Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fb578b0e6f519976deee57b092d7549b
SHA1: 379fef028b19c410a8801c0015dda956bf6fc93c
SHA256: 8611b0530334ca11e540102b08bfa9044e5c3ef7d039b1cb5ae60198a2f7ae85
SSDeep: 98304:CUi1OwdqeM5whl7gj0C6QBx8NgSKU3Z3v3ZbodowaQ2ddfl:Cl5M5whl7glx8NFP3Z/3Zb8owKfl
Size: 5822848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: SafePCRepair
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
000006dcT8SETUP.EXE:224
89HighIn.exe:1792
89barsvc.exe:1388
89barsvc.exe:468
89barsvc.exe:444
TPIManagerConsole.exe:1140
{2333AA97-0431-42FE-83D0-2124538A8772}.exe:1472
ioloToolService.exe:1868
regsvr32.exe:2012
89srchmn.exe:1912
%original file name%.exe:1756
irsetup.exe:1852
The Trojan injects its code into the following process(es):
AppIntegrator.exe:1748
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process 000006dcT8SETUP.EXE:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
%Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (100 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (264 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (62 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\Hpg64.dll (220 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
%System%\config\system (2878 bytes)
%Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%System%\config\SOFTWARE.LOG (37401 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89hkstub.dll (59 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89srchmr.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1628 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (144 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89reghk.dll (80 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (8088 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
%System%\config (200 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (229 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrchMn.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%System%\config\software (32816 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5024 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (217 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1729 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)
The process TPIManagerConsole.exe:1140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (140 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\{2333AA97-0431-42FE-83D0-2124538A8772}.exe (1592255 bytes)
The Trojan deletes the following file(s):
%Program Files%\SafePCRepair_89\bar\1.bin\{2333AA97-0431-42FE-83D0-2124538A8772}.exe (0 bytes)
The process {2333AA97-0431-42FE-83D0-2124538A8772}.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EXE (190298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EX_ (39950 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EX_ (0 bytes)
The process irsetup.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (3398 bytes)
%Program Files%\SafePCRepair\Newtonsoft.Json.dll (4895 bytes)
%Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (11621 bytes)
%Program Files%\SafePCRepair\SPR.exe (18790 bytes)
%Program Files%\SafePCRepair\IoloServiceWrapper.dll (34 bytes)
%Program Files%\SafePCRepair\log4net.dll (2807 bytes)
%Program Files%\SafePCRepair\Uninstall\Wow64.lmd (601 bytes)
%Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
%Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
%Program Files%\SafePCRepair\ioloToolService.exe (22524 bytes)
%Program Files%\SafePCRepair\MindSparkTools.dll (20641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
%Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
%Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (5 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.xml (1201 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (0 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
Registry activity
The process 000006dcT8SETUP.EXE:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}]
"(Default)" = "IIEInstalledToolbar"
[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\TypeLib]
"(Default)" = "{154690a0-7778-41b5-a3ab-eb51e2482b74}"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\ProgID]
"(Default)" = "SafePCRepair_89.HTMLPanel.1"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"hpp" = "0"
[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"ID" = "3B6191C3-5B81-44A8-890D-482C1AEBDBEE"
[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin"
[HKCR\SafePCRepair_89.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{50066dbf-71b9-4489-b62e-4188d3048db2}"
[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\ProgID]
"(Default)" = "SafePCRepair_89.HTMLMenu.1"
[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}]
"(Default)" = "IThirdPartyInstaller"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\SAFEPC~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"
[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\TypeLib]
"(Default)" = "{C78CCE0D-F991-44F4-B450-33C4FD189E38}"
[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.ThirdPartyInstaller]
"(Default)" = "SafePCRepair Third Party Installer"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"
[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
"(Default)" = "Search Assistant BHO"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c34c0e9f-c070-4b05-b912-563c3cff8555}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\TypeLib]
"(Default)" = "{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP89.exe" = "0"
[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\TypeLib]
"(Default)" = "{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}"
[HKCR\SafePCRepair_89.FeedManager.1\CLSID]
"(Default)" = "{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}"
[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5806dc83-95c8-4120-a305-cbce6260adf1}]
"(Default)" = ""
[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"dir" = "%Program Files%\SafePCRepair_89\bar\"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PID" = "^AW7"
[HKCR\SafePCRepair_89.SettingsPlugin\CurVer]
"(Default)" = "SafePCRepair_89.SettingsPlugin.1"
[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{be823b8c-a7ec-4078-a321-0f8046cbb48a}" = ""
