Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 61c23fbe048e7ca377ce60389f235414
SHA1: b926fb363b922816896a7f17bcf2e6df579e4aa3
SHA256: 15150cafc7f60248798a87e50549384e23f223dabfa80ed30af499772231cacc
SSDeep: 98304:pDJw/LJpxkvEqQJPoR/J2EwRm41fRJBFAuXmzixMVGMFkF yDHxj4e3:paLxfqQ R/wEH4FRJBFfXcixO4 yLx/3
Size: 5822864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Marine Aquarium Lite
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
57srchmn.exe:1556
MALiteSetup.tmp:252
TPIManagerConsole.exe:364
{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500
00000294T8SETUP.EXE:1276
57HighIn.exe:1900
MALiteSetup.exe:160
57barsvc.exe:1284
57barsvc.exe:1016
57barsvc.exe:1564
%original file name%.exe:660
irsetup.exe:1968
The Trojan injects its code into the following process(es):
AppIntegrator.exe:1088
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process MALiteSetup.tmp:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.dat (2064 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-AN6HM.tmp (7150 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium on the Web.lnk (981 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\www.SereneScreen.com.url (310 bytes)
%System%\is-0I46C.tmp (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-IABLG.tmp (195 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BO418.tmp (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Documents and Settings%\%current user%\Desktop\SereneScreen Marine Aquarium Lite.lnk (688 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BVAE0.tmp (35 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\Prolific Publishing on the Web.lnk (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup (0 bytes)
The process TPIManagerConsole.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L4Z4NAVX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (136 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (1495258 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9AB3MJ6C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VO9Z1ANT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDL92Q1D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
The Trojan deletes the following file(s):
%Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (0 bytes)
The process {D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process 00000294T8SETUP.EXE:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll (145 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll (144 bytes)
%System%\config (200 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\MarineAquarium3Free_57\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CrExtP57.exe (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57medint.exe (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57hkstub.dll (59 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk64.dll (147 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57srchmr.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll (179 bytes)
%System%\config\SOFTWARE.LOG (42313 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regfft.dll (85 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57barsvc.exe (90 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll (214 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57idle.dll (62 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8TICKER.DLL (171 bytes)
%System%\config\system (2812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57Plugin.dll (83 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6408 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll (98 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\MarineAquarium3Free_57\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll (171 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regiet.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll (104 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skplay.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll (151 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%System%\config\software (34218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\chrome\57ffxtbr.jar (1829 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll (212 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe (13 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3544 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\VERIFY.DLL (70 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57reghk.dll (80 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTEX.DLL (102 bytes)
The process MALiteSetup.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (3790 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp (0 bytes)
The process %original file name%.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (188805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (39950 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (0 bytes)
The process irsetup.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MarineAquarium Setup Log.txt (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (33812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW1.tmp (0 bytes)
Registry activity
The process 57srchmn.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 33 FE 5D DC 19 F3 E7 6D 8C 69 31 FB 63 3D EA"
The process MALiteSetup.tmp:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Publisher" = "Prolific Publishing, Inc."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayName" = "SereneScreen Marine Aquarium Lite"
"Inno Setup: User" = "%CurrentUserName%"
"MinorVersion" = "0"
"Inno Setup: Icon Group" = "SereneScreen"
"Inno Setup: App Path" = "%Program Files%\SereneScreen\Marine Aquarium Lite"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayIcon" = "%System%\MarineAquariumLite.exe"
"URLUpdateInfo" = "http://www.SereneScreen.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\SereneScreen\MarineAquariumLite]
"EXE" = "%System%\MarineAquariumLite.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"AppName" = "MarineAquariumLite.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayVersion" = "3.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"MajorVersion" = "3"
