Trojan.Win32.Swrort.3_0be704485e

by malwarelabrobot on June 2nd, 2015 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0be704485ea6708752270c4f6340b29f
SHA1: 749f18a50db72b41d3b0ae9ce1826e29e98901d7
SHA256: fe6bb2c06805dbd1c0e04f9d238c7455351a3127572b00c18d591b924eb92c7a
SSDeep: 98304:kqNn57GPzaNfEHOC6ocg/RcG6orUled5z7UKZKy8N/mGvjymJ1AkxIKkKv2 /2d:pNZGPzMEHKocg/R5X2ed5z7HZWjyTkKJ
Size: 5822800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: SafePCRepair
Created at: 2015-05-08 17:12:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

89HighIn.exe:1900
89barsvc.exe:1112
89barsvc.exe:1532
89barsvc.exe:368
TPIManagerConsole.exe:1716
ioloToolService.exe:252
ngen.exe:2032
irsetup.exe:916
{9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe:1996
%original file name%.exe:1676
regsvr32.exe:804
0000068cT8SETUP.EXE:948

The Trojan injects its code into the following process(es):

mscorsvw.exe:1232
AppIntegrator.exe:1072

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process TPIManagerConsole.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\{9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe (980519 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)

The Trojan deletes the following file(s):

%Program Files%\SafePCRepair_89\bar\1.bin\{9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe (0 bytes)

The process ngen.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1284 bytes)

The process irsetup.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SafePCRepair\ioloToolService.exe (26412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (4268 bytes)
%Program Files%\SafePCRepair\MindSparkTools.dll (20511 bytes)
%Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
%Program Files%\SafePCRepair\Newtonsoft.Json.dll (4793 bytes)
%Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (13093 bytes)
%Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
%Program Files%\SafePCRepair\IoloServiceWrapper.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
%Program Files%\SafePCRepair\log4net.dll (3888 bytes)
%Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
%Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
%Program Files%\SafePCRepair\SPR.exe (19172 bytes)
%Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.xml (1198 bytes)
%Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process {9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe:1996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process mscorsvw.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)

The process %original file name%.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EXE (196915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EX_ (39950 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EX_ (0 bytes)

The process 0000068cT8SETUP.EXE:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (265 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (61 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6424 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
%System%\config\SOFTWARE.LOG (39777 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
%System%\config\system (3777 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1681 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (146 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
%System%\config (200 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
%System%\config\software (33085 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (106 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6744 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)

Registry activity

The process 89HighIn.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 65 69 90 B2 9B 56 5A A4 4B C8 7C C6 C4 AE BF"

The process 89barsvc.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 31 F6 17 BA B8 1C D1 70 2E 13 8D 39 76 73 23"

The process 89barsvc.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 11 6A B2 27 05 80 94 62 95 58 A1 BE F3 D4 26"

The process 89barsvc.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 2A 58 2B 05 97 9E A7 2E 92 65 99 79 4B 7E 9A"

The process TPIManagerConsole.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"is64bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"FriendlyName" = "Safe PC Repair"

"uninstall" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies]
"dependencymanagerpath" = "%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 9F 5F 6B 97 0F 2F 85 C3 B1 BA 31 A9 2E FF 06"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ioloToolService.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SAFEPC~2\IOLOTO~1.EXE"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\ProgID]
"(Default)" = "ioloToolService.ToolManager"

[HKCR\ioloToolService.ToolManager\Clsid]
"(Default)" = "{7D6E502F-02F7-46E9-AA46-D3364038B6F7}"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCU\Software\CodeGear\Locales\%Program Files%\SafePCRepair]
"ioloToolService.exe" = "en"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}]
"(Default)" = "ITool"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}]
"(Default)" = "IToolProfile"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ioloToolService.ToolManager]
"(Default)" = "ToolManager Object"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0]
"(Default)" = "ioloToolService"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AppID\{CFBE264C-912E-4DA5-B67B-790B27D6D338}]
"LocalService" = "ioloService"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}]
"(Default)" = "ISession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}]
"(Default)" = "IAsyncResult"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}]
"(Default)" = "IToolProgressSink"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"(Default)" = ""

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}]
"(Default)" = "IEnumTool"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\ioloToolService.exe]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}]
"(Default)" = "IToolManager"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 CE 57 50 AC 55 C6 C4 F5 1C DA 88 E7 F2 9E D6"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}]
"(Default)" = "IFileInfo"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}]
"(Default)" = "IDataManager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}]
"(Default)" = "IEnumToolProfile"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair\ioloToolService.exe"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"(Default)" = "ToolManager Object"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair\"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

The process ngen.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 93 09 4D F4 9E 2E D1 13 21 FF 66 E3 49 6A B5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/SafePCRepair/SPR.exe\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/SafePCRepair/SPR.exe\0]
"Scenario" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\C:/Program Files/SafePCRepair/SPR.exe]
"Status" = "3"

