Trojan.Win32.Swrort.3_610b0d6f05

by malwarelabrobot on September 11th, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 610b0d6f05a298d3609a82606a4809a0
SHA1: a3b0c4770b278b64fd5bb08e7c446a3873128d04
SHA256: ccbfaaefc94857266f1114edc95f6f1e91caef9ddb70fed10912499e848f9430
SSDeep: 98304:Z/LJpvkvEqQJPoR/J2EwRm41fRJBFAuXmzQMVGMFkF yDHuC725m:5LvfqQ R/wEH4FRJBFfXcQO4 yLu6
Size: 5822864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: PopularScreensavers
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

7isrchmn.exe:1112
TPIManagerConsole.exe:1252
%original file name%.exe:632
7ibarsvc.exe:556
7ibarsvc.exe:1280
7ibarsvc.exe:1332
00000278T8SETUP.EXE:848
irsetup.exe:484
{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396
7iHighIn.exe:1524

The Trojan injects its code into the following process(es):

AppIntegrator.exe:1532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process TPIManagerConsole.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (649558 bytes)

The Trojan deletes the following file(s):

%Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (0 bytes)

The process %original file name%.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (188805 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (0 bytes)

The process 00000278T8SETUP.EXE:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregiet.dll (87 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll (83 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll (98 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll (214 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%System%\config (200 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL (202 bytes)
%System%\config\system (3777 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll (144 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe (13 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe (90 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll (104 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll (145 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll (87 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iregfft.dll (85 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll (171 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\PopularScreensavers_7i\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe (5442 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\chrome\7iffxtbr.jar (1829 bytes)
%System%\config\SYSTEM.LOG (5001 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll (147 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll (212 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll (121 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll (121 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6744 bytes)
%Program Files%\PopularScreensavers_7i\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\PopularScreensavers_7i\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskplay.exe (55 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%System%\config\SOFTWARE.LOG (40617 bytes)
%System%\config\software (35872 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7iidle.dll (62 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll (5442 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll (179 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7imedint.exe (12 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll (151 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll (59 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\PopularScreensavers_7i\bar\1.bin\7ireghk.dll (80 bytes)

The process irsetup.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PopularScreensavers\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Plugin.dll (60 bytes)
%Program Files%\PopularScreensavers\p5svc.exe (35 bytes)
%Program Files%\PopularScreensavers\uninstall.exe (9213 bytes)
%Program Files%\PopularScreensavers\p5BkgErr.jpg (2192 bytes)
%Program Files%\PopularScreensavers\Uninstall\uni1.tmp (9314 bytes)
%Program Files%\PopularScreensavers\p5wphook.dll (31 bytes)
%Program Files%\PopularScreensavers\p5ScrCtr.dll (3997 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.xml (828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\PopularScreensavers\p5MedInt.exe (23 bytes)
%Program Files%\PopularScreensavers\lua5.1.dll (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Popular Screensavers Setup Log.txt (336 bytes)
%Program Files%\PopularScreensavers\p5wallpp.dat (305 bytes)
%System%\p5PSSavr.scr (39 bytes)
%Program Files%\PopularScreensavers\p5Html.dll (1137 bytes)
%Program Files%\PopularScreensavers\p5cjpeg.dll (2079 bytes)
%Program Files%\PopularScreensavers\p5spacer.wmv (5 bytes)
%Program Files%\PopularScreensavers\Uninstall\uninstall.dat (2104 bytes)
%Program Files%\PopularScreensavers\NPp5Stub.dll (31 bytes)

The Trojan deletes the following file(s):

%Program Files%\PopularScreensavers\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process {12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

Registry activity

The process 7isrchmn.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 B4 6B C8 77 D5 93 DF 88 32 71 D6 04 D1 92 49"