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
[HKCU\Control Panel\Desktop]
"ScreenSaveTimeOut" = "120"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"InstallDate" = "20140916"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"URLInfoAbout" = "http://www.ProlificPublishingInc.com"
"Inno Setup: Setup Version" = "5.3.11 (a)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"InstallLocation" = "%Program Files%\SereneScreen\Marine Aquarium Lite\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"NoRepair" = "1"
"UninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Inno Setup: Language" = "en"
"QuietUninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "MarineAquariumLite.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Readme" = ".\Readme.txt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"AppPath" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 2F F4 D4 FB 8F D3 EC B5 82 A4 93 7F FA 5E 10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Inno Setup: Deselected Tasks" = ""
"HelpLink" = "http://www.SereneScreen.com"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
The process TPIManagerConsole.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 6F 6C 70 1E A6 4D FD 50 63 F5 FE 8B 55 62 2D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\MarineAquarium3Free_57\Dependencies]
"dependencymanagerpath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL"
[HKLM\SOFTWARE\MarineAquarium3Free_57\Dependencies\MarineAquarium]
"uninstall" = "0"
"FriendlyName" = "Marine Aquarium Lite"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process {D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D C6 0B 81 4F 97 F6 03 FB EC 8C 0B 1B 03 82 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 00000294T8SETUP.EXE:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Maximized" = "1"
[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\TypeLib]
"(Default)" = "{fdb8f0c7-adf7-4a45-b762-fe8ef4970dbd}"
[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}]
"(Default)" = "ISessionData"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}]
"(Default)" = "ITemplateBarMenu"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"AppName" = "57medint.exe"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"un" = "Marine Aquarium Lite"
"RegHookPath" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57reghk"
[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.ScriptButton\CLSID]
"(Default)" = "{94c67622-4e77-495a-9457-c8064c92a228}"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\ProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel.1"
[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"
[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin\MimeTypes\application/x-marineaquarium3free_57plugin]
"Suffixes" = "57"
[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}]
"(Default)" = "HttpControl Class"
[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}]
"(Default)" = "Marine Aquarium Lite Third Party Installer"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin\CurVer]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin.1"
[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}]
"(Default)" = "ITemplateBarControl"
[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.ToolbarProtector]
"(Default)" = "ProtectorControl Class"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}]
"(Default)" = "Skin Settings"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Version" = "1.1.1.1"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin\CLSID]
"(Default)" = "{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}"
[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\SkinTools]
"PlayerPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SkPlay.exe"
[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"
[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\TypeLib]
"(Default)" = "{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}"
[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\MarineAquarium3Free_57.HTMLMenu\CurVer]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu.1"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.FeedManager"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"57DlgHk.dll" = ""
[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\625"
[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\TypeLib]
"(Default)" = "{199350AF-34C3-496F-A764-F4BF91CF2835}"
[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1807"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"Policy" = "3"
[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\TypeLib]
"(Default)" = "{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"AppName" = "CrExtP57.exe"
[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"Policy" = "3"
[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PartnerPixelNotSet" = ""
[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"UninstallString" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe 57bar.dll,O uninstalltype=IE"
[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ScriptButton.1"
[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{dd4285fa-3345-4b73-92e5-4de464edc3b2}"
[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"
[HKCR\MarineAquarium3Free_57.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"UninstallFFString" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe 57bar.dll,O uninstalltype=FF"
[HKCR\MarineAquarium3Free_57.FeedManager.1\CLSID]
"(Default)" = "{f153e08e-19e7-4ece-bb2b-afe06394c6ea}"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}]
"(Default)" = "Popup Menu Plugin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"
[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\ProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{dd4285fa-3345-4b73-92e5-4de464edc3b2}]
"(Default)" = ""
[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\MiscStatus\1]
"(Default)" = "131473"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\TypeLib]