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller"
[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\TypeLib]
"(Default)" = "{63498647-b3ef-4a8a-8c98-163ecf8048fe}"
[HKCR\SafePCRepair_89.FeedManager\CLSID]
"(Default)" = "{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}"
[HKLM\SOFTWARE\SafePCRepair_89\SkinTools]
"PlayerPath" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SkPlay.exe"
[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"
[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}]
"(Default)" = "Toolbar BHO"
[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}]
"(Default)" = "SKINSETTINGS_INTERFACE"
[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"
[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"AppName" = "89SkPlay.exe"
[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin\MimeTypes\application/x-safepcrepair_89plugin]
"Suffixes" = "89"
[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}]
"(Default)" = "_ITemplateBarSettingsEvents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\SafePCRepair_89\bar\1.bin\89Bar.dll,O mindsparktoolbarkey=SafePCRepair_89 uninstalltype=FF"
[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.SettingsPlugin.1\CLSID]
"(Default)" = "{e81003f0-8f21-4a23-8142-403d821198ac}"
[HKCR\SafePCRepair_89.ScriptButton.1]
"(Default)" = ""
[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}]
"(Default)" = ""
[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"
[HKCR\SafePCRepair_89.ScriptButton\CurVer]
"(Default)" = "SafePCRepair_89.ScriptButton.1"
[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.ThirdPartyInstaller\CurVer]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller.1"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"
[HKCR\SafePCRepair_89.ScriptButton]
"(Default)" = ""
[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.PseudoTransparentPlugin\CurVer]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin.1"
[HKCR\SafePCRepair_89.MultipleButton.1\CLSID]
"(Default)" = "{2accb327-7218-4979-8eb7-0e653bc0ea66}"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"SettingsDir" = "%Program Files%\SafePCRepair_89\bar\Settings\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.FeedManager"
[HKCR\SafePCRepair_89.MultipleButton\CurVer]
"(Default)" = "SafePCRepair_89.MultipleButton.1"
[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}]
"(Default)" = "IDataCtrl"
[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.MultipleButton"
[HKCR\SafePCRepair_89.HTMLMenu\CLSID]
"(Default)" = "{816098C9-EC16-4106-9FF7-E19580B2C338}"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"
[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\TypeLib]
"(Default)" = "{154690A0-7778-41B5-A3AB-EB51E2482B74}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}]
"(Default)" = ""
[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"89SrcAs.dll" = ""
[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\SafePCRepair_89.FeedManager.1]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Path" = "%Program Files%\SafePCRepair_89\bar\1.bin\NP89Stub.dll"
[HKCR\SafePCRepair_89.ScriptButton.1\CLSID]
"(Default)" = "{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}"
[HKCR\SafePCRepair_89.PseudoTransparentPlugin\CLSID]
"(Default)" = "{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}"
[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\626"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"
[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}]
"(Default)" = "HttpControl Class"
[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Visible" = "1"
[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}]
"(Default)" = "SafePCRepair_89 HTML Menu"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"ua" = "0"
[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"
[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}]
"(Default)" = "SafePCRepair_89 HTML"
[HKCR\SafePCRepair_89.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\ProgID]
"(Default)" = "SafePCRepair_89.ScriptButton.1"
[HKCR\SafePCRepair_89.ToolbarProtector.1\CLSID]
"(Default)" = "{b6de1d4c-f21b-4056-a99c-1727fd6400ce}"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.SettingsPlugin"
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"vendor" = "SafePCRepair_89"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"DeletedCustomizations" = "1"
[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"
[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"
[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}]
"(Default)" = "IDisableAddonRebuttal"
[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"AppName" = "89SlSrch.exe"
[HKCR\SafePCRepair_89.HTMLMenu]
"(Default)" = "SafePCRepair_89 HTML Menu"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"UninstallFFString" = "%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe 89bar.dll,O uninstalltype=FF"
"sr" = "0"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PartnerPixelNotSet" = ""
[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\SafePCRepair_89.MultipleButton]
"(Default)" = ""
[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}" = ""
[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0]
"(Default)" = "Skin 1.0 Type Library"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}\InprocServer32]
"(Default)" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll"
[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\ProgID]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin.1"
[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}]
"(Default)" = "ProtectorControl Class"
[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"
[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\TypeLib]
"Version" = "1.0"
[HKCR\SafePCRepair_89.ThirdPartyInstaller\CLSID]
"(Default)" = "{50066dbf-71b9-4489-b62e-4188d3048db2}"
[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"AppName" = "89medint.exe"
[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\TypeLib]
"(Default)" = "{6c227856-d369-4b3f-a317-89e4b1cd1a83}"
[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll"
[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}]
"(Default)" = "Disable Addon Rebuttal Control"
