.dll (171 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agfeedmg.dll (145 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agbarsvc.exe (90 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agskin.dll (212 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\aghtmlmu.dll (214 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\agregfft.dll (85 bytes)
%Program Files%\PremierDownloadManager_ag\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
%System%\d3d9caps.tmp (2648 bytes)
%Documents and Settings%\%current user%\Application Data\PDManager\install.log (469 bytes)
%Documents and Settings%\%current user%\Application Data\PDManager\config.cfg (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000660T8SETUP.EXE (196915 bytes)
%Program Files%\PremierDownloadManager\RegAsm.exe (2134 bytes)
%Program Files%\PremierDownloadManager\WPFToolkit.dll (10808 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PremierDownloadManager\PremierDownloadManager.lnk (797 bytes)
%Program Files%\PremierDownloadManager\{94285e43-a27b-4f51-b280-ff763ae7cd81}.xpi (3 bytes)
%Program Files%\PremierDownloadManager\nppdm.dll (2788 bytes)
%Program Files%\PremierDownloadManager\helper.exe (8838 bytes)
%Program Files%\PremierDownloadManager\pdm.dll (2546 bytes)
%Program Files%\PremierDownloadManager\PDManager.exe (20668 bytes)
%Program Files%\PremierDownloadManager\uninstall.exe (304 bytes)
%Program Files%\PremierDownloadManager\pdm.ico (32 bytes)
%Program Files%\PremierDownloadManager\PDManager_ie.dll (8 bytes)
%Program Files%\PremierDownloadManager\Xceed.Wpf.Toolkit.dll (22574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\LogEx.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PremierDownloadManager\Uninstall.lnk (619 bytes)
%Program Files%\PremierDownloadManager\WpfAnimatedGif.dll (1868 bytes)
%Program Files%\PremierDownloadManager\install.log (1097 bytes)
%Program Files%\PremierDownloadManager\pdmanager_ie.tlb (11364 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uninstall.xml (3154 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uninstall.dat (2712 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall.exe (9213 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\IRIMG1.PNG (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (6 bytes)
%Program Files%\Mindspark\PremierDownloadManager\Uninstall\uni1.tmp (10533 bytes)
%Program Files%\Mindspark\PremierDownloadManager\lua5.1.dll (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PremierDownloadManager Setup Log.txt (2835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\PDMSetupDotNet.exe (21069 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PremierDownloadManager AppIntegrator 32-bit" = "C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PremierDownloadManager" = "rundll32 C:\PROGRA~1\PREMIE~1\bar\1.bin\agbar.dll,S"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: PremierDownloadManager
Product Name: PremierDownloadManager
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: agSetup.exe
Internal Name: agSetup
File Version: 2, 0, 5, 6
File Description: PremierDownloadManager
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7790 | 8192 | 4.27337 | 2025105e80249339871a8364b9d6462e |
.rdata | 12288 | 8748 | 12288 | 1.89267 | 6ad075381494441a7924c0f77a65d91b |
.data | 24576 | 2126 | 4096 | 1.25518 | 37b189070986417b6493db5dda891533 |
.rsrc | 28672 | 5786104 | 5787648 | 5.42565 | 875eb2267d91df9a7edabf95baafcb8c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1123.g2.akamai.net/images/nocache/vicinio/executable-packages/PremierDownloadManager/1405952628273/PremierDownloadManagerWrapper.exe | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl | |
hxxp://www187.mindspark.com/xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=&product=PremierDownloadManager&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2014-07-21&anxv=1.1.7843.16&anxa=ProductInstaller&osArchitecture=32 | |
hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.43.133.163 |
hxxp://ak.dl.premierdownloadmanager.com/images/nocache/vicinio/executable-packages/PremierDownloadManager/1405952628273/PremierDownloadManagerWrapper.exe | 194.146.191.113 |
hxxp://anx.mindspark.com/xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=&product=PremierDownloadManager&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2014-07-21&anxv=1.1.7843.16&anxa=ProductInstaller&osArchitecture=32 | 74.113.233.187 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.43.133.163 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.43.133.163 |
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.43.133.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "e4ea60d914f34d3f3d341907f72da002:1435263916"
Last-Modified: Thu, 25 Jun 2015 20:25:16 GMT
Date: Thu, 16 Jul 2015 06:58:35 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /images/nocache/vicinio/executable-packages/PremierDownloadManager/1405952628273/PremierDownloadManagerWrapper.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.dl.premierdownloadmanager.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 21 Jul 2014 14:24:02 GMT
ETag: "6dc072-3e2200-4feb4dbcc2480"
Accept-Ranges: bytes
Content-Length: 4071936
Cache-Control: max-age=284282742
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Thu, 16 Jul 2015 06:58:19 GMT
Connection: keep-alive
<<< skipped >>>
GET /xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=&product=PremierDownloadManager&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2014-07-21&anxv=1.1.7843.16&anxa=ProductInstaller&osArchitecture=32 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 8.0
Host: anx.mindspark.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 204 No Content
Server: nginx/1.0.10
Date: Thu, 16 Jul 2015 06:58:46 GMT
Connection: close
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: max-age=0
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "56a06ebb4541a5e678b507944fdd9ed3:1436994919"
Last-Modified: Wed, 15 Jul 2015 21:15:19 GMT
Date: Thu, 16 Jul 2015 06:58:35 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< skipped >>>
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ad0d3a69061e04d5186947c5a563cd14:1436995013"
Last-Modified: Wed, 15 Jul 2015 21:16:53 GMT
Date: Thu, 16 Jul 2015 06:58:41 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "e07a3d13a93004c10b476d1e8e1e8a6d:1435204514"
Last-Modified: Thu, 25 Jun 2015 03:55:14 GMT
Date: Thu, 16 Jul 2015 06:58:38 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
agHighIn.exe_1072:
.text
`.rdata
@.data
.rsrc
@.reloc
SHLWAPI.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\t8HighIn.pdb
1.0.7.247
t8HighIn.exe
2.5.15.15
AppIntegrator.exe_1296:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
SHELL32.dll
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MaxPolicyElementKey
AppIntegrator.cpp
Application.cpp
IAC::AppIntegrator::CApplication::SetupWindowsHook
C Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
UnhookWindowsHookEx
MsgWaitForMultipleObjects
SetWindowsHookExW
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCreateUSKeyW
SHLWAPI.dll
USERENV.dll
VERSION.dll
GetProcessHeap
GetCPInfo
AppIntegrator.exe
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
;(;7;
;(;7;
0#0'0 0/030:0
0#0'0 0/030:0
:&;.;6;>;~;
:&;.;6;>;~;
6 6$6(6,6064686