"(Default)" = "{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"lidate" = "2014-09-16T05:22:12Z"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\TypeLib]
"(Default)" = "{09e63ba3-09c7-4d20-9e4b-2ebad3be5b50}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}]
"(Default)" = "MarineAquarium3Free_57 HTML"
[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1506"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}]
"(Default)" = "IIEInstalledToolbars"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C0FD73B4-C692-4061-B36F-BC15B111314C}]
"(Default)" = ""
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"
[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll"
[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}]
"(Default)" = ""
[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.HTMLMenu.1]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"
[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Visible" = "1"
[HKCR\MarineAquarium3Free_57.SettingsPlugin.1\CLSID]
"(Default)" = "{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"
[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\TypeLib]
"(Default)" = "{199350AF-34C3-496F-A764-F4BF91CF2835}"
[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"au" = "1"
[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Description" = "Marine Aquarium Lite Plugin"
[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"
[HKCR\MarineAquarium3Free_57.ScriptButton\CurVer]
"(Default)" = "MarineAquarium3Free_57.ScriptButton.1"
[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\TypeLib]
"(Default)" = "{a29ba259-04a2-426b-949f-d486e674df9b}"
[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll"
[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\TypeLib]
"(Default)" = "{d458d0d1-08f3-4dc9-9c67-ade048ae0ef9}"
[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\TypeLib]
"Version" = "1.0"
[HKCR\MarineAquarium3Free_57.MultipleButton\CLSID]
"(Default)" = "{ad750e83-1c56-4196-90e3-e5a0f3c5421c}"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\ProgID]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin.1"
[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ScriptButton"
[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"
[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}]
"(Default)" = "HTMLPANEL_INTERFACE"
[HKCR\MarineAquarium3Free_57.HTMLPanel\CLSID]
"(Default)" = "{eda1dca1-c71d-46e7-b504-6cefd21ee60d}"
[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller\CurVer]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller.1"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"ToolbarGuard.dll" = ""
[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\MarineAquarium3Free_57.SettingsPlugin.1]
"(Default)" = ""
[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0]
"(Default)" = "TYPELIB_NAME"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"dir" = "%Program Files%\MarineAquarium3Free_57\bar\"
[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"AppName" = "57SrchMn.exe"
[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller\CLSID]
"(Default)" = "{dd4285fa-3345-4b73-92e5-4de464edc3b2}"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=780C9958&p2=^0D&ptb=D384F68F-2C0B-4FC8-9083-333ABE20BF2C"
[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}]
"(Default)" = "Marine Aquarium Lite"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"
[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}]
"(Default)" = "IDataCtrl"
[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\MiscStatus]
"(Default)" = "0"
[HKCR\MarineAquarium3Free_57.HTMLPanel\CurVer]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel.1"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\MarineAquarium3Free_57.ScriptButton.1]
"(Default)" = ""
[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\TypeLib]
"(Default)" = "{83783d62-ec4a-4cdd-acb3-b2a4bf184959}"
[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0]
"(Default)" = "Skin 1.0 Type Library"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"ua" = "0"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}]
"(Default)" = "BARFEED_INTERFACE"
[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\ProgID]
"(Default)" = "MarineAquarium3Free_57.MultipleButton.1"
[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel"
[HKCR\MarineAquarium3Free_57.MultipleButton\CurVer]
"(Default)" = "MarineAquarium3Free_57.MultipleButton.1"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\MarineAquarium3Free_57\bar\1.bin\57Bar.dll,O mindsparktoolbarkey=MarineAquarium3Free_57 uninstalltype=FF"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"Policy" = "3"
[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}]
"(Default)" = "IHttpControlEvents"
[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu"
[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}]
"(Default)" = "SKINWINDOW_INTERFACE"
[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"
[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.SettingsPlugin]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"AppName" = "57SlSrch.exe"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"AppName" = "AppIntegrator.exe"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"od" = "1"
[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"ok" = "1"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}]
"(Default)" = "ProtectorControl Class"
[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}]
"(Default)" = "IDisableAddonRebuttal"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"
[HKCR\MarineAquarium3Free_57.HTMLMenu]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"
[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}]
"(Default)" = "ITemplateBarButtonRect"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"
[HKCR\MarineAquarium3Free_57.ScriptButton.1\CLSID]
"(Default)" = "{94c67622-4e77-495a-9457-c8064c92a228}"
[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\405"
[HKCR\MarineAquarium3Free_57.ToolbarProtector\CurVer]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector.1"
[HKCR\MarineAquarium3Free_57.FeedManager\CurVer]