The process TPIManagerConsole.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"FriendlyName" = "PopularScreensavers Helper Software"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"is64bit" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies]
"dependencymanagerpath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 29 C8 8A 55 0A AD 6F 14 B3 92 5B 45 F8 6E 27"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\PopularScreensavers_7i\Dependencies\PopularScreensavers]
"uninstall" = "1"
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\PopularScreensavers\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\PopularScreensavers\Uninstall\uninstall.xml"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A C4 08 DC 5F 2B 63 D1 92 25 97 70 7E CF F1 62"

[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_6" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"OToIData" = "001"

[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_7" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ffTabs" = "0"
"nodns" = "0"

[HKCU\Software\PopularScreensavers_7i\Events\EventData]
"00000000_5" = "01 00 00 00 28 99 0F 54 00 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"OToIData"

The process 7ibarsvc.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 0A 02 13 4F 1F 3E F3 69 4C CA A5 6B D6 C3 3A"

The process 7ibarsvc.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CC 77 EE 36 72 72 DB 48 AB 27 1C BD 0F 69 48"

The process 7ibarsvc.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 64 8C 81 EF A1 9B EF 34 21 A4 55 DF 1E E2 43"

The process AppIntegrator.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 FD 5B 83 B9 58 4D 8E B4 41 F2 BD 62 3F E8 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 00000278T8SETUP.EXE:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"

[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"AssistMonitor.dll" = ""

[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f339a07f-9578-412d-85e0-b8a80277151a}" = ""

[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\TypeLib]
"(Default)" = "{fd4d02f2-ea24-4809-b0b6-805031110e8c}"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"Policy" = "3"

[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\PopularScreensavers_7i.ThirdPartyInstaller]
"(Default)" = "PopularScreensavers Third Party Installer"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"

[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}]
"(Default)" = "ITemplateBarMenu"

[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}]
"(Default)" = "IIEInstalledToolbar"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}]
"(Default)" = "PopularScreensavers_7i HTML"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\TypeLib]
"(Default)" = "{32416a28-daa5-4ee2-a5a1-6e9cb952c19d}"

[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\PopularScreensavers_7i\bar\1.bin\7iBar.dll,O mindsparktoolbarkey=PopularScreensavers_7i uninstalltype=FF"

[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin"

[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}]
"(Default)" = "SKINSETTINGS_INTERFACE"

[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"

[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKCR\PopularScreensavers_7i.ScriptButton.1\CLSID]
"(Default)" = "{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}"

[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PID" = "^ZR"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Version" = "1.1.1.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}]
"(Default)" = "IDataCtrl"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\TypeLib]
"(Default)" = "{9e4d1125-cc72-42e5-82bd-de141214c313}"

[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"ToolbarGuard.dll" = ""

[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}\InprocServer32]
"(Default)" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll"

[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}]
"(Default)" = "ITemplateBarControl"

[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}]
"(Default)" = ""

[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\TypeLib]
"(Default)" = "{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}"

[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\PopularScreensavers_7i.ToolbarProtector\CurVer]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector.1"

[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\TypeLib]
"(Default)" = "{46A5C277-35A6-4C87-A0D2-D34D30D5A363}"

[HKCR\PopularScreensavers_7i.ThirdPartyInstaller\CLSID]
"(Default)" = "{17b0b148-1491-4668-ad7d-1f39972e03e5}"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}]
"(Default)" = "IHttpControl"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"Build" = "103.35314"
"CurInstall" = "1"
"Maximized" = "1"

[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\905"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c5b17a30-3a2b-444e-852d-74abb98cf48a}]
"(Default)" = ""

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"hpp" = "0"

[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"Policy" = "3"

[HKCR\PopularScreensavers_7i.HTMLPanel.1\CLSID]
"(Default)" = "{406463e6-91b4-4bbe-8182-e41fdca2b2b3}"

[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.SettingsPlugin]
"(Default)" = ""

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"dir" = "%Program Files%\PopularScreensavers_7i\bar\"