[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}]
"(Default)" = "ITemplateBarSettings"
[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1104"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL"
[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Description" = "SafePCRepair Plugin"
[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"
[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"od" = "1"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\ProgID]
"(Default)" = "SafePCRepair_89.ToolbarProtector.1"
[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}]
"(Default)" = "ITemplateBarButtonRect"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"ok" = "1"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"tiec" = "208976"
[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ToolbarProtector"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll"
[HKCR\SafePCRepair_89.SettingsPlugin\CLSID]
"(Default)" = "{e81003f0-8f21-4a23-8142-403d821198ac}"
[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}]
"(Default)" = "SKINWINDOW_INTERFACE"
[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}]
"(Default)" = "ITemplatePopupMenu"
[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\905"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}]
"(Default)" = "HTMLPANEL_INTERFACE"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"RegisteredWithFirefox" = "1"
[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}]
"(Default)" = "IHttpControlEvents"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1506"
[HKCR\SafePCRepair_89.HTMLMenu.1]
"(Default)" = "SafePCRepair_89 HTML Menu"
[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}]
"(Default)" = "IProtectorControl"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"Policy" = "3"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\ProgID]
"(Default)" = "SafePCRepair_89.FeedManager.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\SafePCRepair_89\bar\1.bin\89Bar.dll,O mindsparktoolbarkey=SafePCRepair_89 uninstalltype=IE"
[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll"
[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"
[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}]
"(Default)" = "ITemplateHTMLMenu"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"
[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll"
[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}]
"(Default)" = "ISessionData"
[HKLM\SOFTWARE\SafePCRepair_89\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"
[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.HTMLPanel.1]
"(Default)" = "SafePCRepair_89 HTML Panel"
[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Build" = "126.49328"
[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"
[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\TypeLib]
"(Default)" = "{0bc5607d-dc04-410a-b137-73f2ee733596}"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\ProgID]
"(Default)" = "SafePCRepair_89.SettingsPlugin.1"
[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}]
"(Default)" = "DataCtrl Class"
[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\SafePCRepair_89.MultipleButton.1]
"(Default)" = ""
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"Policy" = "3"
[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ScriptButton"
[HKCR\SafePCRepair_89.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}]
"(Default)" = ""
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"Policy" = "3"
[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}]
"(Default)" = "Popup Menu Plugin"
[HKCR\SafePCRepair_89.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1406"
[HKCR\SafePCRepair_89.FeedManager\CurVer]
"(Default)" = "SafePCRepair_89.FeedManager.1"
[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}]
"(Default)" = "BARFEED_INTERFACE"
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Version" = "1.1.1.1"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"CurInstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"DisplayName" = "SafePCRepair Internet Explorer Toolbar"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\ProgID]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller.1"
[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"AssistMonitor.dll" = ""
[HKCR\SafePCRepair_89.SettingsPlugin]
"(Default)" = ""
[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"RegHookPath" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89reghk"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\TypeLib]
"(Default)" = "{c78cce0d-f991-44f4-b450-33c4fd189e38}"
[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"
[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\TypeLib]
"Version" = "1.0"
[HKCR\SafePCRepair_89.ToolbarProtector\CurVer]
"(Default)" = "SafePCRepair_89.ToolbarProtector.1"
[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\405"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0]
"(Default)" = "TYPELIB_NAME"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"pl" = "9"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}]
"(Default)" = "POPUPMENU_INTERFACE"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=780CE51F&p2=^AW7&ptb=3B6191C3-5B81-44A8-890D-482C1AEBDBEE"
[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.HTMLPanel\CurVer]
"(Default)" = "SafePCRepair_89.HTMLPanel.1"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}]
"(Default)" = "SEARCHSCOPE_INTERFACE"
[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\100"
[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin\MimeTypes\application/x-safepcrepair_89plugin]
"Description" = "SafePCRepair Plugin"
[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"89SrcAs.dll" = "0"
[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\SafePCRepair_89.ThirdPartyInstaller.1]
"(Default)" = "SafePCRepair Third Party Installer"
[HKCR\SafePCRepair_89.SettingsPlugin.1]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"AppName" = "CrExtP89.exe"
[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\TypeLib]
"(Default)" = "{ccb31621-e2c6-43e7-b5d8-2b161973d5c3}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Maximized" = "1"
[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\TypeLib]