"(Default)" = "MarineAquarium3Free_57.FeedManager.1"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\ProgID]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\TypeLib]
"(Default)" = "{fb84548c-47c9-4323-820b-9e46b50e9947}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP57.exe" = "0"
[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"
[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\MARINE~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}]
"(Default)" = ""
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"pl" = "9"
[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"DisplayName" = "Marine Aquarium Lite Internet Explorer Toolbar"
[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"vendor" = "MarineAquarium3Free_57"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PID" = "^0D"
[HKCR\MarineAquarium3Free_57.MultipleButton.1\CLSID]
"(Default)" = "{ad750e83-1c56-4196-90e3-e5a0f3c5421c}"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\TypeLib]
"(Default)" = "{199350af-34c3-496f-a764-f4bf91cf2835}"
[HKCR\MarineAquarium3Free_57.MultipleButton.1]
"(Default)" = ""
[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1604"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector"
[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.SettingsPlugin\CurVer]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin.1"
[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"
[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"
[HKCR\MarineAquarium3Free_57.FeedManager\CLSID]
"(Default)" = "{f153e08e-19e7-4ece-bb2b-afe06394c6ea}"
[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"tiec" = "208976"
[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector.1"
[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}]
"(Default)" = "SKINSETTINGS_INTERFACE"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"Policy" = "3"
[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\MarineAquarium3Free_57\bar\1.bin\57Bar.dll,O mindsparktoolbarkey=MarineAquarium3Free_57 uninstalltype=IE"
[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\TypeLib]
"(Default)" = "{DBC4BE0B-800C-4075-9521-A9F6B00D6982}"
[HKCR\MarineAquarium3Free_57.HTMLPanel.1]
"(Default)" = "MarineAquarium3Free_57 HTML Panel"
[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}]
"(Default)" = "Toolbar BHO"
[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}]
"(Default)" = "IProtectorControl"
[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"sr" = "0"
[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}]
"(Default)" = "_IThirdPartyInstallerEvents"
[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}]
"(Default)" = "DataCtrl Class"
[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\MiscStatus]
"(Default)" = "0"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{327f75ed-061b-4339-8cc6-5dd45ad1396d}" = ""
[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1104"
[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}]
"(Default)" = "IThirdPartyInstaller"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller"
[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\TypeLib]
"(Default)" = "{FB84548C-47C9-4323-820B-9E46B50E9947}"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\TypeLib]
"(Default)" = "{A29BA259-04A2-426B-949F-D486E674DF9B}"
[HKCR\MarineAquarium3Free_57.FeedManager.1]
"(Default)" = ""
[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"
[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}]
"(Default)" = "ITemplateHTMLMenu"
[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.MultipleButton"
[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\MarineAquarium3Free_57.ScriptButton]
"(Default)" = ""
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PluginPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"HPG.dll" = ""
[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}]
"(Default)" = "IIEInstalledToolbar"
[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}]
"(Default)" = "_ITemplateBarSettingsEvents"
[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll"
[HKCR\MarineAquarium3Free_57.HTMLMenu\CLSID]
"(Default)" = "{C0FD73B4-C692-4061-B36F-BC15B111314C}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"
[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\626"
[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\TypeLib]
"(Default)" = "{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}]
"(Default)" = ""
[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}]
"(Default)" = ""
[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"
[HKCR\MarineAquarium3Free_57.ToolbarProtector.1\CLSID]
"(Default)" = "{3ca77147-e5a4-43ba-80b2-efa3245f8d88}"
[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nd" = "0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"AssistMonitor.dll" = ""
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"
[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}]
"(Default)" = "SEARCHSCOPE_INTERFACE"
[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\MarineAquarium3Free_57.ToolbarProtector\CLSID]
"(Default)" = "{3ca77147-e5a4-43ba-80b2-efa3245f8d88}"
[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"DeletedCustomizations" = "1"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nk" = "0"
[HKCR\MarineAquarium3Free_57.HTMLPanel]
"(Default)" = "MarineAquarium3Free_57 HTML Panel"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"
[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\MarineAquarium3Free_57.FeedManager]
"(Default)" = ""
[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\TypeLib]
"(Default)" = "{DBC4BE0B-800C-4075-9521-A9F6B00D6982}"
[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"
[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"
[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]
"(Default)" = "Search Assistant BHO"
[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}]
"(Default)" = "ITemplateBarSettings"
[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"AppName" = "57SkPlay.exe"
[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\905"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\MarineAquarium3Free_57.MultipleButton]