[HKCR\PopularScreensavers_7i.SettingsPlugin\CLSID]
"(Default)" = "{c5b17a30-3a2b-444e-852d-74abb98cf48a}"

[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\TypeLib]
"Version" = "1.0"

[HKCR\PopularScreensavers_7i.ThirdPartyInstaller\CurVer]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller.1"

[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1807"

[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}]
"(Default)" = "_ITemplateBarSettingsEvents"

[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\TypeLib]
"(Default)" = "{61588674-DE5D-416E-8F66-7AA6128A3669}"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll"

[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1104"

[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1406"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ok" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"DisplayName" = "PopularScreensavers Internet Explorer Toolbar"

[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}]
"(Default)" = "ISessionData"

[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PartnerPixelNotSet" = ""

[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}]
"(Default)" = "DataCtrl Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"

"pl" = "9"

[HKCR\PopularScreensavers_7i.SettingsPlugin\CurVer]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin.1"

[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"

[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector"

[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\ProgID]
"(Default)" = "PopularScreensavers_7i.ToolbarProtector.1"

[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\ProgID]
"(Default)" = "PopularScreensavers_7i.HTMLMenu.1"

[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll"

[HKCR\PopularScreensavers_7i.SettingsPlugin.1\CLSID]
"(Default)" = "{c5b17a30-3a2b-444e-852d-74abb98cf48a}"

[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\TypeLib]
"(Default)" = "{679dd02b-bfd7-439d-adff-20d7ed92ffd4}"

[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll"

[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}]
"(Default)" = "IThirdPartyInstaller"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"Policy" = "3"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"AppName" = "7iSlSrch.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Description" = "PopularScreensavers Plugin"

[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\TypeLib]
"Version" = "1.0"

[HKCR\PopularScreensavers_7i.HTMLPanel\CLSID]
"(Default)" = "{406463e6-91b4-4bbe-8182-e41fdca2b2b3}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"Policy" = "3"

[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0]
"(Default)" = "Skin 1.0 Type Library"

[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"ID" = "E70B1C4A-B554-42BA-AA6B-C13DAB894AE1"

[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9B304586-1389-4B2A-A89B-34C7D1F7ED04}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\TypeLib]
"(Default)" = "{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7f9bad37-202c-468d-a046-ebdef588616d}]
"(Default)" = ""

[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.HTMLMenu"

[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"

[HKCR\PopularScreensavers_7i.FeedManager\CurVer]
"(Default)" = "PopularScreensavers_7i.FeedManager.1"

[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\TypeLib]
"(Default)" = "{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}"

[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}]
"(Default)" = "ProtectorControl Class"

[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"

[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin"

[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{7f9bad37-202c-468d-a046-ebdef588616d}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"AppName" = "7imedint.exe"

[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]
"(Default)" = "Search Assistant BHO"

[HKCR\PopularScreensavers_7i.MultipleButton]
"(Default)" = ""

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}]
"(Default)" = "PopularScreensavers_7i HTML Menu"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"DeletedCustomizations" = "1"

[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"HPG.dll" = ""

[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.MultipleButton\CLSID]
"(Default)" = "{5c0a85b9-3980-475d-aa36-ea2ef138ec04}"

[HKCR\PopularScreensavers_7i.ToolbarProtector.1\CLSID]
"(Default)" = "{bfc81c68-2bbe-492d-b60e-c104cf4896ac}"

[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\ProgID]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller.1"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}]
"(Default)" = "Toolbar BHO"

[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"UninstallString" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe 7ibar.dll,O uninstalltype=IE"

[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.MultipleButton.1\CLSID]
"(Default)" = "{5c0a85b9-3980-475d-aa36-ea2ef138ec04}"

[HKCR\PopularScreensavers_7i.ToolbarProtector\CLSID]
"(Default)" = "{bfc81c68-2bbe-492d-b60e-c104cf4896ac}"