The process irsetup.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"Contact" = "Mindspark Interactive Network Support Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"URLInfoAbout" = "http://www.mindspark.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"DisplayName" = "SafePCRepair"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"DisplayVersion" = "1.1.fc5ad1f323753d875dced1851d6f03d65627e1c5.22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"Publisher" = "Mindspark Interactive Network"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"DisplayIcon" = "%Program Files%\SafePCRepair\SPR.exe,0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"InstallLocation" = "%Program Files%\SafePCRepair"
"HelpLink" = "http://www.mindspark.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\AppDataLow\Software\Mindspark\SafePCRepair]
"InstallDir" = "%Program Files%\SafePCRepair\"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 7E 8D CA 22 65 29 2D 4A 01 A7 3F 01 B9 36 4C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mindspark SafePCRepair]
"UninstallString" = "%Program Files%\SafePCRepair\uninstall.exe /U:%Program Files%\SafePCRepair\Uninstall\uninstall.xml"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots, and which do not belong to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process {9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 96 BD DF 93 65 91 2C E2 3A AF F4 DF EE 36 56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots, and which do not belong to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process mscorsvw.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 B7 29 E9 6D B8 8C F7 D1 C0 BE 50 27 AF 14 0F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

The process %original file name%.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 79 E4 D2 D1 0C B4 91 65 64 19 1F 90 C2 42 C5"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nodns" = "0"
"ffTabs" = "0"

[HKCU\Software\SafePCRepair_89\Events\EventData]
"00000000_5" = "01 00 00 00 8F C2 6C 55 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 8F C2 6C 55 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 8F C2 6C 55 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData" = "001"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData"

The process regsvr32.exe:804 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C A3 E1 ED A2 76 0A 15 B8 C0 0A F5 75 F2 BB 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\150]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

[HKCU\Software\CodeGear\Locales\%System%]
"regsvr32.exe" = "en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\170]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\140]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

The process AppIntegrator.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 43 AD D0 12 4F D7 4D E9 41 0A A9 6C CC 23 2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process 0000068cT8SETUP.EXE:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}]
"(Default)" = "IIEInstalledToolbar"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\TypeLib]
"(Default)" = "{154690a0-7778-41b5-a3ab-eb51e2482b74}"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\ProgID]
"(Default)" = "SafePCRepair_89.HTMLPanel.1"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"hpp" = "0"

[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"ID" = "AA48D7CA-4BA6-4B1B-974F-42A10A1F43E1"

[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin"

[HKCR\SafePCRepair_89.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{50066dbf-71b9-4489-b62e-4188d3048db2}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\ProgID]
"(Default)" = "SafePCRepair_89.HTMLMenu.1"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}]
"(Default)" = "IThirdPartyInstaller"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\SAFEPC~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\TypeLib]
"(Default)" = "{C78CCE0D-F991-44F4-B450-33C4FD189E38}"

[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.ThirdPartyInstaller]
"(Default)" = "SafePCRepair Third Party Installer"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"

[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
"(Default)" = "Search Assistant BHO"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\TypeLib]
"(Default)" = "{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP89.exe" = "0"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\TypeLib]
"(Default)" = "{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}"

[HKCR\SafePCRepair_89.FeedManager.1\CLSID]
"(Default)" = "{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5806dc83-95c8-4120-a305-cbce6260adf1}]
"(Default)" = ""

[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"dir" = "%Program Files%\SafePCRepair_89\bar\"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PID" = "^AW7"

[HKCR\SafePCRepair_89.SettingsPlugin\CurVer]
"(Default)" = "SafePCRepair_89.SettingsPlugin.1"

[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{be823b8c-a7ec-4078-a321-0f8046cbb48a}" = ""

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller"

[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\TypeLib]
"(Default)" = "{63498647-b3ef-4a8a-8c98-163ecf8048fe}"

[HKCR\SafePCRepair_89.FeedManager\CLSID]
"(Default)" = "{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}"

[HKLM\SOFTWARE\SafePCRepair_89\SkinTools]
"PlayerPath" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SkPlay.exe"

[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}]
"(Default)" = "Toolbar BHO"

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}]
"(Default)" = "SKINSETTINGS_INTERFACE"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"

[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"AppName" = "89SkPlay.exe"

[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin\MimeTypes\application/x-safepcrepair_89plugin]
"Suffixes" = "89"

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0]
"(Default)" = "HTML 1.0 Type Library"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}]
"(Default)" = "_ITemplateBarSettingsEvents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\SafePCRepair_89\bar\1.bin\89Bar.dll,O mindsparktoolbarkey=SafePCRepair_89 uninstalltype=FF"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.SettingsPlugin.1\CLSID]
"(Default)" = "{e81003f0-8f21-4a23-8142-403d821198ac}"

[HKCR\SafePCRepair_89.ScriptButton.1]
"(Default)" = ""

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}]
"(Default)" = ""

[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"

[HKCR\SafePCRepair_89.ScriptButton\CurVer]
"(Default)" = "SafePCRepair_89.ScriptButton.1"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.ThirdPartyInstaller\CurVer]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller.1"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"

[HKCR\SafePCRepair_89.ScriptButton]
"(Default)" = ""