6 6$6(6,6064686
> >$>(>,>0>4>8>@>
> >$>(>,>0>4>8>@>
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
KERNEL32.DLL
KERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
ieframe.dll
ieframe.dll
Failed to enable heap terminate-on-corruption with LastError %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: %S
Error: 0x%0x
Error: 0x%0x
%s:AppIntegratorShutdown
%s:AppIntegratorShutdown
Already running! %s
Already running! %s
The %s event cannot be created (%u)
The %s event cannot be created (%u)
\AppIntegratorStub.dll
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling GetProcAddress %u
Error calling CApplicationBase::SetWindowsHookEx %u
Error calling CApplicationBase::SetWindowsHookEx %u
TraceLogUnitTest.exe
TraceLogUnitTest.exe
TraceLog.cfg
TraceLog.cfg
).csv
).csv
\StringFileInfo\XX\OriginalFilename
\StringFileInfo\XX\OriginalFilename
@t8res.dll
@t8res.dll
Advapi32.dll
Advapi32.dll
C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\PREMIE~1\bar\1.bin
C:\PROGRA~1\PREMIE~1\bar\1.bin
@C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe
@C:\PROGRA~1\PREMIE~1\bar\1.bin\AppIntegrator.exe
1.0.7.247
1.0.7.247
2.5.15.15
2.5.15.15
PDManager.exe_648_rwx_00A7C000_00002000:
sQlx^
sQlx^
PDManager.exe_648_rwx_03370000_00010000:
PresentationFramework.classic
PresentationFramework.classic
WindowsFormsIntegration
WindowsFormsIntegration
WPFFontCache_v0400.exe_784:
.text
.text
`.data
`.data
@.rsrc
@.rsrc
@.reloc
@.reloc
t1Ht.Ht
t1Ht.Ht
Ht.Ht
Ht.Ht
8Y%u(
8Y%u(
Ht.Ht$Ht
Ht.Ht$Ht
tGHt;Ht.Ht$Ht
tGHt;Ht.Ht$Ht
!!"$%%&$%%&())*
!!"$%%&$%%&())*
%s %s line %d
%s %s line %d
SHELL32.dll
SHELL32.dll
RPCRT4.dll
RPCRT4.dll
MSVCR100_CLR0400.dll
MSVCR100_CLR0400.dll
KERNEL32.dll
KERNEL32.dll
ADVAPI32.dll
ADVAPI32.dll
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegCloseKey
RegCloseKey
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
GetSystemWindowsDirectoryW
GetSystemWindowsDirectoryW
_crt_debugger_hook
_crt_debugger_hook
_amsg_exit
_amsg_exit
wpffontcache_v0400.pdb
wpffontcache_v0400.pdb
.?AVMalformedKeyException@@
.?AVMalformedKeyException@@
.?AVNotSupportedException@@
.?AVNotSupportedException@@
6666666666666666
6666666666666666
666666666666
666666666666
6666666
6666666
8888888
8888888
!"#$%&'()* ,-./
!"#$%&'()* ,-./
0000000000000
0000000000000
#@$@$@$@$
#@$@$@$@$
@:@$@$@$@$@$@$@$@$@$@$
@:@$@$@$@$@$@$@$@$@$@$
!"#$%&'()* ,-./0
!"#$%&'()* ,-./0
%&'(gggg)* ,..........................................................................................MMMM..
%&'(gggg)* ,..........................................................................................MMMM..
4444444444444
4444444444444
#$%&'()*
#$%&'()*
!!!!"#$%&'()* ,-./0123456789:;
!!!!"#$%&'()* ,-./0123456789:;
KEYW
KEYW
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4 4}455
4 4}455
:":&:*:.:2:
:":&:*:.:2:
0!0&0,03090?0
0!0&0,03090?0
1 1$1(1,1014181
1 1$1(1,1014181
>0>8>`>~>
>0>8>`>~>
1$1@1\1|1
1$1@1\1|1
Software\Microsoft\Avalon.Graphics
Software\Microsoft\Avalon.Graphics
kernel32.dll
kernel32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
MARLETT.TTF
MARLETT.TTF
E\\?\
E\\?\
\WPFFontCache_v0400-System.dat
\WPFFontCache_v0400-System.dat
{2da8dded-086f-4cb9-a77f-b974b9cb0186}
{2da8dded-086f-4cb9-a77f-b974b9cb0186}
\\?\UNC\
\\?\UNC\
{00000000-0000-0000-0000-000000000000}
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\Volume
yKERNEL32.DLL
yKERNEL32.DLL
KeySize
KeySize
ElementMalformedKeyTask
ElementMalformedKeyTask
CacheMissReportReceivedTask
CacheMissReportReceivedTask
wpffontcache_v0400.exe
wpffontcache_v0400.exe
4.0.30319.1 built by: RTMRel
4.0.30319.1 built by: RTMRel
.NET Framework
.NET Framework
4.0.30319.1
4.0.30319.1