"(Default)" = "{B2A921D8-E831-468F-BBC6-16416342C0A7}"
[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}]
"(Default)" = "SafePCRepair"
[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"AppName" = "AppIntegrator.exe"
[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1807"
[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nd" = "0"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.HTMLPanel"
[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"
[HKCR\SafePCRepair_89.HTMLPanel.1\CLSID]
"(Default)" = "{5806dc83-95c8-4120-a305-cbce6260adf1}"
[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}]
"(Default)" = "_IThirdPartyInstallerEvents"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nk" = "0"
[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\SafePCRepair_89.HTMLMenu.1\CLSID]
"(Default)" = "{816098C9-EC16-4106-9FF7-E19580B2C338}"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"HPG.dll" = ""
[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1604"
[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"lidate" = "2014-11-10T05:02:47Z"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"
[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c34c0e9f-c070-4b05-b912-563c3cff8555}]
"Policy" = "3"
[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\TypeLib]
"(Default)" = "{b2a921d8-e831-468f-bbc6-16416342c0a7}"
[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\625"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PluginPath" = "%Program Files%\SafePCRepair_89\bar\1.bin\"
[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\ProgID]
"(Default)" = "SafePCRepair_89.MultipleButton.1"
[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\TypeLib]
"(Default)" = "{C78CCE0D-F991-44F4-B450-33C4FD189E38}"
[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}]
"(Default)" = "Pseudo Transparent Plugin"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"ToolbarGuard.dll" = ""
[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"
[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll"
[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"Policy" = "3"
[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"UninstallString" = "%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe 89bar.dll,O uninstalltype=IE"
[HKCR\SafePCRepair_89.ToolbarProtector]
"(Default)" = "ProtectorControl Class"
[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\Version]
"(Default)" = "1.0"
[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\SafePCRepair_89.MultipleButton\CLSID]
"(Default)" = "{2accb327-7218-4979-8eb7-0e653bc0ea66}"
[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.HTMLMenu"
[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"89DlgHk.dll" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 D5 2D 9C 8E 7D 07 C8 6D BF 21 A4 E3 08 93 FC"
[HKCR\SafePCRepair_89.HTMLMenu\CurVer]
"(Default)" = "SafePCRepair_89.HTMLMenu.1"
[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}]
"(Default)" = "IHttpControl"
[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""
[HKCR\SafePCRepair_89.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"
[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"
[HKCR\SafePCRepair_89.FeedManager]
"(Default)" = ""
[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"au" = "1"
[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = ""
[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"un" = "SafePCRepair"
[HKCR\SafePCRepair_89.ToolbarProtector\CLSID]
"(Default)" = "{b6de1d4c-f21b-4056-a99c-1727fd6400ce}"
[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = "SafePCRepair Third Party Installer"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"(Default)" = "Skin Settings"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{816098C9-EC16-4106-9FF7-E19580B2C338}]
"(Default)" = ""
[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}]
"(Default)" = ""
[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}]
"(Default)" = "ITemplateBarControl"
[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"
[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"
[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c34c0e9f-c070-4b05-b912-563c3cff8555}]
"AppName" = "89SrchMn.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"
[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll"
[HKCR\SafePCRepair_89.ScriptButton\CLSID]
"(Default)" = "{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}"
[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"
[HKCR\SafePCRepair_89.HTMLPanel\CLSID]
"(Default)" = "{5806dc83-95c8-4120-a305-cbce6260adf1}"
[HKCR\SafePCRepair_89.HTMLPanel]
"(Default)" = "SafePCRepair_89 HTML Panel"
[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}]
"(Default)" = "IIEInstalledToolbars"
[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}]
"(Default)" = "ITemplateBarMenu"
[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\TypeLib]
"(Default)" = "{154690A0-7778-41B5-A3AB-EB51E2482B74}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"oldhpp" = "0"
[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll"
[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"
[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}]
"(Default)" = "_IDataCtrlEvents"
[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""
[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"Policy" = "3"
[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"
[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\TypeLib]
"(Default)" = "{f7b9f27c-2e1a-429c-972a-da83f1165b74}"
[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fc509df-4b29-4ab3-96e6-47c178d60287}]
"(Default)" = ""
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
"(Default)" = ""
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"
"SafePCRepair Search Scope Monitor" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89srchmn.exe /m=2 /w /h"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"pid2"
"ConfigDateStamp"
"un"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair Search Scope Monitor"
The process 89HighIn.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 0A 6B 86 10 0E 2B 64 BE 9D 9F 57 82 82 45 81"