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.PseudoTransparentPlugin\CurVer]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin.1"

[HKCR\SafePCRepair_89.MultipleButton.1\CLSID]
"(Default)" = "{2accb327-7218-4979-8eb7-0e653bc0ea66}"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"SettingsDir" = "%Program Files%\SafePCRepair_89\bar\Settings\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.FeedManager"

[HKCR\SafePCRepair_89.MultipleButton\CurVer]
"(Default)" = "SafePCRepair_89.MultipleButton.1"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}]
"(Default)" = "IDataCtrl"

[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.MultipleButton"

[HKCR\SafePCRepair_89.HTMLMenu\CLSID]
"(Default)" = "{816098C9-EC16-4106-9FF7-E19580B2C338}"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"

[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\TypeLib]
"(Default)" = "{154690A0-7778-41B5-A3AB-EB51E2482B74}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}]
"(Default)" = ""

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"89SrcAs.dll" = ""

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\SafePCRepair_89.FeedManager.1]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Path" = "%Program Files%\SafePCRepair_89\bar\1.bin\NP89Stub.dll"

[HKCR\SafePCRepair_89.ScriptButton.1\CLSID]
"(Default)" = "{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}"

[HKCR\SafePCRepair_89.PseudoTransparentPlugin\CLSID]
"(Default)" = "{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}"

[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\626"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\TypeLib]
"(Default)" = "{95cd0b4b-5782-435e-993d-ba07b30710a6}"

[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}]
"(Default)" = "HttpControl Class"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Visible" = "1"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}]
"(Default)" = "SafePCRepair_89 HTML Menu"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"ua" = "0"

[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}]
"(Default)" = "SafePCRepair_89 HTML"

[HKCR\SafePCRepair_89.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\ProgID]
"(Default)" = "SafePCRepair_89.ScriptButton.1"

[HKCR\SafePCRepair_89.ToolbarProtector.1\CLSID]
"(Default)" = "{b6de1d4c-f21b-4056-a99c-1727fd6400ce}"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.SettingsPlugin"

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"vendor" = "SafePCRepair_89"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"DeletedCustomizations" = "1"

[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"

[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}]
"(Default)" = "IDisableAddonRebuttal"

[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"AppName" = "89SlSrch.exe"

[HKCR\SafePCRepair_89.HTMLMenu]
"(Default)" = "SafePCRepair_89 HTML Menu"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"UninstallFFString" = "%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe 89bar.dll,O uninstalltype=FF"
"sr" = "0"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PartnerPixelNotSet" = ""

[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\SafePCRepair_89.MultipleButton]
"(Default)" = ""

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}" = ""

[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0]
"(Default)" = "Skin 1.0 Type Library"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1fc509df-4b29-4ab3-96e6-47c178d60287}\InprocServer32]
"(Default)" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll"

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\ProgID]
"(Default)" = "SafePCRepair_89.PseudoTransparentPlugin.1"

[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}]
"(Default)" = "ProtectorControl Class"

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\TypeLib]
"Version" = "1.0"

[HKCR\SafePCRepair_89.ThirdPartyInstaller\CLSID]
"(Default)" = "{50066dbf-71b9-4489-b62e-4188d3048db2}"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"AppName" = "89medint.exe"

[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\TypeLib]
"(Default)" = "{6c227856-d369-4b3f-a317-89e4b1cd1a83}"

[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll"

[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}]
"(Default)" = "Disable Addon Rebuttal Control"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}]
"(Default)" = "ITemplateBarSettings"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1104"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Description" = "SafePCRepair Plugin"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"

[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"od" = "1"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\ProgID]
"(Default)" = "SafePCRepair_89.ToolbarProtector.1"

[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}]
"(Default)" = "ITemplateBarButtonRect"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"ok" = "1"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"tiec" = "208976"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ToolbarProtector"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll"

[HKCR\SafePCRepair_89.SettingsPlugin\CLSID]
"(Default)" = "{e81003f0-8f21-4a23-8142-403d821198ac}"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}]
"(Default)" = "SKINWINDOW_INTERFACE"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}]
"(Default)" = "ITemplatePopupMenu"

[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\905"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}]
"(Default)" = "HTMLPANEL_INTERFACE"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"RegisteredWithFirefox" = "1"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}]
"(Default)" = "IHttpControlEvents"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1506"

[HKCR\SafePCRepair_89.HTMLMenu.1]
"(Default)" = "SafePCRepair_89 HTML Menu"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}]
"(Default)" = "IProtectorControl"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"Policy" = "3"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\ProgID]
"(Default)" = "SafePCRepair_89.FeedManager.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\SafePCRepair_89\bar\1.bin\89Bar.dll,O mindsparktoolbarkey=SafePCRepair_89 uninstalltype=IE"

[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll"

[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}]
"(Default)" = "ITemplateHTMLMenu"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3C6E6F5A-8105-423A-AD2C-892FDAC11F49}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"

[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll"

[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}]
"(Default)" = "ISessionData"

[HKLM\SOFTWARE\SafePCRepair_89\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.HTMLPanel.1]
"(Default)" = "SafePCRepair_89 HTML Panel"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Build" = "163.45625"