"(Default)" = ""
[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll"
[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\TypeLib]
"(Default)" = "{FB84548C-47C9-4323-820B-9E46B50E9947}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Build" = "102.46985"
[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"
[HKCR\MarineAquarium3Free_57.HTMLMenu.1\CLSID]
"(Default)" = "{C0FD73B4-C692-4061-B36F-BC15B111314C}"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll"
[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}]
"(Default)" = ""
[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}]
"(Default)" = "POPUPMENU_INTERFACE"
[HKCR\MarineAquarium3Free_57.HTMLPanel.1\CLSID]
"(Default)" = "{eda1dca1-c71d-46e7-b504-6cefd21ee60d}"
[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"oldhpp" = "0"
[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"
[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}\InprocServer32]
"(Default)" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 62 C1 80 44 8E 7F 81 D9 AB BC DC 81 2C 55 EC"
[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"CurInstall" = "1"
[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller.1]
"(Default)" = "Marine Aquarium Lite Third Party Installer"
[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\TypeLib]
"(Default)" = "{2f868090-a282-4c80-ac30-f743c9becadf}"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Path" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\NP57Stub.dll"
[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}]
"(Default)" = "IHttpControl"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"hpp" = "0"
[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin\MimeTypes\application/x-marineaquarium3free_57plugin]
"Description" = "Marine Aquarium Lite Plugin"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"RegisteredWithFirefox" = "1"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"57SrcAs.dll" = ""
[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{07189b84-b33b-4a1e-9b32-ad203c983c20}" = ""
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\ProgID]
"(Default)" = "MarineAquarium3Free_57.FeedManager.1"
[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller]
"(Default)" = "Marine Aquarium Lite Third Party Installer"
[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"
[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"57SrcAs.dll" = "0"
[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL"
[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}]
"(Default)" = "ITemplatePopupMenu"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1406"
[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"
[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"
[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"ID" = "D384F68F-2C0B-4FC8-9083-333ABE20BF2C"
[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}]
"(Default)" = "Disable Addon Rebuttal Control"
[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}]
"(Default)" = ""
[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"
[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}]
"(Default)" = ""
[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"SettingsDir" = "%Program Files%\MarineAquarium3Free_57\bar\Settings\"
[HKCR\MarineAquarium3Free_57.SettingsPlugin\CLSID]
"(Default)" = "{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"Policy" = "3"
[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\100"
[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"
[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}]
"(Default)" = "_IDataCtrlEvents"
[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]
"(Default)" = ""
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite Search Scope Monitor" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57srchmn.exe /m=2 /w /h"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074d3229-0a22-491b-b9dd-ff3171d75f25}]
"(Default)" = ""
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite AppIntegrator 32-bit" = "C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe"
"Marine Aquarium Lite" = "rundll32 C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll,S"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"pid2"
"ConfigDateStamp"
"un"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite Search Scope Monitor"
The process 57HighIn.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 93 34 0F B0 AB 01 CD E6 E0 19 3E 97 49 DA 54"
The process MALiteSetup.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 64 EB 55 A0 A8 DE FF E9 88 86 10 16 AA CD 5E"
The process 57barsvc.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 C5 64 58 82 98 28 DA 94 8F 0F D1 68 4A 24 DD"
The process 57barsvc.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 11 B9 06 01 A6 8C 11 FB 70 B7 1A 38 29 D2 E3"
The process 57barsvc.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 57 8C 9F 0B 4C 5A B6 E1 2A C3 0A FC 7C 82 E5"
The process %original file name%.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 A6 F6 2C 01 C5 80 8C 59 E3 D2 83 A6 1D 42 61"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nodns" = "0"
"ffTabs" = "0"
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"OToIData" = "001"
[HKCU\Software\MarineAquarium3Free_57\Events\EventData]
"00000000_5" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"OToIData"
The process AppIntegrator.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 4E 18 C9 62 23 BB 85 FC 85 97 BF 70 52 08 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process irsetup.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayName" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"UninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 6B 76 FD AF F4 4E 9C 70 4C 7C 12 B4 AC E8 09"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 313460fa38c68768ec6bd38f795c4636 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57Plugin.dll |
| 779662595f6b51bb86f96eccc230f13c | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll |
| 3c93215de9cc97c60b1892ad8dbe4411 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe |
| 21ae5618ae49640455d80de92a741ec7 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57bar.dll |
| b3dae11b5316528e6853a94d39e141e3 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57barsvc.exe |
| af8c7080961317cac447e67700994ca4 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll |
| 6953cf1fd63ee9198a5fb6c365e0945d | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57datact.dll |
| 80f1bbb9dda5d7d20358a89a28a5f251 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll |
| 920dcbae5836293e750eb01db436f26e | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57dlghk64.dll |
| 69b288297ea754cea5b71956c023a7e7 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll |
| 1c86678ebf794d7c48ac6e2a663d4d46 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57highin.exe |
| 259b188c17120d2ef9d18157e6f48919 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57hkstub.dll |
| 3277a89130679dae008092ccdd41e38c | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll |
| 27133aaae9b940a1b3a9944ffbf18c06 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57httpct.dll |
| 913a5f893b78b675cd44dc717e89c4ec | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57idle.dll |
| df5ce0e2d96d747ed9fd82d6128cd393 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57medint.exe |
| 76cfb8166a80ffbfc4a06aecd34b6225 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll |
| 6d305157b71047492823aa863084f088 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57regfft.dll |
| d2afbb79efdb9acea481fc2e6b79d67d | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57reghk.dll |
| 24f53c8a074e9e032d8547fe1e159346 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57regiet.dll |
| 5d08b5c3cc87b48281dddd12216b6e22 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57script.dll |
| fedb7ed64a20fc2aaa6c09869e3b0998 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57skin.dll |
| 96f758be1ee0d60e164b22b797e6eec8 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57skplay.exe |
| 29e27800a11bbaa06e857da4bde64eec | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57srchmr.dll |
| cf0646bb879911192c833e314e0afc57 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll |
| b6940fe9d6fc34ef59f1028ae6018fe1 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATOR.EXE |
| cc497b6397bf8e3cf1550df4b9cee39b | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATORSTUB.DLL |
| 28df17d03fb2cc24b06d9a56be8701ec | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR.DLL |
| e8bcea8410248511f0cff7530297d4b0 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR64.DLL |
| 143d634f4f93155d3a4d430c2cf60d11 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\AppIntegrator64.exe |
| dbf0a4be10e5a7a5815845a3394f5ec7 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\AppIntegratorStub64.dll |
| 43ad3c8b42d0e87d0e61e94602e50f37 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\CREXT.DLL |
| 92bac85f49bbd97e53fd94fac848736d | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\CrExtP57.exe |
| b61deef118eb941a8063e6d2ad31415a | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL |
| a36c8e9a6cdca2c18cb2e550562cd882 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\FF-NativeMessagingDispatcher.dll |
| 2f738b52cab5a1722ba7d250c24fbf4c | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\HKFXMGR.DLL |
| 12561f359a0665b4ef531a06b42e1178 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\HKFXMGR64.DLL |
| 211572b1a80337431576521c82bf0ab6 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\HPG.DLL |
| 3e2dafd1255ee62ffab9a00f926c1f0a | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\Hpg64.dll |
| af689b0f09dde27d1a50d7a2963eafae | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8EPMSUP.DLL |
| 85aa773c5b3fe1b2fc4db60bfcb0e6f9 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8EXTEX.DLL |
| 64d6eb8eb2882837bc4f29ce02e1a6f9 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8EXTPEX.DLL |
| b1dd705f66a0aac955be5b5003d87852 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL |
| ee0e74eaf8cf98d23d0f281d74f2e0d2 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8RES.DLL |
| 7dca62cf49f4f29fb2a4002bf9a3a17c | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\T8TICKER.DLL |
| 8199bfbaf45163fc6ac4a3360fe239c3 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD.DLL |
| 7aaf4b9657c26a93da0e6e2d5ba11372 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD64.DLL |
| 4711f1264df5fd7a7e0fcf04b946652c | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\TPIMANAGERCONSOLE.EXE |
| d245830ad93d799bbca6dc055045d8c0 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\VERIFY.DLL |
| b0ffe041fb0c9fb55e1fc9394354d459 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL |
| 649fba6a4b539b295f19e736a311101d | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL |
| 12bc7c0af14464243f5794a4a06f537f | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE |
| f26bd34edd1beacc23aa126de231cac1 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER.DLL |
| b3d3b34968fb171bb79c20123a455ac9 | c:\Program Files\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER64.DLL |
| aa9a671de609ea1df67bff830612e120 | c:\Program Files\SereneScreen\Marine Aquarium Lite\unins000.exe |
| 0a019d7541cb33bd9b88d6e95e4d07e6 | c:\WINDOWS\system32\MarineAquariumLite.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
57srchmn.exe:1556
MALiteSetup.tmp:252
TPIManagerConsole.exe:364
{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500
00000294T8SETUP.EXE:1276
57HighIn.exe:1900
MALiteSetup.exe:160
57barsvc.exe:1284
57barsvc.exe:1016
57barsvc.exe:1564
%original file name%.exe:660
irsetup.exe:1968 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.dat (2064 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-AN6HM.tmp (7150 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium on the Web.lnk (981 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\www.SereneScreen.com.url (310 bytes)