The process 89barsvc.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 ED 9A 47 37 38 A1 D0 5D 06 C3 63 C3 6A C1 6C"
The process 89barsvc.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 81 EA 5B E8 61 10 1B 20 FB A8 37 71 4B 1A 99"
The process 89barsvc.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 99 D1 C8 76 AB 6F 59 61 30 85 99 7B 78 33 C8"
The process TPIManagerConsole.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"is64bit" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"FriendlyName" = "Safe PC Repair"
"uninstall" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SafePCRepair_89\Dependencies]
"dependencymanagerpath" = "%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL"
[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\Uninstall\uninstall.xml"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 29 E4 2A E0 E1 B4 89 D3 D8 BA 3C 1E 47 FA DA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process {2333AA97-0431-42FE-83D0-2124538A8772}.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 8C 25 9B 58 E9 39 B4 47 A0 78 C1 09 50 9A 91"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ioloToolService.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SAFEPC~2\IOLOTO~1.EXE"
[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\ProgID]
"(Default)" = "ioloToolService.ToolManager"
[HKCR\ioloToolService.ToolManager\Clsid]
"(Default)" = "{7D6E502F-02F7-46E9-AA46-D3364038B6F7}"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCU\Software\CodeGear\Locales\%Program Files%\SafePCRepair]
"ioloToolService.exe" = "en"
[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}]
"(Default)" = "ITool"
[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}]
"(Default)" = "IToolProfile"
[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ioloToolService.ToolManager]
"(Default)" = "ToolManager Object"
[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0]
"(Default)" = "ioloToolService"
[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\AppID\{CFBE264C-912E-4DA5-B67B-790B27D6D338}]
"LocalService" = "ioloService"
[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}]
"(Default)" = "ISession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"
[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}]
"(Default)" = "IAsyncResult"
[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}]
"(Default)" = "IToolProgressSink"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"(Default)" = ""
[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}]
"(Default)" = "IEnumTool"
[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\ioloToolService.exe]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}]
"(Default)" = "IToolManager"
[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 AF 28 AD 06 00 47 59 ED AA 23 88 FB F8 1E 7A"
[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}]
"(Default)" = "IFileInfo"
[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}]
"(Default)" = "IDataManager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}]
"(Default)" = "IEnumToolProfile"
[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair\ioloToolService.exe"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"(Default)" = "ToolManager Object"
[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair\"
[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"
The process regsvr32.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 30 20 2E FA 67 28 98 46 50 BF E4 78 80 69 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\150]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"
[HKCU\Software\CodeGear\Locales\%System%]
"regsvr32.exe" = "en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\170]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\140]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"
The process 89srchmn.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 35 CB 6E BF 85 0C 3F AD 6E 03 C1 98 16 A3 5B"
The process AppIntegrator.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 8B 3D 20 8F 62 68 43 9A 47 DA 3B BC B6 67 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 0C 6A 91 5D 5C 8D 49 C9 73 A4 60 E8 42 C0 57"
[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nodns" = "0"
"ffTabs" = "0"
[HKCU\Software\SafePCRepair_89\Events\EventData]
"00000000_5" = "01 00 00 00 FC 46 60 54 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 FC 46 60 54 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 FC 46 60 54 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData" = "001"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData"
The process irsetup.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayVersion" = "1.0.0.5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"InstallLocation" = "%Program Files%\SafePCRepair"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"HelpLink" = "http://www.mindspark.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"Contact" = "Mindspark Interactive Network Support Department"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayIcon" = "%Program Files%\SafePCRepair\SPR.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"UninstallString" = "%Program Files%\SafePCRepair\uninstall.exe /U:%Program Files%\SafePCRepair\Uninstall\uninstall.xml"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 E3 0D E4 99 CE B3 04 27 D2 DF E6 82 EC 5E 55"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\AppDataLow\Software\Mindspark\SafePCRepair]
"InstallDir" = "%Program Files%\SafePCRepair\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayName" = "SafePCRepair"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"URLInfoAbout" = "http://www.mindspark.com/"
"Publisher" = "Mindspark Interactive Network"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
9f283fe65917b09419ac6c2a42ee5c6e | c:\Program Files\SafePCRepair\IoloServiceWrapper.dll |
df234383c91c6f52386ff064f6521618 | c:\Program Files\SafePCRepair\Microsoft.Expression.Drawing.dll |
59a16258a357b3dd0eb256dd5372b1a8 | c:\Program Files\SafePCRepair\MindSparkTools.dll |
8611795b70cd1f321cb5cb5aad95ff7b | c:\Program Files\SafePCRepair\Newtonsoft.Json.dll |
a5ff44b2560a74c79e9abc231f96f7fe | c:\Program Files\SafePCRepair\SPR.exe |