[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"

[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\TypeLib]
"(Default)" = "{0bc5607d-dc04-410a-b137-73f2ee733596}"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\ProgID]
"(Default)" = "SafePCRepair_89.SettingsPlugin.1"

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}]
"(Default)" = "DataCtrl Class"

[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\TypeLib\{C78CCE0D-F991-44F4-B450-33C4FD189E38}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\SafePCRepair_89.MultipleButton.1]
"(Default)" = ""

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6E2A759A-C5FC-45BA-92B8-85A6131B1324}\TypeLib]
"(Default)" = "{F7B9F27C-2E1A-429C-972A-DA83F1165B74}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"Policy" = "3"

[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.ScriptButton"

[HKCR\SafePCRepair_89.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}]
"(Default)" = ""

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ddeae50-1858-4f3a-8fa9-4774f02eef86}]
"Policy" = "3"

[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}]
"(Default)" = "Popup Menu Plugin"

[HKCR\SafePCRepair_89.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1406"

[HKCR\SafePCRepair_89.FeedManager\CurVer]
"(Default)" = "SafePCRepair_89.FeedManager.1"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}]
"(Default)" = "BARFEED_INTERFACE"

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin]
"Version" = "1.1.1.1"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"CurInstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"DisplayName" = "SafePCRepair Internet Explorer Toolbar"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"HiddenToolbarReminder.dll" = ""

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\ProgID]
"(Default)" = "SafePCRepair_89.ThirdPartyInstaller.1"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"AssistMonitor.dll" = ""

[HKCR\SafePCRepair_89.SettingsPlugin]
"(Default)" = ""

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\TypeLib]
"(Default)" = "{c78cce0d-f991-44f4-b450-33c4fd189e38}"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\TypeLib]
"Version" = "1.0"

[HKCR\SafePCRepair_89.ToolbarProtector\CurVer]
"(Default)" = "SafePCRepair_89.ToolbarProtector.1"

[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\405"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0]
"(Default)" = "TYPELIB_NAME"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"pl" = "9"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{95CD0B4B-5782-435E-993D-BA07B30710A6}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}]
"(Default)" = "POPUPMENU_INTERFACE"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=781B609B&p2=^AW7&ptb=AA48D7CA-4BA6-4B1B-974F-42A10A1F43E1"

[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.HTMLPanel\CurVer]
"(Default)" = "SafePCRepair_89.HTMLPanel.1"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}]
"(Default)" = "SEARCHSCOPE_INTERFACE"

[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\TypeLib]
"(Default)" = "{95CD0B4B-5782-435E-993D-BA07B30710A6}"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\100"

[HKLM\SOFTWARE\MozillaPlugins\@SafePCRepair_89.com/Plugin\MimeTypes\application/x-safepcrepair_89plugin]
"Description" = "SafePCRepair Plugin"

[HKCR\CLSID\{10019e3c-1039-4c6a-8231-0c657afc4bc4}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"89SrcAs.dll" = "0"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\SafePCRepair_89.ThirdPartyInstaller.1]
"(Default)" = "SafePCRepair Third Party Installer"

[HKCR\SafePCRepair_89.SettingsPlugin.1]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{63f9f932-ba95-42af-bb2b-51d8431db9b9}]
"AppName" = "CrExtP89.exe"

[HKCR\CLSID\{43223489-51e1-4e5c-bbc4-3645dce39afe}\TypeLib]
"(Default)" = "{ccb31621-e2c6-43e7-b5d8-2b161973d5c3}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"Maximized" = "1"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\TypeLib]
"(Default)" = "{B2A921D8-E831-468F-BBC6-16416342C0A7}"

[HKCR\CLSID\{a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1}]
"(Default)" = "SafePCRepair"

[HKCR\Interface\{A42FD199-B78F-452F-B31F-5755D6105704}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{590CFF64-4C98-4B32-887C-4F6BC8C89899}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"AppName" = "AppIntegrator.exe"

[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1807"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nd" = "0"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.HTMLPanel"

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"

[HKCR\SafePCRepair_89.HTMLPanel.1\CLSID]
"(Default)" = "{5806dc83-95c8-4120-a305-cbce6260adf1}"

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}]
"(Default)" = "_IThirdPartyInstallerEvents"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nk" = "0"

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\SafePCRepair_89.HTMLMenu.1\CLSID]
"(Default)" = "{816098C9-EC16-4106-9FF7-E19580B2C338}"

[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\1604"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"lidate" = "2015-06-01T20:37:31Z"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair_89bar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"

[HKCR\Interface\{34930B93-003D-4FF8-BF64-6A6F27547B0E}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKCR\TypeLib\{63498647-B3EF-4A8A-8C98-163ECF8048FE}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\TypeLib]
"(Default)" = "{b2a921d8-e831-468f-bbc6-16416342c0a7}"

[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\t8res.dll\625"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"PluginPath" = "%Program Files%\SafePCRepair_89\bar\1.bin\"