[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{13431DEE-CAD4-403C-BDC2-F36F3F3F0852}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\PopularScreensavers_7i.FeedManager\CLSID]
"(Default)" = "{96d0c95f-bfe7-430e-a406-d8e2d33fee48}"

[HKCR\PopularScreensavers_7i.HTMLMenu]
"(Default)" = "PopularScreensavers_7i HTML Menu"

[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ScriptButton"

[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}]
"(Default)" = "SEARCHSCOPE_INTERFACE"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.FeedManager"

[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

[HKCR\PopularScreensavers_7i.ScriptButton.1]
"(Default)" = ""

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0953a3a2-9223-4990-a1c9-efb4d4686ef2}" = ""

[HKCR\PopularScreensavers_7i.ScriptButton]
"(Default)" = ""

[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\TypeLib]
"(Default)" = "{46A5C277-35A6-4C87-A0D2-D34D30D5A363}"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}]
"(Default)" = ""

[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"PluginPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\"
"SettingsDir" = "%Program Files%\PopularScreensavers_7i\bar\Settings\"

[HKCR\PopularScreensavers_7i.HTMLMenu.1\CLSID]
"(Default)" = "{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}"

[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\TypeLib]
"(Default)" = "{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\ProgID]
"(Default)" = "PopularScreensavers_7i.FeedManager.1"

[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"

[HKCR\PopularScreensavers_7i.ScriptButton\CurVer]
"(Default)" = "PopularScreensavers_7i.ScriptButton.1"

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"Path" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\NP7iStub.dll"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"nd" = "0"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}]
"(Default)" = "PopularScreensavers Third Party Installer"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"nk" = "0"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"AppName" = "7iSrchMn.exe"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"Policy" = "3"

[HKCR\PopularScreensavers_7i.ThirdPartyInstaller.1]
"(Default)" = "PopularScreensavers Third Party Installer"

[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin\CLSID]
"(Default)" = "{7f9bad37-202c-468d-a046-ebdef588616d}"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"(Default)" = "Skin Settings"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"AppName" = "AppIntegrator.exe"

[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{87085ae6-dc1b-4e6b-98a7-6f4ac5f1eb49}]
"AppName" = "CrExtP7i.exe"

[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll"

[HKCR\PopularScreensavers_7i.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{17b0b148-1491-4668-ad7d-1f39972e03e5}"

[HKCR\PopularScreensavers_7i.SettingsPlugin.1]
"(Default)" = ""

[HKCR\PopularScreensavers_7i.HTMLMenu.1]
"(Default)" = "PopularScreensavers_7i HTML Menu"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"au" = "1"

[HKCR\PopularScreensavers_7i.ToolbarProtector]
"(Default)" = "ProtectorControl Class"

[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"

[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{667B44BE-C66D-4A45-A1E4-330AA24FEB01}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\ProgID]
"(Default)" = "PopularScreensavers_7i.MultipleButton.1"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"

[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.MultipleButton\CurVer]
"(Default)" = "PopularScreensavers_7i.MultipleButton.1"

[HKCR\TypeLib\{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\CLSID\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll"

[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\405"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{B408BA55-A542-4840-BACD-16B70B3D60C6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\ProgID]
"(Default)" = "PopularScreensavers_7i.SettingsPlugin.1"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}]
"(Default)" = "BARFEED_INTERFACE"

[HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631}\TypeLib]
"(Default)" = "{bbb1a756-c3a5-42cf-8fa3-ba0bd4c6f386}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"Visible" = "1"

[HKCR\Interface\{C9A1508E-85AC-4651-A4D6-BF483075742B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5c0a85b9-3980-475d-aa36-ea2ef138ec04}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.MultipleButton"

[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\TypeLib]
"(Default)" = "{46a5c277-35a6-4c87-a0d2-d34d30d5a363}"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.ThirdPartyInstaller"

[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}\TypeLib]
"(Default)" = "{FD4D02F2-EA24-4809-B0B6-805031110E8C}"