50e7046b92b7b001e30fcd5bc5889e48 | c:\Program Files\SafePCRepair\TaskDialog.dll |
d5c82eaca74946caf9034dd825b6a74f | c:\Program Files\SafePCRepair\Uninstall\Wow64.lmd |
1fe131b0989428b4915c3db7a3e65890 | c:\Program Files\SafePCRepair\ioloToolService.dll |
8510762c904e9111e6a8b6bc693270a1 | c:\Program Files\SafePCRepair\ioloToolService.exe |
a072b04165c379dfef863214ef14eb5f | c:\Program Files\SafePCRepair\log4net.dll |
8c0b6838878f3dd76135f999ddb1c900 | c:\Program Files\SafePCRepair\lua5.1.dll |
30da79752cb6b5d9846354ef7ae75627 | c:\Program Files\SafePCRepair\uninstall.exe |
ccbfb0fb6a1771a6851512c824175a8d | c:\Program Files\SafePCRepair_89\bar\1.bin\89Plugin.dll |
3b80c3828554d878ba5b06f8bee6c241 | c:\Program Files\SafePCRepair_89\bar\1.bin\89SrcAs.dll |
6b20f550f0cf310bd0f065eaa97165c7 | c:\Program Files\SafePCRepair_89\bar\1.bin\89SrchMn.exe |
2f7623e361a623d38bbac524702c3b06 | c:\Program Files\SafePCRepair_89\bar\1.bin\89bar.dll |
a629f8db2fe3f86b2b3b369ca2d22ead | c:\Program Files\SafePCRepair_89\bar\1.bin\89barsvc.exe |
aff3aab6d2bc9776ef16b7e310f200f8 | c:\Program Files\SafePCRepair_89\bar\1.bin\89bprtct.dll |
99cd66b4fc8a4da919615cb00358cd89 | c:\Program Files\SafePCRepair_89\bar\1.bin\89datact.dll |
678d96f39fc4511c078ae18eedda725a | c:\Program Files\SafePCRepair_89\bar\1.bin\89dlghk.dll |
47c3d4b1ec799f2410d5c4db3150830c | c:\Program Files\SafePCRepair_89\bar\1.bin\89dlghk64.dll |
56c388f118e47a46e55c78653bf2ae8a | c:\Program Files\SafePCRepair_89\bar\1.bin\89feedmg.dll |
9a56a71b3092fcceb6f3ccb45abad7de | c:\Program Files\SafePCRepair_89\bar\1.bin\89highin.exe |
78f4e5e669f4c0e4d2ab71f432b4f25b | c:\Program Files\SafePCRepair_89\bar\1.bin\89hkstub.dll |
a28971193059661e64d84eea069331dd | c:\Program Files\SafePCRepair_89\bar\1.bin\89htmlmu.dll |
4548cae3d2b5256449a777aac73cc253 | c:\Program Files\SafePCRepair_89\bar\1.bin\89httpct.dll |
1ddc5cffd155ae909c751e4a0104d974 | c:\Program Files\SafePCRepair_89\bar\1.bin\89idle.dll |
0eb5c27740d39b28e407e25f74a2f23a | c:\Program Files\SafePCRepair_89\bar\1.bin\89medint.exe |
6dfe507877f8f11f70dd6db55553a165 | c:\Program Files\SafePCRepair_89\bar\1.bin\89mlbtn.dll |
d05813d47c423da1b8cf674cd1137d59 | c:\Program Files\SafePCRepair_89\bar\1.bin\89regfft.dll |
ebfc2a20a4a3fbe4cd4468f57ba63e1e | c:\Program Files\SafePCRepair_89\bar\1.bin\89reghk.dll |
8491754a8000a9265cda69a407f99b0c | c:\Program Files\SafePCRepair_89\bar\1.bin\89regiet.dll |
cd848ca77df8282a0a4778414808154c | c:\Program Files\SafePCRepair_89\bar\1.bin\89script.dll |
8d0d0ae3e70363239e19c2da171558a7 | c:\Program Files\SafePCRepair_89\bar\1.bin\89skin.dll |
cc079d45f96c2ca37f5d938ab437e985 | c:\Program Files\SafePCRepair_89\bar\1.bin\89skplay.exe |
673d9574e3beb883688975fe2c22556a | c:\Program Files\SafePCRepair_89\bar\1.bin\89srchmr.dll |
cf0646bb879911192c833e314e0afc57 | c:\Program Files\SafePCRepair_89\bar\1.bin\89tpinst.dll |
10f7e914cee5636179838d7f7f976b5a | c:\Program Files\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE |
184f78c50bcc6c2319d56963552f2b7b | c:\Program Files\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL |
29b69b9f0c61ae41100870500a65d219 | c:\Program Files\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL |
82cb70126e6223a63316b71f4cc13976 | c:\Program Files\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL |
aec7ac415e570fa2566769bfbcbc7fd0 | c:\Program Files\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe |
61568320cac2d0868928f9364a565b1a | c:\Program Files\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll |
b096c32156bcd51f33e0e7f12a90e304 | c:\Program Files\SafePCRepair_89\bar\1.bin\CREXT.DLL |
9526b7e071abdd76002bbdbb21beb726 | c:\Program Files\SafePCRepair_89\bar\1.bin\CrExtP89.exe |
4d346cd5b9d4d5be83563bc7d4af0e5c | c:\Program Files\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL |
cc8978a1e61f9b95e99a5cd16aa901f9 | c:\Program Files\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll |
12706849799668a9a88480249b98f060 | c:\Program Files\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL |
e533043cb8fdb1c96839f22e046c2f20 | c:\Program Files\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL |
186159381df948b37bfc3bbdb4fd991a | c:\Program Files\SafePCRepair_89\bar\1.bin\HPG.DLL |
2bd149504e2890da76ddf3e6a891c5cf | c:\Program Files\SafePCRepair_89\bar\1.bin\Hpg64.dll |
444e9d42e6cb5e3a90680232b4c5dd3b | c:\Program Files\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL |
abf98ad68d32356d85417b3907617250 | c:\Program Files\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL |
2b203ef9ed024561e563062fc0d53dc0 | c:\Program Files\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL |
45d1827ce4abc76965688771b44771d5 | c:\Program Files\SafePCRepair_89\bar\1.bin\T8HTML.DLL |
66debcd8acfbc376be016d678057dcca | c:\Program Files\SafePCRepair_89\bar\1.bin\T8RES.DLL |
391e0a8c28c520a3c131c95f9f07bbe9 | c:\Program Files\SafePCRepair_89\bar\1.bin\T8TICKER.DLL |
5cfde1c7f0a7a974dd610a8bdff23577 | c:\Program Files\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL |
f2248d813ae3e7c0a53f395a1485b93a | c:\Program Files\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL |
ae15b408ab9d7d262bc015d942aeed0c | c:\Program Files\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE |
2f143f9d838217a4db883e8e4e8b5234 | c:\Program Files\SafePCRepair_89\bar\1.bin\VERIFY.DLL |
9bc04e8e818cdb85b2f0b2ffd8cb78dd | c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL |
c2af09bff7579b4bf81fa8ae227b15eb | c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL |
7e0e289b1cf9eea5440162efcebe151b | c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE |
e8994129fe701fb4dcb2ae5f3c65f4cc | c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL |
0c42f8320a4f8b87b50acd2c3c987d1e | c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
000006dcT8SETUP.EXE:224
89HighIn.exe:1792
89barsvc.exe:1388
89barsvc.exe:468
89barsvc.exe:444
TPIManagerConsole.exe:1140
{2333AA97-0431-42FE-83D0-2124538A8772}.exe:1472
ioloToolService.exe:1868
regsvr32.exe:2012
89srchmn.exe:1912
%original file name%.exe:1756
irsetup.exe:1852 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
%Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (100 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (264 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (62 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\Hpg64.dll (220 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
%System%\config\system (2878 bytes)
%Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%System%\config\SOFTWARE.LOG (37401 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89hkstub.dll (59 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89srchmr.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1628 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (144 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89reghk.dll (80 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (8088 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (83 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (229 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrchMn.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%System%\config\software (32816 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (217 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1729 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (140 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\{2333AA97-0431-42FE-83D0-2124538A8772}.exe (1592255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EXE (190298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000006dcT8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (3398 bytes)
%Program Files%\SafePCRepair\Newtonsoft.Json.dll (4895 bytes)
%Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (11621 bytes)
%Program Files%\SafePCRepair\IoloServiceWrapper.dll (34 bytes)
%Program Files%\SafePCRepair\log4net.dll (2807 bytes)
%Program Files%\SafePCRepair\Uninstall\Wow64.lmd (601 bytes)
%Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
%Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
%Program Files%\SafePCRepair\ioloToolService.exe (22524 bytes)
%Program Files%\SafePCRepair\MindSparkTools.dll (20641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
%Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
%Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (5 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.xml (1201 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair Search Scope Monitor" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89srchmn.exe /m=2 /w /h" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: SafePCRepair
Product Name: SafePCRepair
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 89Setup.exe
Internal Name: 89Setup
File Version: 2, 0, 5, 6
File Description: SafePCRepair
Comments:
Language: English (United States)
Company Name: SafePCRepairProduct Name: SafePCRepairProduct Version: 2, 0, 5, 6Legal Copyright: Copyright (c) 2009 - 2014Legal Trademarks: Original Filename: 89Setup.exeInternal Name: 89SetupFile Version: 2, 0, 5, 6File Description: SafePCRepairComments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7790 | 8192 | 4.27339 | e28848bc1d5d86f7e6683c7388b6f4e3 |
.rdata | 12288 | 8748 | 12288 | 1.7971 | 07d6fef428c96dbe020e31fb83cdd0d0 |
.data | 24576 | 2126 | 4096 | 1.23441 | a47f92d38213ea3f932932afa2f5c0f4 |
.rsrc | 28672 | 5786104 | 5787648 | 5.39413 | 2146c6ebeb41cb14134c8dad63a8f2d9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
6110b87e6694431f0ceb8a55f20f5465
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1834.g2.akamai.net/images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl | |
hxxp://ak.dl.safepcrepair.com/images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe | 23.15.4.11 |
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.9.117.163 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.9.117.163 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.9.117.163 |
hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.9.117.163 |
anx.mindspark.com | 74.113.233.187 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "075003e67d35591a801778336e66e994:1411607711"
Last-Modified: Thu, 25 Sep 2014 01:15:11 GMT
Date: Mon, 10 Nov 2014 05:03:09 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl
0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140922000000Z..141231235959Z0...*.H...............z ...H.....h.......>V......<...Y*.4..m.P{w.yN.*..rH....o7._..B.H..$O......D(..Or..E..e3....XR.#!1.5j.h..p......<.#..:.FI..l?.HTTP/1.1 200 OK..Server: Apache..ETag: "075003e67d35591a801778336e66e994:1411607711"..Last-Modified: Thu, 25 Sep 2014 01:15:11 GMT..Date: Mon, 10 Nov 2014 05:03:09 GMT..Content-Length: 341..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140922000000Z..141231235959Z0...*.H...............z ...H.....h.......>V......<...Y*.4..m.P{w.yN.*..rH....o7._..B.H..$O......D(..Or..E..e3....XR.#!1.5j.h..p......<.#..:.FI..l?...
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "437231c9ef1d0384cc8ab68afacd850f:1415567114"
Last-Modified: Sun, 09 Nov 2014 21:05:14 GMT
Date: Mon, 10 Nov 2014 05:03:08 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..#@0.."'...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..141109210004Z..141123210004Z0..!.0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@.....
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "bd6753109994fa1bef1833b34f3e263b:1411514416"
Last-Modified: Tue, 23 Sep 2014 23:20:16 GMT
Date: Mon, 10 Nov 2014 05:03:07 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140922000000Z..141231235959Z0...*.H.............O...i.i(.#..s.T....F....${|...xLT.k...(....AC.#.....Y.Ht..}.n..* ...b.Gs...G..N.|2*.9l....\..H.Y....Wh. .....A.......?/...}.......z.Q..qP_.-..~......!.UBW...ER..6....:.p...[...../..h...9.J(..<.;i.......?c.I.t....LV.uD....B..z...~I .6..aR[..(..q............HTTP/1.1 200 OK..Server: Apache..ETag: "bd6753109994fa1bef1833b34f3e263b:1411514416"..Last-Modified: Tue, 23 Sep 2014 23:20:16 GMT..Date: Mon, 10 Nov 2014 05:03:07 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140922000000Z..141231235959Z0...*.H.............O...i.i(.#..s.T....F....${|...xLT.k...(....AC.#.....Y.Ht..}.n..* ...b.Gs...G..N.|2*.9l....\..H.Y....Wh. .....A.......?/...}.......z.Q..qP_.-..~......!.UBW...ER..6....:.p...[...../..h...9.J(..<.;i.......?c.I.t....LV.uD....B..z...~I .6..aR[..(..q..............