[HKCR\CLSID\{2accb327-7218-4979-8eb7-0e653bc0ea66}\ProgID]
"(Default)" = "SafePCRepair_89.MultipleButton.1"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\TypeLib]
"(Default)" = "{C78CCE0D-F991-44F4-B450-33C4FD189E38}"

[HKCR\CLSID\{fe97fe9a-ef03-47e0-9df9-8ebb728c5d93}]
"(Default)" = "Pseudo Transparent Plugin"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"ToolbarGuard.dll" = ""

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"

[HKCR\CLSID\{79223c67-251e-4447-94fe-762be858d73e}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll"

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"Policy" = "3"

[HKCR\CLSID\{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"UninstallString" = "%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe 89bar.dll,O uninstalltype=IE"

[HKCR\SafePCRepair_89.ToolbarProtector]
"(Default)" = "ProtectorControl Class"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\Version]
"(Default)" = "1.0"

[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\SafePCRepair_89.MultipleButton\CLSID]
"(Default)" = "{2accb327-7218-4979-8eb7-0e653bc0ea66}"

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.HTMLMenu"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"89DlgHk.dll" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 A2 29 68 AF 9C 41 32 B9 3A 59 DE 97 F3 AA A6"

[HKCR\SafePCRepair_89.HTMLMenu\CurVer]
"(Default)" = "SafePCRepair_89.HTMLMenu.1"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}]
"(Default)" = "IHttpControl"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""

[HKCR\SafePCRepair_89.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"

[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"

[HKCR\SafePCRepair_89.FeedManager]
"(Default)" = ""

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"au" = "1"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = ""

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"un" = "SafePCRepair"

[HKCR\SafePCRepair_89.ToolbarProtector\CLSID]
"(Default)" = "{b6de1d4c-f21b-4056-a99c-1727fd6400ce}"

[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = "SafePCRepair Third Party Installer"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"(Default)" = "Skin Settings"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{816098C9-EC16-4106-9FF7-E19580B2C338}]
"(Default)" = ""

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}]
"(Default)" = ""

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}]
"(Default)" = "ITemplateBarControl"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll"

[HKCR\SafePCRepair_89.ScriptButton\CLSID]
"(Default)" = "{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"

[HKCR\SafePCRepair_89.HTMLPanel\CLSID]
"(Default)" = "{5806dc83-95c8-4120-a305-cbce6260adf1}"

[HKCR\SafePCRepair_89.HTMLPanel]
"(Default)" = "SafePCRepair_89 HTML Panel"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}]
"(Default)" = "IIEInstalledToolbars"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}]
"(Default)" = "ITemplateBarMenu"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\TypeLib]
"(Default)" = "{154690A0-7778-41B5-A3AB-EB51E2482B74}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}]
"(Default)" = "_IDataCtrlEvents"

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"Policy" = "3"

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\TypeLib]
"(Default)" = "{f7b9f27c-2e1a-429c-972a-da83f1165b74}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fc509df-4b29-4ab3-96e6-47c178d60287}]
"(Default)" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
"(Default)" = ""

The Trojan modifies IE security zone settings to map all local web nodes with no dots, which do not refer to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"pid2"
"ConfigDateStamp"
"un"

