Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 610b0d6f05a298d3609a82606a4809a0
SHA1: a3b0c4770b278b64fd5bb08e7c446a3873128d04
SHA256: ccbfaaefc94857266f1114edc95f6f1e91caef9ddb70fed10912499e848f9430
SSDeep: 98304:Z/LJpvkvEqQJPoR/J2EwRm41fRJBFAuXmzQMVGMFkF yDHuC725m:5LvfqQ R/wEH4FRJBFfXcQO4 yLu6
Size: 5822864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: PopularScreensavers
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
7isrchmn.exe:1112
TPIManagerConsole.exe:1252
%original file name%.exe:632
7ibarsvc.exe:556
7ibarsvc.exe:1280
7ibarsvc.exe:1332
00000278T8SETUP.EXE:848
irsetup.exe:484
{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396
7iHighIn.exe:1524
The Trojan injects its code into the following process(es):
AppIntegrator.exe:1532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process TPIManagerConsole.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (649558 bytes)
The Trojan deletes the following file(s):
%Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (0 bytes)
The process %original file name%.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (188805 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (0 bytes)
The process 00000278T8SETUP.EXE:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregiet.dll (87 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll (83 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll (98 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll (214 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%System%\config (200 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL (202 bytes)
%System%\config\system (3777 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll (144 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe (13 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe (90 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll (104 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll (145 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll (87 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregfft.dll (85 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll (171 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\PopularScreensavers_7i\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe (5442 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\chrome\7iffxtbr.jar (1829 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll (147 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll (212 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll (121 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll (121 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6744 bytes)
%Program Files%\PopularScreensavers_7i\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\PopularScreensavers_7i\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskplay.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%System%\config\SOFTWARE.LOG (40617 bytes)
%System%\config\software (35872 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iidle.dll (62 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll (5442 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll (179 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imedint.exe (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll (151 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll (59 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ireghk.dll (80 bytes)
The process irsetup.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PopularScreensavers\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Plugin.dll (60 bytes)
%Program Files%\PopularScreensavers\p5svc.exe (35 bytes)
%Program Files%\PopularScreensavers\uninstall.exe (9213 bytes)
%Program Files%\PopularScreensavers\p5BkgErr.jpg (2192 bytes)
%Program Files%\PopularScreensavers\Uninstall\uni1.tmp (9314 bytes)
%Program Files%\PopularScreensavers\p5wphook.dll (31 bytes)
%Program Files%\PopularScreensavers\p5ScrCtr.dll (3997 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.xml (828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\PopularScreensavers\p5MedInt.exe (23 bytes)
%Program Files%\PopularScreensavers\lua5.1.dll (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Popular Screensavers Setup Log.txt (336 bytes)
%Program Files%\PopularScreensavers\p5wallpp.dat (305 bytes)
%System%\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Html.dll (1137 bytes)
%Program Files%\PopularScreensavers\p5cjpeg.dll (2079 bytes)
%Program Files%\PopularScreensavers\p5spacer.wmv (5 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.dat (2104 bytes)
%Program Files%\PopularScreensavers\NPp5Stub.dll (31 bytes)
The Trojan deletes the following file(s):
%Program Files%\PopularScreensavers\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
The process {12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
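The file-activity blocks above follow a fixed shape: a per-process header, a "creates and/or writes" list and a "deletes" list of "<path> (<n> bytes)" entries. The script below is an added example and is not part of the Lavasoft report; it parses that shape, expands the report's path placeholders with assumed Windows XP defaults (user name "Administrator"), and flags the three things an analyst checks first in a dump like this one: an executable or screensaver dropped into the system directory, an executable staged in the user's Temp folder, and files a process writes and then deletes (the nested-installer pattern this report shows for 00000278T8SETUP.EXE and irsetup.exe). The sample lines are constructed from entries in this report; the rule names are this example's own.

```python
"""Triage the file-activity section of a sandbox report (added example)."""
import re

# Assumed expansions for the report's placeholders (XP SP3, user "Administrator").
PLACEHOLDERS = {
    "%Program Files%": "C:\\Program Files",
    "%Documents and Settings%": "C:\\Documents and Settings",
    "%current user%": "Administrator",
    "%System%": "C:\\WINDOWS\\system32",
    "%original file name%": "sample",
}
EXEC_EXT = (".exe", ".dll", ".scr")

PROCESS_RE = re.compile(r"^The process (.+) makes changes in the file system\.$")
ENTRY_RE = re.compile(r"^(.+?) \((\d+) bytes\)$")
WRITE_HDR = "The Trojan creates and/or writes to the following file(s):"
DELETE_HDR = "The Trojan deletes the following file(s):"

# Constructed sample: a subset of the entries listed in this report.
SAMPLE = r"""
The process %original file name%.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (188805 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (0 bytes)
The process irsetup.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\PopularScreensavers\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\lua5.1.dll (2902 bytes)
%System%\p5PSSavr.scr (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
"""


def expand(path):
    """Replace the report's placeholders with the assumed real paths."""
    for placeholder, real in PLACEHOLDERS.items():
        path = path.replace(placeholder, real)
    return path


def parse_file_activity(text):
    """Return {process: {"written": {path: size}, "deleted": {path, ...}}}."""
    activity, proc, mode = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            proc = expand(m.group(1))
            activity.setdefault(proc, {"written": {}, "deleted": set()})
            mode = None
            continue
        if line == WRITE_HDR:
            mode = "written"
            continue
        if line == DELETE_HDR:
            mode = "deleted"
            continue
        m = ENTRY_RE.match(line)
        if m and proc and mode:
            path, size = expand(m.group(1)), int(m.group(2))
            if mode == "written":
                activity[proc]["written"][path] = size
            else:
                activity[proc]["deleted"].add(path)
    return activity


def triage(activity):
    """Return (process, rule, path) findings; the rule names are this example's own."""
    findings = []
    system_dir = PLACEHOLDERS["%System%"].lower()
    for proc, acts in activity.items():
        for path in sorted(acts["written"]):
            low = path.lower()
            if low.startswith(system_dir) and low.endswith(EXEC_EXT):
                findings.append((proc, "exec_in_system_dir", path))
            elif "\\local settings\\temp\\" in low and low.endswith(EXEC_EXT):
                findings.append((proc, "exec_staged_in_temp", path))
        # Written and deleted by the same process: a staged, self-cleaning installer.
        for path in sorted(set(acts["written"]) & acts["deleted"]):
            findings.append((proc, "write_then_delete", path))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_file_activity(SAMPLE)):
        print(finding)
```

On the sample this yields four findings: the .scr copied into %System% by irsetup.exe, the setup executable staged in Temp by the original sample, and the write-then-delete pairs for both 00000278T8SETUP files. Feed it the whole file-activity section to get the same view for every process in the report.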
Registry activity
The process 7isrchmn.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 B4 6B C8 77 D5 93 DF 88 32 71 D6 04 D1 92 49"
The process TPIManagerConsole.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"FriendlyName" = "PopularScreensavers Helper Software"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"is64bit" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies]
"dependencymanagerpath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 29 C8 8A 55 0A AD 6F 14 B3 92 5B 45 F8 6E 27"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"uninstall" = "1"
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\PopularScreensavers\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\PopularScreensavers\Uninstall\uninstall.xml"
The Trojan changes the IE security-zone map so that all network paths (UNCs) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan changes the IE security-zone map so that all sites that bypass the proxy server are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan changes the IE security-zone map so that all local (intranet) sites not listed in other zones are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A C4 08 DC 5F 2B 63 D1 92 25 97 70 7E CF F1 62"
[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_6" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"OToIData" = "001"
[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_7" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ffTabs" = "0"
"nodns" = "0"
[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_5" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"OToIData"
The process 7ibarsvc.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 0A 02 13 4F 1F 3E F3 69 4C CA A5 6B D6 C3 3A"
The process 7ibarsvc.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CC 77 EE 36 72 72 DB 48 AB 27 1C BD 0F 69 48"
The process 7ibarsvc.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 64 8C 81 EF A1 9B EF 34 21 A4 55 DF 1E E2 43"
The process AppIntegrator.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 FD 5B 83 B9 58 4D 8E B4 41 F2 BD 62 3F E8 8B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process 00000278T8SETUP.EXE:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"
[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"AssistMonitor.dll" = ""
[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f339a07f-9578-412d-85e0-b8a80277151a}" = ""
[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\TypeLib]
"(Default)" = "{fd4d02f2-ea24-4809-b0b6-805031110e8c}"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"Policy" = "3"
[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\PopularScreensavers_7i.ThirdPartyInstaller]
"(Default)" = "PopularScreensavers Third Party Installer"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"
[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}]
"(Default)" = "ITemplateBarMenu"
[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}]
"(Default)" = "IIEInstalledToolbar"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}]
"(Default)" = "PopularScreensavers_7i HTML"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\TypeLib]
"(Default)" = "{32416a28-daa5-4ee2-a5a1-6e9cb952c19d}"
[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\PopularScreensavers_7i\bar\1.bin\7iBar.dll,O mindsparktoolbarkey=PopularScreensavers_7i uninstalltype=FF"
[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin"
[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}]
"(Default)" = "SKINSETTINGS_INTERFACE"
[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"
[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKCR\PopularScreensavers_7i.ScriptButton.1\CLSID]
"(Default)" = "{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}"
[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PID" = "^ZR"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Version" = "1.1.1.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}]
"(Default)" = "IDataCtrl"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\TypeLib]
"(Default)" = "{9e4d1125-cc72-42e5-82bd-de141214c313}"
[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"ToolbarGuard.dll" = ""
[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}\InprocServer32]
"(Default)" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll"
[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}]
"(Default)" = "ITemplateBarControl"
[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}]
"(Default)" = ""
[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\TypeLib]
"(Default)" = "{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}"
[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\PopularScreensavers_7i.ToolbarProtector\CurVer]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector.1"
[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\TypeLib]
"(Default)" = "{46A5C277-35A6-4C87-A0D2-D34D30D5A363}"
[HKCR\PopularScreensavers_7i.ThirdPartyInstaller\CLSID]
"(Default)" = "{17b0b148-1491-4668-ad7d-1f39972e03e5}"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}]
"(Default)" = "IHttpControl"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"Build" = "103.35314"
"CurInstall" = "1"
"Maximized" = "1"
[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\905"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c5b17a30-3a2b-444e-852d-74abb98cf48a}]
"(Default)" = ""
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"hpp" = "0"
[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"Policy" = "3"
[HKCR\PopularScreensavers_7i.HTMLPanel.1\CLSID]
"(Default)" = "{406463e6-91b4-4bbe-8182-e41fdca2b2b3}"
[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.SettingsPlugin]
"(Default)" = ""
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"dir" = "%Program Files%\PopularScreensavers_7i\bar\"
[HKCR\PopularScreensavers_7i.SettingsPlugin\CLSID]
"(Default)" = "{c5b17a30-3a2b-444e-852d-74abb98cf48a}"
[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\TypeLib]
"Version" = "1.0"
[HKCR\PopularScreensavers_7i.ThirdPartyInstaller\CurVer]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller.1"
[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1807"
[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}]
"(Default)" = "_ITemplateBarSettingsEvents"
[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\TypeLib]
"(Default)" = "{61588674-DE5D-416E-8F66-7AA6128A3669}"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll"
[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1104"
[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1406"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ok" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"DisplayName" = "PopularScreensavers Internet Explorer Toolbar"
[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}]
"(Default)" = "ISessionData"
[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PartnerPixelNotSet" = ""
[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}]
"(Default)" = "DataCtrl Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"
"pl" = "9"
[HKCR\PopularScreensavers_7i.SettingsPlugin\CurVer]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin.1"
[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"
[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector"
[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\ProgID]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector.1"
[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\ProgID]
"(Default)" = "PopularScreensavers_7i.HTMLMenu.1"
[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll"
[HKCR\PopularScreensavers_7i.SettingsPlugin.1\CLSID]
"(Default)" = "{c5b17a30-3a2b-444e-852d-74abb98cf48a}"
[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\TypeLib]
"(Default)" = "{679dd02b-bfd7-439d-adff-20d7ed92ffd4}"
[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll"
[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}]
"(Default)" = "IThirdPartyInstaller"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"Policy" = "3"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"AppName" = "7iSlSrch.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Description" = "PopularScreensavers Plugin"
[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\TypeLib]
"Version" = "1.0"
[HKCR\PopularScreensavers_7i.HTMLPanel\CLSID]
"(Default)" = "{406463e6-91b4-4bbe-8182-e41fdca2b2b3}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"Policy" = "3"
[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0]
"(Default)" = "Skin 1.0 Type Library"
[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"ID" = "E70B1C4A-B554-42BA-AA6B-C13DAB894AE1"
[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\TypeLib]
"(Default)" = "{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7f9bad37-202c-468d-a046-ebdef588616d}]
"(Default)" = ""
[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.HTMLMenu"
[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"
[HKCR\PopularScreensavers_7i.FeedManager\CurVer]
"(Default)" = "PopularScreensavers_7i.FeedManager.1"
[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\TypeLib]
"(Default)" = "{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}"
[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}]
"(Default)" = "ProtectorControl Class"
[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"
[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin"
[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{7f9bad37-202c-468d-a046-ebdef588616d}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"AppName" = "7imedint.exe"
[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]
"(Default)" = "Search Assistant BHO"
[HKCR\PopularScreensavers_7i.MultipleButton]
"(Default)" = ""
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}]
"(Default)" = "Pseudo Transparent Plugin"
[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}]
"(Default)" = "PopularScreensavers_7i HTML Menu"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"DeletedCustomizations" = "1"
[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"HPG.dll" = ""
[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.MultipleButton\CLSID]
"(Default)" = "{5c0a85b9-3980-475d-aa36-ea2ef138ec04}"
[HKCR\PopularScreensavers_7i.ToolbarProtector.1\CLSID]
"(Default)" = "{bfc81c68-2bbe-492d-b60e-c104cf4896ac}"
[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\ProgID]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller.1"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}]
"(Default)" = "Toolbar BHO"
[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"UninstallString" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe 7ibar.dll,O uninstalltype=IE"
[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.MultipleButton.1\CLSID]
"(Default)" = "{5c0a85b9-3980-475d-aa36-ea2ef138ec04}"
[HKCR\PopularScreensavers_7i.ToolbarProtector\CLSID]
"(Default)" = "{bfc81c68-2bbe-492d-b60e-c104cf4896ac}"
[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\PopularScreensavers_7i.FeedManager\CLSID]
"(Default)" = "{96d0c95f-bfe7-430e-a406-d8e2d33fee48}"
[HKCR\PopularScreensavers_7i.HTMLMenu]
"(Default)" = "PopularScreensavers_7i HTML Menu"
[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ScriptButton"
[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}]
"(Default)" = "SEARCHSCOPE_INTERFACE"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.FeedManager"
[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
[HKCR\PopularScreensavers_7i.ScriptButton.1]
"(Default)" = ""
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0953a3a2-9223-4990-a1c9-efb4d4686ef2}" = ""
[HKCR\PopularScreensavers_7i.ScriptButton]
"(Default)" = ""
[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\TypeLib]
"(Default)" = "{46A5C277-35A6-4C87-A0D2-D34D30D5A363}"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}]
"(Default)" = ""
[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PluginPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\"
"SettingsDir" = "%Program Files%\PopularScreensavers_7i\bar\Settings\"
[HKCR\PopularScreensavers_7i.HTMLMenu.1\CLSID]
"(Default)" = "{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}"
[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\TypeLib]
"(Default)" = "{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\ProgID]
"(Default)" = "PopularScreensavers_7i.FeedManager.1"
[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"
[HKCR\PopularScreensavers_7i.ScriptButton\CurVer]
"(Default)" = "PopularScreensavers_7i.ScriptButton.1"
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Path" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\NP7iStub.dll"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"nd" = "0"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}]
"(Default)" = "PopularScreensavers Third Party Installer"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"nk" = "0"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"AppName" = "7iSrchMn.exe"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"Policy" = "3"
[HKCR\PopularScreensavers_7i.ThirdPartyInstaller.1]
"(Default)" = "PopularScreensavers Third Party Installer"
[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin\CLSID]
"(Default)" = "{7f9bad37-202c-468d-a046-ebdef588616d}"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"(Default)" = "Skin Settings"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"AppName" = "AppIntegrator.exe"
[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"AppName" = "CrExtP7i.exe"
[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll"
[HKCR\PopularScreensavers_7i.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{17b0b148-1491-4668-ad7d-1f39972e03e5}"
[HKCR\PopularScreensavers_7i.SettingsPlugin.1]
"(Default)" = ""
[HKCR\PopularScreensavers_7i.HTMLMenu.1]
"(Default)" = "PopularScreensavers_7i HTML Menu"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"au" = "1"
[HKCR\PopularScreensavers_7i.ToolbarProtector]
"(Default)" = "ProtectorControl Class"
[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"
[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\ProgID]
"(Default)" = "PopularScreensavers_7i.MultipleButton.1"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"
[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.MultipleButton\CurVer]
"(Default)" = "PopularScreensavers_7i.MultipleButton.1"
[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll"
[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\405"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\ProgID]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin.1"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}]
"(Default)" = "BARFEED_INTERFACE"
[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\TypeLib]
"(Default)" = "{bbb1a756-c3a5-42cf-8fa3-ba0bd4c6f386}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"Visible" = "1"
[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.MultipleButton"
[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\TypeLib]
"(Default)" = "{46a5c277-35a6-4c87-a0d2-d34d30d5a363}"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller"
[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\TypeLib]
"(Default)" = "{FD4D02F2-EA24-4809-B0B6-805031110E8C}"
[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\TypeLib]
"(Default)" = "{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"7iSrcAs.dll" = ""
[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\TypeLib]
"(Default)" = "{61588674-DE5D-416E-8F66-7AA6128A3669}"
[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll"
[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\625"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"Policy" = "3"
[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"7iDlgHk.dll" = ""
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\ProgID]
"(Default)" = "PopularScreensavers_7i.HTMLPanel.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"un" = "PopularScreensavers"
[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}]
"(Default)" = "Disable Addon Rebuttal Control"
[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP7i.exe" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\POPULA~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"AppName" = "7iSkPlay.exe"
[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}]
"(Default)" = "SKINWINDOW_INTERFACE"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"od" = "1"
[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}]
"(Default)" = "_IThirdPartyInstallerEvents"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"sr" = "0"
[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.MultipleButton.1]
"(Default)" = ""
[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}]
"(Default)" = "ITemplateBarButtonRect"
[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}]
"(Default)" = "ITemplateBarSettings"
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin\MimeTypes\application/x-popularscreensavers_7iplugin]
"Suffixes" = "7i"
[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll"
[HKLM\SOFTWARE\PopularScreensavers_7i\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.HTMLPanel"
[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}]
"(Default)" = "HttpControl Class"
[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"lidate" = "2014-09-10T00:19:49Z"
[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}]
"(Default)" = "IProtectorControl"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}]
"(Default)" = ""
[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}]
"(Default)" = "POPUPMENU_INTERFACE"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\ProgID]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin.1"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"tiec" = "208976"
[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=780C96FB&p2=^ZR&ptb=E70B1C4A-B554-42BA-AA6B-C13DAB894AE1"
"RegHookPath" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7ireghk"
[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}]
"(Default)" = "IIEInstalledToolbars"
[HKCR\PopularScreensavers_7i.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"
[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\100"
[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\626"
[HKCR\PopularScreensavers_7i.FeedManager.1\CLSID]
"(Default)" = "{96d0c95f-bfe7-430e-a406-d8e2d33fee48}"
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1506"
[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\ProgID]
"(Default)" = "PopularScreensavers_7i.ScriptButton.1"
[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"vendor" = "PopularScreensavers_7i"
[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.HTMLMenu\CurVer]
"(Default)" = "PopularScreensavers_7i.HTMLMenu.1"
[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"
[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"
[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}]
"(Default)" = ""
[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\TypeLib]
"(Default)" = "{497d9ad2-83eb-4cb4-9ba2-36dd99457bfc}"
[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"
[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0]
"(Default)" = "TYPELIB_NAME"
[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}]
"(Default)" = "PopularScreensavers"
[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}]
"(Default)" = "_IDataCtrlEvents"
[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 6A 86 D8 D5 7E F4 F8 0D C2 16 E1 CE 80 65 65"
[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\TypeLib]
"Version" = "1.0"
[HKCR\PopularScreensavers_7i.FeedManager]
"(Default)" = ""
[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"
[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll"
[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1604"
[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}]
"(Default)" = ""
[HKCR\PopularScreensavers_7i.ScriptButton\CLSID]
"(Default)" = "{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}]
"(Default)" = "HTMLPANEL_INTERFACE"
[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\PopularScreensavers_7i.HTMLPanel.1]
"(Default)" = "PopularScreensavers_7i HTML Panel"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"oldhpp" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ua" = "0"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\TypeLib]
"(Default)" = "{ccec4ca8-9ce0-48e2-b203-c0239aa97a62}"
[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}]
"(Default)" = "ITemplateHTMLMenu"
[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"
[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}]
"(Default)" = "IDisableAddonRebuttal"
[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\TypeLib]
"(Default)" = "{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}"
[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin\CurVer]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin.1"
[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll"
[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}]
"(Default)" = "IHttpControlEvents"
[HKCR\PopularScreensavers_7i.HTMLPanel\CurVer]
"(Default)" = "PopularScreensavers_7i.HTMLPanel.1"
[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"
[HKCR\PopularScreensavers_7i.FeedManager.1]
"(Default)" = ""
[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}]
"(Default)" = "Popup Menu Plugin"
[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"UninstallFFString" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe 7ibar.dll,O uninstalltype=FF"
[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\PopularScreensavers_7i\bar\1.bin\7iBar.dll,O mindsparktoolbarkey=PopularScreensavers_7i uninstalltype=IE"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"
[HKCR\PopularScreensavers_7i.HTMLPanel]
"(Default)" = "PopularScreensavers_7i HTML Panel"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"RegisteredWithFirefox" = "1"
[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{17b0b148-1491-4668-ad7d-1f39972e03e5}]
"(Default)" = ""
[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}]
"(Default)" = "ITemplatePopupMenu"
[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"7iSrcAs.dll" = "0"
[HKLM\SOFTWARE\PopularScreensavers_7i\SkinTools]
"PlayerPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSkPlay.exe"
[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin\MimeTypes\application/x-popularscreensavers_7iplugin]
"Description" = "PopularScreensavers Plugin"
[HKCR\PopularScreensavers_7i.HTMLMenu\CLSID]
"(Default)" = "{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}"
The Trojan modifies IE settings for security zones so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}]
"(Default)" = ""
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers Search Scope Monitor" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7isrchmn.exe /m=2 /w /h"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]
"(Default)" = ""
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers AppIntegrator 32-bit" = "C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe"
"PopularScreensavers" = "rundll32 C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll,S"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"pid2"
"ConfigDateStamp"
"un"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers Search Scope Monitor"
The process irsetup.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\PSS.ScreenSaverControl.1]
"(Default)" = "ScreenSaverControl Class"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin\MimeTypes\application/x-pss-popularscreensaversplugin]
"Description" = "Popular Screensavers Plugin"
[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers\p5Html.dll"
[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"AppName" = "p5PSSavr.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Version" = "1.1.1.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C39937A9-C59D-4506-A9FC-0A0138192287}]
"(Default)" = ""
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "ScreenSaverControl Class"
[HKCR\PSS.ScreenSaverControl]
"(Default)" = "ScreenSaverControl Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}]
"(Default)" = ""
[HKCR\PSS.HTMLPanel\CLSID]
"(Default)" = "{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\ProgID]
"(Default)" = "PSS.HTMLPanel.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"Policy" = "3"
[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"
[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCR\CLSID\{6FB5B50A-863D-4C0D-8E84-92A59565D087}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5cjpeg.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"AppPath" = "%System%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers\"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 66 8E 02 1E E5 C7 4A BB 2B EE 67 DE 37 34 8E"
[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\PopularScreensavers\ScreenSaver]
"ImagesDir" = "%Program Files%\PopularScreensavers\ScreenSaver\Images\"
[HKCR\CLSID\{6FB5B50A-863D-4C0D-8E84-92A59565D087}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\MiscStatus\1]
"(Default)" = "131473"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"AppPath" = "%Program Files%\PopularScreensavers"
[HKCR\PSS.ScreenSaverControl.1\CLSID]
"(Default)" = "{C39937A9-C59D-4506-A9FC-0A0138192287}"
[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0]
"(Default)" = "ScreenSaverControl 1.0 Type Library"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "ExplorerStub Class"
[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}]
"(Default)" = "_IPSSHTMLPanelEvents"
[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\VersionIndependentProgID]
"(Default)" = "PSS.ScreenSaverControl"
[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\p5pss]
"runtime" = "1"
[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"
[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "IScreenSaverInstaller"
[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "IMonitorEvents"
[HKCR\PSS.HTMLPanel]
"(Default)" = "PSS HTML Panel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\PSS.ScreenSaverControl\CLSID]
"(Default)" = "{C39937A9-C59D-4506-A9FC-0A0138192287}"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Description" = "Popular Screensavers Plugin"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"
[HKCR\PSS.ScreenSaverControl\CurVer]
"(Default)" = "PSS.ScreenSaverControl.1"
[HKLM\SOFTWARE\PopularScreensavers]
"JpegConversionLib" = "%Program Files%\PopularScreensavers\p5cjpeg.dll"
[HKCR\PSS.HTMLPanel.1]
"(Default)" = "PSS HTML Panel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\p5ScrCtr.dll]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Path" = "%Program Files%\PopularScreensavers\NPp5Stub.dll"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}]
"(Default)" = "PSS HTML"
[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat]
"runtime" = "6"
"Permissions" = "33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"AppName" = "p5medint.exe"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\VersionIndependentProgID]
"(Default)" = "PSS.HTMLPanel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\ProgID]
"(Default)" = "PSS.ScreenSaverControl.1"
[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5Html.dll"
[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"
[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\sources]
"p5PopularScreensavers" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"
[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0]
"(Default)" = "HTML 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin\MimeTypes\application/x-pss-popularscreensaversplugin]
"Suffixes" = "pss"
[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\PSS.HTMLPanel\CurVer]
"(Default)" = "PSS.HTMLPanel.1"
[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}]
"(Default)" = "IPSSHTMLPanel"
[HKCR\PSS.HTMLPanel.1\CLSID]
"(Default)" = "{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}"
[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"
[HKLM\SOFTWARE\PopularScreensavers\ScreenSaver]
"PluginPath" = "%Program Files%\PopularScreensavers\"
[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"vendor" = "Popular Screensavers"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat]
The process {12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B B4 3B 5A A2 F3 11 E8 8B 51 69 A4 99 17 AC 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process 7iHighIn.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 CD 35 C1 F7 05 27 E5 F9 16 CA 68 E4 F9 95 6A"
Dropped PE files
MD5 | File path |
---|---|
df2b8cf613b10039bc2a8557642ca041 | c:\Program Files\PopularScreensavers\NPp5Stub.dll |
b5fc476c1bf08d5161346cc7dd4cb0ba | c:\Program Files\PopularScreensavers\lua5.1.dll |
ab6a0cfcefbde3da7de476b09c622243 | c:\Program Files\PopularScreensavers\p5Html.dll |
0b0dac1c129523b486e5b9fc33648ffe | c:\Program Files\PopularScreensavers\p5MedInt.exe |
5a5c9c76caf3bf3954f5eb21f2da2ee9 | c:\Program Files\PopularScreensavers\p5PSSavr.scr |
a3e58418c20d479a1a2a1911bc3763d7 | c:\Program Files\PopularScreensavers\p5Plugin.dll |
da4d621f7913a241945e046d3ae35326 | c:\Program Files\PopularScreensavers\p5ScrCtr.dll |
91fce1e43fec4729b2f55c94d97e04ec | c:\Program Files\PopularScreensavers\p5cjpeg.dll |
32dfcd93d3d468d2e75fd330812480de | c:\Program Files\PopularScreensavers\p5svc.exe |
2056c7fedf8a50ae6abdc6ebda17654c | c:\Program Files\PopularScreensavers\p5wphook.dll |
cee64b573b69a9b1b43d2065eb0d3320 | c:\Program Files\PopularScreensavers\uninstall.exe |
313460fa38c68768ec6bd38f795c4636 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll |
779662595f6b51bb86f96eccc230f13c | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll |
3c93215de9cc97c60b1892ad8dbe4411 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe |
21ae5618ae49640455d80de92a741ec7 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll |
b3dae11b5316528e6853a94d39e141e3 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe |
af8c7080961317cac447e67700994ca4 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll |
6953cf1fd63ee9198a5fb6c365e0945d | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idatact.dll |
80f1bbb9dda5d7d20358a89a28a5f251 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idlghk.dll |
920dcbae5836293e750eb01db436f26e | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll |
69b288297ea754cea5b71956c023a7e7 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll |
1c86678ebf794d7c48ac6e2a663d4d46 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihighin.exe |
259b188c17120d2ef9d18157e6f48919 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll |
3277a89130679dae008092ccdd41e38c | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll |
27133aaae9b940a1b3a9944ffbf18c06 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll |
913a5f893b78b675cd44dc717e89c4ec | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iidle.dll |
df5ce0e2d96d747ed9fd82d6128cd393 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7imedint.exe |
76cfb8166a80ffbfc4a06aecd34b6225 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll |
6d305157b71047492823aa863084f088 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iregfft.dll |
d2afbb79efdb9acea481fc2e6b79d67d | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ireghk.dll |
24f53c8a074e9e032d8547fe1e159346 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iregiet.dll |
5d08b5c3cc87b48281dddd12216b6e22 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iscript.dll |
fedb7ed64a20fc2aaa6c09869e3b0998 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iskin.dll |
96f758be1ee0d60e164b22b797e6eec8 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iskplay.exe |
29e27800a11bbaa06e857da4bde64eec | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll |
cf0646bb879911192c833e314e0afc57 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\7itpinst.dll |
b6940fe9d6fc34ef59f1028ae6018fe1 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE |
cc497b6397bf8e3cf1550df4b9cee39b | c:\Program Files\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL |
28df17d03fb2cc24b06d9a56be8701ec | c:\Program Files\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL |
e8bcea8410248511f0cff7530297d4b0 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL |
143d634f4f93155d3a4d430c2cf60d11 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe |
dbf0a4be10e5a7a5815845a3394f5ec7 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll |
43ad3c8b42d0e87d0e61e94602e50f37 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\CREXT.DLL |
92bac85f49bbd97e53fd94fac848736d | c:\Program Files\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe |
b61deef118eb941a8063e6d2ad31415a | c:\Program Files\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL |
a36c8e9a6cdca2c18cb2e550562cd882 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll |
2f738b52cab5a1722ba7d250c24fbf4c | c:\Program Files\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL |
12561f359a0665b4ef531a06b42e1178 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL |
211572b1a80337431576521c82bf0ab6 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\HPG.DLL |
3e2dafd1255ee62ffab9a00f926c1f0a | c:\Program Files\PopularScreensavers_7i\bar\1.bin\Hpg64.dll |
af689b0f09dde27d1a50d7a2963eafae | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL |
85aa773c5b3fe1b2fc4db60bfcb0e6f9 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL |
64d6eb8eb2882837bc4f29ce02e1a6f9 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL |
b1dd705f66a0aac955be5b5003d87852 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL |
b0a0ff00bb40b2628f2d35a9e6085335 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8RES.DLL |
7dca62cf49f4f29fb2a4002bf9a3a17c | c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL |
8199bfbaf45163fc6ac4a3360fe239c3 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL |
7aaf4b9657c26a93da0e6e2d5ba11372 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL |
5adaa3a9d2034924b2f9552652d457a0 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE |
d245830ad93d799bbca6dc055045d8c0 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL |
b0ffe041fb0c9fb55e1fc9394354d459 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL |
649fba6a4b539b295f19e736a311101d | c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL |
12bc7c0af14464243f5794a4a06f537f | c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE |
f26bd34edd1beacc23aa126de231cac1 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL |
b3d3b34968fb171bb79c20123a455ac9 | c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL |
5a5c9c76caf3bf3954f5eb21f2da2ee9 | c:\WINDOWS\system32\p5PSSavr.scr |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
7isrchmn.exe:1112
TPIManagerConsole.exe:1252
%original file name%.exe:632
7ibarsvc.exe:556
7ibarsvc.exe:1280
7ibarsvc.exe:1332
00000278T8SETUP.EXE:848
irsetup.exe:484
{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396
7iHighIn.exe:1524
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (649558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (188805 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregiet.dll (87 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll (83 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll (98 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll (214 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%System%\config (200 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL (202 bytes)
%System%\config\system (3777 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll (144 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe (13 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe (90 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll (104 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll (145 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll (87 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregfft.dll (85 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll (171 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\PopularScreensavers_7i\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe (5442 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\chrome\7iffxtbr.jar (1829 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll (147 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll (212 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll (121 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll (121 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\PopularScreensavers_7i\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\PopularScreensavers_7i\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskplay.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%System%\config\SOFTWARE.LOG (40617 bytes)
%System%\config\software (35872 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iidle.dll (62 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll (5442 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll (179 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imedint.exe (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll (151 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll (59 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ireghk.dll (80 bytes)
%Program Files%\PopularScreensavers\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Plugin.dll (60 bytes)
%Program Files%\PopularScreensavers\p5svc.exe (35 bytes)
%Program Files%\PopularScreensavers\uninstall.exe (9213 bytes)
%Program Files%\PopularScreensavers\p5BkgErr.jpg (2192 bytes)
%Program Files%\PopularScreensavers\Uninstall\uni1.tmp (9314 bytes)
%Program Files%\PopularScreensavers\p5wphook.dll (31 bytes)
%Program Files%\PopularScreensavers\p5ScrCtr.dll (3997 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.xml (828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\PopularScreensavers\p5MedInt.exe (23 bytes)
%Program Files%\PopularScreensavers\lua5.1.dll (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Popular Screensavers Setup Log.txt (336 bytes)
%Program Files%\PopularScreensavers\p5wallpp.dat (305 bytes)
%System%\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Html.dll (1137 bytes)
%Program Files%\PopularScreensavers\p5cjpeg.dll (2079 bytes)
%Program Files%\PopularScreensavers\p5spacer.wmv (5 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.dat (2104 bytes)
%Program Files%\PopularScreensavers\NPp5Stub.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers Search Scope Monitor" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7isrchmn.exe /m=2 /w /h"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers AppIntegrator 32-bit" = "C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers" = "rundll32 C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll,S"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: PopularScreensavers
Product Name: PopularScreensavers
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 7iSetup.exe
Internal Name: 7iSetup
File Version: 2, 0, 5, 6
File Description: PopularScreensavers
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7790 | 8192 | 4.27339 | e28848bc1d5d86f7e6683c7388b6f4e3 |
.rdata | 12288 | 8748 | 12288 | 1.77924 | 1e323d94d16689696e28719553f86a44 |
.data | 24576 | 2126 | 4096 | 1.24928 | e8e6252ddf5dd1b4b0b1bd8799f0d2e4 |
.rsrc | 28672 | 5786104 | 5787648 | 5.38465 | 4f5931333e5ee572b9d1008d2810a7dc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1255.g.akamai.net/images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
hxxp://e6845.ce.akamaiedge.net/crls/gtglobal.crl | |
hxxp://crl.geotrust.com/crls/gtglobal.crl | 23.9.117.163 |
hxxp://ak.imgfarm.com/images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe | 205.237.69.73 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.9.117.163 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.9.117.163 |
ts-crl.ws.symantec.com | 23.9.117.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "3c0c2172dfdd2c5720e1caf87cf59523:1410296711"
Last-Modified: Tue, 09 Sep 2014 21:05:11 GMT
Date: Wed, 10 Sep 2014 00:20:37 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< skipped >>>
GET /images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.imgfarm.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 19 Dec 2012 15:18:08 GMT
ETag: "1433cef-2297b8-4d1361f29c9d4"
Accept-Ranges: bytes
Content-Length: 2267064
Cache-Control: max-age=262350824
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Wed, 10 Sep 2014 00:20:28 GMT
Connection: keep-alive
<<< skipped >>>
GET /crls/gtglobal.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "4e4eabfe627604434b4760a1a3edf607:1410304211"
Last-Modified: Tue, 09 Sep 2014 23:10:11 GMT
Date: Wed, 10 Sep 2014 00:20:38 GMT
Content-Length: 554
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "dad74562eea63e24f12699a6f02c517d:1403752510"
Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Wed, 10 Sep 2014 00:20:37 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
7iHighIn.exe_1524:
.text
`.rdata
@.data
.rsrc
@.reloc
SHLWAPI.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\t8HighIn.pdb
1.0.7.205
t8HighIn.exe
2.5.15.0
AppIntegrator.exe_1532:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
SHELL32.dll
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MaxPolicyElementKey
AppIntegrator.cpp
IAC::AppIntegrator::Application::SetupWindowsHook
C Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
MsgWaitForMultipleObjects
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCreateUSKeyW
SHLWAPI.dll
USERENV.dll
VERSION.dll
GetProcessHeap
GetCPInfo
AppIntegrator.exe
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
ieframe.dll
Already running! %s
The %s event cannot be created (%u)
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling SetWindowsHookEx %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: 0x%0x
TraceLogUnitTest.exe
TraceLog.cfg
).csv
\StringFileInfo\XX\OriginalFilename
@t8res.dll
Advapi32.dll
C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\POPULA~1\bar\1.bin
@C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe
1.0.7.205
2.5.15.0