<<< skipped >>>
GET /images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.dl.safepcrepair.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 04 Dec 2013 14:00:24 GMT
ETag: "b0df1f-552f70-4ecb5d5a2befb"
Accept-Ranges: bytes
Content-Length: 5582704
Cache-Control: max-age=285929851
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Mon, 10 Nov 2014 05:02:52 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L......R.................X...........).......p....@..........................`........U...@.................................<...d........|............U.`....@..........................................@............p..x............................text....W.......X.................. ..`.rdata.......p...0...\..............@..@.data...h...........................@....rsrc....|.......~..................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................U...X......... .@.3..E.SVW.}.3.h....S....@...dq@.P..hq@........`........V......SP.......Pp@....W..;.}.W......P...p@.3.h..........WP..............9=..@.......3.F...@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P.....u>.......6......P.....~(......:u....~....P......P......P........j.h.q@.j.......PVj....p@....u..5..@.G;=..@...O.................F...1w........u.j.h.q@.......Pj...lq@........u....M._..^3.[.........V..W3.h..........WP...q@...0.....8.....<.....@.....D....A..............H
<<< skipped >>>
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "7607f8af5f1162a7835be66dd8cae4d3:1415567799"
Last-Modified: Sun, 09 Nov 2014 21:16:39 GMT
Date: Mon, 10 Nov 2014 05:03:10 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..141109210108Z..141119210108Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H................!p...9{...>C..k:/4E^../.../V.....\o.W.#..#....7..#.n.. .'$....s....$..r..@.p...}..{$\&....J5@.....7Y..KH..@.w@....zu..F.BEou.j.I6..$omw.E..N.&p...[A..UBgI.S.4..V..v_s..... ...M.$..:*......a..-5.....W...J.E.T..k`...`j.....X:.'{..C.E{..O.S ..k..YF>-jQ"wL.HTTP/1.1 200 OK..Server: Apache..ETag: "7607f8af5f1162a7835be66dd8cae4d3:1415567799"..Last-Modified: Sun, 09 Nov 2014 21:16:39 GMT..Date: Mon, 10 Nov 2014 05:03:10 GMT..Content-Length: 477..Connection: keep-alive..Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..141109210108Z..141119210108Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H................!p...9{...>C..k:/4E^../.../V.....\o.W.#..#....7..#.n.. .'$....s....$..r..@.p...}..{$\&....J5@.....7Y..KH..@.w@....zu..F.BEou.j.I6..$omw.E..N.&p...[A..UBgI.S.4..V..v_s..... ...M.$..:*......a..-5.....W...J.E.T..k`...`j.....X:.'{..C.E{..O.S ..k..YF>-jQ"wL...
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
89HighIn.exe_1792:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHLWAPI.dll
SHLWAPI.dll
KERNEL32.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\t8HighIn.pdb
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\t8HighIn.pdb
1.0.7.235
1.0.7.235
t8HighIn.exe
t8HighIn.exe
2.5.15.2
2.5.15.2
AppIntegrator.exe_1748:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
operator
operator
GetProcessWindowStation
GetProcessWindowStation
SHELL32.dll
SHELL32.dll
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
MaxPolicyElementKey
MaxPolicyElementKey
AppIntegrator.cpp
AppIntegrator.cpp
IAC::AppIntegrator::Application::SetupWindowsHook
IAC::AppIntegrator::Application::SetupWindowsHook
C Exception thrown in %s: %s
C Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
Unknown exception thrown in %s
RegOpenKeyTransactedW
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\AppIntegrator.pdb
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExW
SetWindowsHookExW
UnhookWindowsHookEx
UnhookWindowsHookEx
USER32.dll
USER32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCloseUSKey
SHRegCreateUSKeyW
SHRegCreateUSKeyW
SHLWAPI.dll
SHLWAPI.dll
USERENV.dll
USERENV.dll
VERSION.dll
VERSION.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
AppIntegrator.exe
AppIntegrator.exe
zcÃ
zcÃ
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
>$>,>4>
>$>,>4>
6 6$6(6,606
6 6$6(6,606
2 2@2\2`2
2 2@2\2`2
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
KERNEL32.DLL
KERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
ieframe.dll
ieframe.dll
g%s:AppIntegratorShutdown
g%s:AppIntegratorShutdown
Already running! %s
Already running! %s
The %s event cannot be created (%u)
The %s event cannot be created (%u)
\AppIntegratorStub.dll
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling GetProcAddress %u
Error calling SetWindowsHookEx %u
Error calling SetWindowsHookEx %u
Failed to enable heap terminate-on-corruption with LastError %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: %S
Error: 0x%0x
Error: 0x%0x
TraceLogUnitTest.exe
TraceLogUnitTest.exe
TraceLog.cfg
TraceLog.cfg
).csv
).csv
\StringFileInfo\XX\OriginalFilename
\StringFileInfo\XX\OriginalFilename
@t8res.dll
@t8res.dll
Advapi32.dll
Advapi32.dll
C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\SAFEPC~1\bar\1.bin
C:\PROGRA~1\SAFEPC~1\bar\1.bin
@C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
@C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
1.0.7.235
1.0.7.235
2.5.15.2
2.5.15.2