Dropped PE files

MD5 File path
814678ec2aadb5420bc99d7409399625 c:\Program Files\SafePCRepair\IoloServiceWrapper.dll
1208c1a27701aeee5349db295cadb8bb c:\Program Files\SafePCRepair\Microsoft.Expression.Drawing.dll
4a551488b90c47ab5c2f8288f69905fe c:\Program Files\SafePCRepair\MindSparkTools.dll
21232aa53907058ba012c2c378c8be58 c:\Program Files\SafePCRepair\Newtonsoft.Json.dll
07dc9157a848108df83fc711bf37f3ab c:\Program Files\SafePCRepair\SPR.exe
78d410a2095d1f2e86c88a46866a0390 c:\Program Files\SafePCRepair\TaskDialog.dll
4448f4e161df0b63ceb8d92b97daeccc c:\Program Files\SafePCRepair\ioloToolService.dll
3c3784ff3579d217e6d7d009ba18559b c:\Program Files\SafePCRepair\ioloToolService.exe
27e3a4cd9a17f55649443bf858df17b8 c:\Program Files\SafePCRepair\log4net.dll
8c0b6838878f3dd76135f999ddb1c900 c:\Program Files\SafePCRepair\lua5.1.dll
70af52a6055b36a12763807241dcd117 c:\Program Files\SafePCRepair\uninstall.exe
143678734dbbf30ff73b2a1e182970d6 c:\Program Files\SafePCRepair_89\bar\1.bin\89Plugin.dll
feaa90789a41e01caefcb5b02cefede9 c:\Program Files\SafePCRepair_89\bar\1.bin\89SrcAs.dll
99cc9f1e159d11f08cae0e3ae8726011 c:\Program Files\SafePCRepair_89\bar\1.bin\89bar.dll
09c2c30e15dcb3c1d197208e51e8a8f4 c:\Program Files\SafePCRepair_89\bar\1.bin\89barsvc.exe
c0d2405e4d44656a1729b0a8b29123db c:\Program Files\SafePCRepair_89\bar\1.bin\89bprtct.dll
629ea085462a9832c8e1d4804c9131a1 c:\Program Files\SafePCRepair_89\bar\1.bin\89datact.dll
5b723723a3b15807efb90dbfbf9989ec c:\Program Files\SafePCRepair_89\bar\1.bin\89dlghk.dll
c120998d06bf3198dc39a6f6b48a636d c:\Program Files\SafePCRepair_89\bar\1.bin\89dlghk64.dll
cf959830a291941bb68b228492442da5 c:\Program Files\SafePCRepair_89\bar\1.bin\89feedmg.dll
cfcf18eda229d24d880b4eefb2eeaa09 c:\Program Files\SafePCRepair_89\bar\1.bin\89highin.exe
0358525c385bd4246bcbd5cb52c25d84 c:\Program Files\SafePCRepair_89\bar\1.bin\89htmlmu.dll
ba0b181aa48ed4d50ea2fc9e957630d8 c:\Program Files\SafePCRepair_89\bar\1.bin\89httpct.dll
f5e0a300d3c344cbf20538ea61915dca c:\Program Files\SafePCRepair_89\bar\1.bin\89idle.dll
70dc4406538aa6508f51a9b91150082c c:\Program Files\SafePCRepair_89\bar\1.bin\89medint.exe
787f17d71fb75e9539244194bf352fe5 c:\Program Files\SafePCRepair_89\bar\1.bin\89mlbtn.dll
0d05671b86d96031a8a46cde84a0ea16 c:\Program Files\SafePCRepair_89\bar\1.bin\89regfft.dll
541a039e3b5f3859117efe498b062ccc c:\Program Files\SafePCRepair_89\bar\1.bin\89regiet.dll
09325e2140cd35d9f2e303f2943ec075 c:\Program Files\SafePCRepair_89\bar\1.bin\89script.dll
b9892a2d0e2550615db1f7ff60bc7008 c:\Program Files\SafePCRepair_89\bar\1.bin\89skin.dll
18804f338e38b8720ba1538e31c97cc0 c:\Program Files\SafePCRepair_89\bar\1.bin\89skplay.exe
cf0646bb879911192c833e314e0afc57 c:\Program Files\SafePCRepair_89\bar\1.bin\89tpinst.dll
f0c2c3d183a087b51dbe88dd773126b6 c:\Program Files\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE
3d6b337517336594470f070bbc7188dd c:\Program Files\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL
36194eb9cf8c55d41ce917beb9d0cd61 c:\Program Files\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL
ef0439594263d5e3ee0a0b87717d8f30 c:\Program Files\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL
cf182742aa4f29b44dfd95779c3a79d0 c:\Program Files\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe
0da866b437db8560d9bb83f1c14b2e79 c:\Program Files\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll
ed0259fd945476d3e1f5175a22a5281a c:\Program Files\SafePCRepair_89\bar\1.bin\CREXT.DLL
b3e27442407095a8fcee6e827b87baf6 c:\Program Files\SafePCRepair_89\bar\1.bin\CrExtP89.exe
b7887260ed97aa7474c22e0409ec20ba c:\Program Files\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL
bf22cfcd99cacfd5cc557196593a429b c:\Program Files\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll
9e6225a6deab5b28d8971ea09a57881d c:\Program Files\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL
258974b87536c176f852bed3df551146 c:\Program Files\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL
fdb44ebf6a36cb1cd99401e209f53b6a c:\Program Files\SafePCRepair_89\bar\1.bin\HiddenToolbarReminder.dll
99e6d5152ec5ebee8575ae94cd4801eb c:\Program Files\SafePCRepair_89\bar\1.bin\INSTALLENABLER.DLL
a4a441ebd83fd66d03f10895419fadb7 c:\Program Files\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL
c69ec2b5d9e89d5c8e05be1d482e7f82 c:\Program Files\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL
6bc6e9db38a9cfea465b64177606e66d c:\Program Files\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL
32f857d34001b795a898f7c50651af6b c:\Program Files\SafePCRepair_89\bar\1.bin\T8HTML.DLL
1cc1978b0f36bdce4a068974c32a604d c:\Program Files\SafePCRepair_89\bar\1.bin\T8RES.DLL
9294b3d8e5052ecf3c23d31eecab8f07 c:\Program Files\SafePCRepair_89\bar\1.bin\T8TICKER.DLL
b273c99560d26fb5a08e3cebf47e5bb1 c:\Program Files\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL
5d16b944c42a8468f9cf59b96947c917 c:\Program Files\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL
5f9f183a5e7edb2ca5c7f3c0c5813c49 c:\Program Files\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE
eb4aa26e1a5c3cd6256a48b3c88c0059 c:\Program Files\SafePCRepair_89\bar\1.bin\VERIFY.DLL
84960b155e9ff6c931cd21798ce217b2 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER.DLL
267202f1663f579b55e3fcb177fd2a77 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER64.DLL
994ef00fad9a8e289c9ce0a7c085bfc2 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\APA\bar\ASSIST.EXE
58cb372449dab3a2c798e4c2454bee91 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\APA\dialog\ASSIST.EXE
cbfdb354f658af062be791b6914eb25a c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL
2205c3df09c286a6059415c16023c6e7 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL
e999b0d00082accdf9514b9b18cf27f2 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE
9389f5b1c2c2684adb948a1fb161f0cb c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL
c1285334ce13d734083fc8f5bd0f9a66 c:\Program Files\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