%System%\is-0I46C.tmp (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-IABLG.tmp (195 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BO418.tmp (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Documents and Settings%\%current user%\Desktop\SereneScreen Marine Aquarium Lite.lnk (688 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BVAE0.tmp (35 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\Prolific Publishing on the Web.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L4Z4NAVX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (136 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (1495258 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9AB3MJ6C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VO9Z1ANT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDL92Q1D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll (145 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll (144 bytes)
%System%\config (200 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\MarineAquarium3Free_57\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CrExtP57.exe (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57medint.exe (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57hkstub.dll (59 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk64.dll (147 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57srchmr.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll (179 bytes)
%System%\config\SOFTWARE.LOG (42313 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regfft.dll (85 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57barsvc.exe (90 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll (214 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57idle.dll (62 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8TICKER.DLL (171 bytes)
%System%\config\system (2812 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57Plugin.dll (83 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6408 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll (98 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\MarineAquarium3Free_57\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll (171 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regiet.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll (104 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skplay.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll (151 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%System%\config\software (34218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\chrome\57ffxtbr.jar (1829 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll (212 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe (13 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\VERIFY.DLL (70 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57reghk.dll (80 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (3790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (188805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MarineAquarium Setup Log.txt (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (33812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite Search Scope Monitor" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57srchmn.exe /m=2 /w /h"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite AppIntegrator 32-bit" = "C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite" = "rundll32 C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll,S" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Marine Aquarium Lite
Product Name: Marine Aquarium Lite
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 57Setup.exe
Internal Name: 57Setup
File Version: 2, 0, 5, 6
File Description: Marine Aquarium Lite
Comments:
Language: English (United States)
Company Name: Marine Aquarium LiteProduct Name: Marine Aquarium LiteProduct Version: 2, 0, 5, 6Legal Copyright: Copyright (c) 2009 - 2014Legal Trademarks: Original Filename: 57Setup.exeInternal Name: 57SetupFile Version: 2, 0, 5, 6File Description: Marine Aquarium LiteComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7790 | 8192 | 4.27339 | e28848bc1d5d86f7e6683c7388b6f4e3 |
| .rdata | 12288 | 8748 | 12288 | 1.8146 | 54d4345e14337da28a15cecee7310cba |
| .data | 24576 | 2126 | 4096 | 1.25261 | bd3b98bd12a6d75e5000fdd5f5af2920 |
| .rsrc | 28672 | 5786104 | 5787648 | 5.38401 | 1f30ac8c1424c02bb062b24a9ea9ba4b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://a1255.g.akamai.net/images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe | |
| hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
| hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
| hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl | |
| hxxp://ak.imgfarm.com/images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe | 205.237.69.73 |
| hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.9.117.163 |
| hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.9.117.163 |
| hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.9.117.163 |
| hxxp://crl.verisign.com/pca3-g5.crl | 23.9.117.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "dad74562eea63e24f12699a6f02c517d:1403752510"
Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Tue, 16 Sep 2014 05:22:54 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140617000000Z..140930235959Z0...*.H.............Z.....{.......iV}.pm@..]...q....MT.....c.......[....?....zZ.....,. P.~........*.'.....,......Y..!..s$..;.v..y<.................gf.? ...9#...........O"5u....q1`.H....3...>.....l9g.X..i7.b.N]..<....@....j.IO..V.oU_v2X....kf.q.......oq.j.e?v..o.l..Y.......!..HTTP/1.1 200 OK..Server: Apache..ETag: "dad74562eea63e24f12699a6f02c517d:1403752510"..Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT..Accept-Ranges: bytes..Content-Length: 533..Date: Tue, 16 Sep 2014 05:22:54 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140617000000Z..140930235959Z0...*.H.............Z.....{.......iV}.pm@..]...q....MT.....c.......[....?....zZ.....,. P.~........*.'.....,......Y..!..s$..;.v..y<.................gf.? ...9#...........O"5u....q1`.H....3...>.....l9g.X..i7.b.N]..<....@....j.IO..V.oU_v2X....kf.q.......oq.j.e?v..o.l..Y.......!....