Company Name: SafePCRepair
Product Name: SafePCRepair
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 89Setup.exe
Internal Name: 89Setup
File Version: 2, 0, 5, 6
File Description: SafePCRepair
Comments:
Language: English (United States)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             7790          8192      4.27337  2025105e80249339871a8364b9d6462e
.rdata   12288            8748          12288     1.7971   c1a701f25ede56c5c3106acdde0a2ff8
.data    24576            2126          4096      1.23441  a47f92d38213ea3f932932afa2f5c0f4
.rsrc    28672            5786104       5787648   5.46443  3ef49d2a8fceda42c5f203e9f7a823d5

URLs

URL IP
hxxp://a1834.g2.akamai.net/images/nocache/vicinio/executable-packages/SafePCRepair/1425916752826/SafePCRepairSetup.exe
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl
hxxp://www187.mindspark.com/xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=4.0.30319&product=SafePCRepair&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2015-03-09&anxv=1.1.0.22&anxa=ProductInstaller&osArchitecture=32
hxxp://ak.dl.safepcrepair.com/images/nocache/vicinio/executable-packages/SafePCRepair/1425916752826/SafePCRepairSetup.exe 194.146.191.105
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl 23.43.133.163
hxxp://anx.mindspark.com/xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=4.0.30319&product=SafePCRepair&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2015-03-09&anxv=1.1.0.22&anxa=ProductInstaller&osArchitecture=32 74.113.233.187
hxxp://crl.verisign.com/pca3-g5.crl 23.43.133.163
hxxp://crl.thawte.com/ThawteTimestampingCA.crl 23.43.133.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.43.133.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /images/nocache/vicinio/executable-packages/SafePCRepair/1425916752826/SafePCRepairSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.dl.safepcrepair.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 09 Mar 2015 15:59:57 GMT
ETag: "8335ab-549330-510dd202a1940"
Accept-Ranges: bytes
Content-Length: 5542704
Cache-Control: max-age=308085741
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Mon, 01 Jun 2015 20:37:35 GMT
Connection: keep-alive

<<< skipped >>>

GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "311df0f1b79559ee9cf26b3ec2b14cdf:1433149600"
Last-Modified: Mon, 01 Jun 2015 09:06:40 GMT
Date: Mon, 01 Jun 2015 20:37:58 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl


GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "02e277383c1ef089951c3afe285accbd:1427488519"
Last-Modified: Fri, 27 Mar 2015 20:35:19 GMT
Date: Mon, 01 Jun 2015 20:37:58 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl


GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "3dc027a2e3f5c2fd7ea9c7167c8c2099:1433149516"
Last-Modified: Mon, 01 Jun 2015 09:05:16 GMT
Date: Mon, 01 Jun 2015 20:37:57 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "97b93bbbb813910cb8bfc80753e88aff:1427247319"
Last-Modified: Wed, 25 Mar 2015 01:35:19 GMT
Date: Mon, 01 Jun 2015 20:37:57 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /xt8a.gif?installationResult=Success&dotNetVersionInstalled=&dotNetExistingVersion=4.0.30319&product=SafePCRepair&anxe=Install&osDetail=5.1&defaultBrowser=IEXPLORE.EXE&anxd=2015-03-09&anxv=1.1.0.22&anxa=ProductInstaller&osArchitecture=32 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 8.0
Host: anx.mindspark.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 204 No Content
Server: nginx/1.0.10
Date: Mon, 01 Jun 2015 20:38:01 GMT
Connection: close
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: max-age=0


The Trojan connects to the servers at the following location(s):

Strings from Dumps

89HighIn.exe_1900:

.text
`.rdata
@.data
.rsrc
@.reloc
SHLWAPI.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\t8HighIn.pdb
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
1.0.7.247
t8HighIn.exe
2.5.15.15

AppIntegrator.exe_1072:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
SHELL32.dll
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MaxPolicyElementKey
AppIntegrator.cpp
Application.cpp
IAC::AppIntegrator::CApplication::SetupWindowsHook
C++ Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\98c5fc4468decace\Projects\ChromeExtAPI_Dev3\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
UnhookWindowsHookEx
MsgWaitForMultipleObjects
SetWindowsHookExW
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCreateUSKeyW
SHLWAPI.dll
USERENV.dll
VERSION.dll
GetProcessHeap
GetCPInfo
AppIntegrator.exe
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V<lambda5>@?A0x28971da0@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V<lambda0>@?A0x2c9b22d2@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
ieframe.dll
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: 0x%0x
%s:AppIntegratorShutdown
Already running! %s
The %s event cannot be created (%u)
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling CApplicationBase::SetWindowsHookEx %u
TraceLogUnitTest.exe
TraceLog.cfg
).csv
\StringFileInfo\XX\OriginalFilename
@t8res.dll
Advapi32.dll
C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\SAFEPC~1\bar\1.bin
@C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
1.0.7.247
2.5.15.15

mscorsvw.exe_1232:

.text
`.data
.rsrc
@.reloc
EX_CATCH line %d
CACHE_S_FORMATETC_NOTSUPPORTED
CTL_E_GETNOTSUPPORTEDATRUNTIME
CTL_E_GETNOTSUPPORTED
CTL_E_SETNOTSUPPORTEDATRUNTIME
CTL_E_SETNOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
CO_E_INIT_SCM_EXEC_FAILURE
EX_THROW Type = 0x%x HR = 0x%x, line %d
ThrowHR: HR = %x
mscorsvw.pdb
_amsg_exit
_acmdln
MSVCR100_CLR0400.dll
_crt_debugger_hook
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
mscoree.dll
ole32.dll
OLEAUT32.dll
.PAVException@@
v1.0.3705
.PAVOutOfMemoryException@@
.PAVHRException@@
advapi32.dll
Wtsapi32.dll
kernel32.dll
mscorsvc.dll
Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been uninstalled
Failed to uninstall Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been installed
Failed to install Microsoft .NET Runtime Optimization Service
Failed to retrieve Microsoft .NET Runtime Optimization Service interface
Set service status to %d
Service control handler op %u, event type %u
\ndpsetup.bat
Created repair process in session %d, process ID %d
Unable to create repair process, error %d
Microsoft.NET\NETFXRepair.exe
Error changing token session ID, error %d
Error duplicating current process token, error %d
Error getting current process token, error %d
Session %u has become active.
Aborting repair due to unexpected wait status %u
Found active session %u
Aborting repair due to error %u from WTSEnumerateSessions
StartServiceCtrlDispatcher failed with error %d. Will try slow path
\fusion.localgac
\v2.0.50727
SOFTWARE\Microsoft\.NetFramework
v4.0.0
SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
ngenrootstorelock.dat
ngenservicelock.dat
FastStartupCheck(isPrivateRuntime=%d)
yKERNEL32.DLL
Software\Microsoft\.NETFramework
RestrictedGCStressExe
EnableInternetHREFexes
NGENServiceWaitPassiveWork
NGENServicePassiveWorkWaitTimeout
NGENServicePassiveHardDiskIdleTimeout
NGENServicePassiveExceptInputTimeout
MD_ForceNoColDesSharing
UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException
DbgTransportProxyAddress
DbgRedirectCreateCmd
DbgRedirectCommonCmd
DbgRedirectAttachCmd
mscorrc.dll
v4.0.30319
.NET Runtime Optimization Service
4.0.30319.1 (RTMRel.030319-0100)
mscorsvw.exe
.NET Framework
4.0.30319.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    89HighIn.exe:1900
    89barsvc.exe:1112
    89barsvc.exe:1532
    89barsvc.exe:368
    TPIManagerConsole.exe:1716
    ioloToolService.exe:252
    ngen.exe:2032
    irsetup.exe:916
    {9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe:1996
    %original file name%.exe:1676
    regsvr32.exe:804
    0000068cT8SETUP.EXE:948

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (145 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\{9A5F7D0A-7205-4964-AA06-FC72C9318B5A}.exe (980519 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen.log (1284 bytes)
    %Program Files%\SafePCRepair\ioloToolService.exe (26412 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (4268 bytes)
    %Program Files%\SafePCRepair\MindSparkTools.dll (20511 bytes)
    %Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
    %Program Files%\SafePCRepair\Newtonsoft.Json.dll (4793 bytes)
    %Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
    %Program Files%\SafePCRepair\Uninstall\uni1.tmp (13093 bytes)
    %Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
    %Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
    %Program Files%\SafePCRepair\IoloServiceWrapper.dll (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
    %Program Files%\SafePCRepair\log4net.dll (3888 bytes)
    %Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
    %Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
    %Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
    %Program Files%\SafePCRepair\Uninstall\uninstall.xml (1198 bytes)
    %Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EXE (196915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0000068cT8SETUP.EX_ (39950 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\dialog\ASSIST.EXE (237 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\bar\CONFIG.XML (859 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (265 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (245 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (61 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6424 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
    %System%\config\SYSTEM.LOG (5001 bytes)
    %Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HiddenToolbarReminder.dll (250 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
    %Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER64.DLL (13 bytes)
    %System%\config\SOFTWARE.LOG (39777 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\bar\ASSIST.EXE (202 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
    %System%\config\system (3777 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1681 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\INSTALLENABLER.DLL (155 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (146 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (249 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\dialog\CONFIG.XML (545 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
    %Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (82 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (275 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (230 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (199 bytes)
    %System%\config\software (33085 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
    %Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (106 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (214 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (238 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\APA\ARBITER.DLL (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (218 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1800 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