<<< skipped >>>
GET /images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.imgfarm.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 14 Jan 2014 15:45:22 GMT
ETag: "1254474-542f68-4eff0148856a8"
Accept-Ranges: bytes
Content-Length: 5517160
Cache-Control: max-age=296421497
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Tue, 16 Sep 2014 05:22:42 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L......R.................X...........).......p....@..........................P......ggT...@.................................<...d........n............T.`....0..........................................@............p..x............................text....W.......X.................. ..`.rdata.......p...0...\..............@..@.data...h...........................@....rsrc....n.......p..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................U...X......... .@.3..E.SVW.}.3.h....S....@...dq@.P..hq@........`........V......SP.......Pp@....W..;.}.W......P...p@.3.h..........WP..............9=..@.......3.F...@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P.....u>.......6......P.....~(......:u....~....P......P......P........j.h.q@.j.......PVj....p@....u..5..@.G;=..@...O.................F...1w........u.j.h.q@.......Pj...lq@........u....M._..^3.[.........V..W3.h..........WP...q@...0.....8.....<.....@.....D....A..............H
<<< skipped >>>
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "aec0b5c56b604d702a55dde13a8fa0c1:1410815112"
Last-Modified: Mon, 15 Sep 2014 21:05:12 GMT
Date: Tue, 16 Sep 2014 05:22:54 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0....0.......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..140915210003Z..140929210003Z0....0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@.....
<<< skipped >>>
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "93e608fe017e91051dfab6a332933d77:1410815792"
Last-Modified: Mon, 15 Sep 2014 21:16:32 GMT
Date: Tue, 16 Sep 2014 05:22:56 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..140915210111Z..140925210111Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......E0...*.H.............=...=&..l........#.Q...... ...S..............b.........o'.h/.C..O.......(M.....*.2..3...bf..A.)i...Y.j.g{..(.J...u.8.,.6.`..@. ...P..3..[....Z... .... .k.gw.I&b..}R./!#]...y......!A...^.......v..*....
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"
Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT
Accept-Ranges: bytes
Content-Length: 341
Date: Tue, 16 Sep 2014 05:22:56 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140617000000Z..140930235959Z0...*.H...............pe..y.....$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.j}......Z.&.]V.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..kHTTP/1.1 200 OK..Server: Apache..ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"..Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT..Accept-Ranges: bytes..Content-Length: 341..Date: Tue, 16 Sep 2014 05:22:56 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140617000000Z..140930235959Z0...*.H...............pe..y.....$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.j}......Z.&.]V.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..k..
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
57HighIn.exe_1900:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHLWAPI.dll
SHLWAPI.dll
KERNEL32.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\t8HighIn.pdb
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\t8HighIn.pdb
1.0.7.205
1.0.7.205
t8HighIn.exe
t8HighIn.exe
2.5.15.0
2.5.15.0
AppIntegrator.exe_1088:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
operator
operator
GetProcessWindowStation
GetProcessWindowStation
SHELL32.dll
SHELL32.dll
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
MaxPolicyElementKey
MaxPolicyElementKey
AppIntegrator.cpp
AppIntegrator.cpp
IAC::AppIntegrator::Application::SetupWindowsHook
IAC::AppIntegrator::Application::SetupWindowsHook
C Exception thrown in %s: %s
C Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
Unknown exception thrown in %s
RegOpenKeyTransactedW
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\AppIntegrator.pdb
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExW
SetWindowsHookExW
UnhookWindowsHookEx
UnhookWindowsHookEx
USER32.dll
USER32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCloseUSKey
SHRegCreateUSKeyW
SHRegCreateUSKeyW
SHLWAPI.dll
SHLWAPI.dll
USERENV.dll
USERENV.dll
VERSION.dll
VERSION.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
AppIntegrator.exe
AppIntegrator.exe
zcÃ
zcÃ
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
3 3$3(34383
3 3$3(34383
2$2
2$2
6,686@6`6
6,686@6`6
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
KERNEL32.DLL
KERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
ieframe.dll
ieframe.dll
Already running! %s
Already running! %s
The %s event cannot be created (%u)
The %s event cannot be created (%u)
\AppIntegratorStub.dll
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling GetProcAddress %u
Error calling SetWindowsHookEx %u
Error calling SetWindowsHookEx %u
Failed to enable heap terminate-on-corruption with LastError %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: %S
Error: 0x%0x
Error: 0x%0x
TraceLogUnitTest.exe
TraceLogUnitTest.exe
TraceLog.cfg
TraceLog.cfg
).csv
).csv
\StringFileInfo\XX\OriginalFilename
\StringFileInfo\XX\OriginalFilename
@t8res.dll
@t8res.dll
Advapi32.dll
Advapi32.dll
C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\MARINE~1\bar\1.bin
C:\PROGRA~1\MARINE~1\bar\1.bin
@C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe
@C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe
1.0.7.205
1.0.7.205
2.5.15.0
2.5.15.0