[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\TypeLib]
"(Default)" = "{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"7iSrcAs.dll" = ""

[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\TypeLib]
"(Default)" = "{61588674-DE5D-416E-8F66-7AA6128A3669}"

[HKCR\CLSID\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll"

[HKCR\TypeLib\{FD4D02F2-EA24-4809-B0B6-805031110E8C}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\625"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"Policy" = "3"

[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Integrators]
"7iDlgHk.dll" = ""

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\ProgID]
"(Default)" = "PopularScreensavers_7i.HTMLPanel.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"un" = "PopularScreensavers"

[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{5469582e-6a71-4c2c-ab43-ab183058c88c}]
"(Default)" = "Disable Addon Rebuttal Control"

[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP7i.exe" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\POPULA~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8107c112-6dd7-4cf7-a887-79cafd232b30}]
"AppName" = "7iSkPlay.exe"

[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}]
"(Default)" = "SKINWINDOW_INTERFACE"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{A0A80369-0C8A-44D9-B7CD-4D9C24DCA4E1}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"od" = "1"

[HKCR\Interface\{50CE9C1E-AFA8-494D-98F1-FFEC8965EA0A}]
"(Default)" = "_IThirdPartyInstallerEvents"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"sr" = "0"

[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.MultipleButton.1]
"(Default)" = ""

[HKCR\Interface\{3C3F0488-3600-4A42-A1A2-C61581965081}]
"(Default)" = "ITemplateBarButtonRect"

[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}]
"(Default)" = "ITemplateBarSettings"

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin\MimeTypes\application/x-popularscreensavers_7iplugin]
"Suffixes" = "7i"

[HKCR\CLSID\{bfc81c68-2bbe-492d-b60e-c104cf4896ac}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll"

[HKLM\SOFTWARE\PopularScreensavers_7i\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\VersionIndependentProgID]
"(Default)" = "PopularScreensavers_7i.HTMLPanel"

[HKCR\CLSID\{6833e938-d47a-4bca-b7d4-a712cd561127}]
"(Default)" = "HttpControl Class"

[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\Interface\{5E13D5ED-1190-49CD-BD35-7E6225A865F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"lidate" = "2014-09-10T00:19:49Z"

[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{ACA10773-9320-4DB0-8594-7F84FA38ACC6}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a0a80369-0c8a-44d9-b7cd-4d9c24dca4e1}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCU\Software\Classes\CLSID\{0953a3a2-9223-4990-a1c9-efb4d4686ef2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}]
"(Default)" = "IProtectorControl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}]
"(Default)" = ""

[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}]
"(Default)" = "POPUPMENU_INTERFACE"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{7f9bad37-202c-468d-a046-ebdef588616d}\ProgID]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin.1"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"tiec" = "208976"

[HKCR\Interface\{A40F7F79-8927-4A4A-B0FC-D41A8BE8C018}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=780C96FB&p2=^ZR&ptb=E70B1C4A-B554-42BA-AA6B-C13DAB894AE1"
"RegHookPath" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7ireghk"

[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}]
"(Default)" = "IIEInstalledToolbars"

[HKCR\PopularScreensavers_7i.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"

[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\100"

[HKCR\Interface\{D40A5080-2E18-4F53-84B7-6254AB5FE904}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\626"

[HKCR\PopularScreensavers_7i.FeedManager.1\CLSID]
"(Default)" = "{96d0c95f-bfe7-430e-a406-d8e2d33fee48}"

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1506"

[HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2}\TypeLib]
"(Default)" = "{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d2497c4b-ac5c-45df-8b83-adc99791a299}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\ProgID]
"(Default)" = "PopularScreensavers_7i.ScriptButton.1"

[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin]
"vendor" = "PopularScreensavers_7i"

[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.HTMLMenu\CurVer]
"(Default)" = "PopularScreensavers_7i.HTMLMenu.1"

[HKCR\TypeLib\{9E4D1125-CC72-42E5-82BD-DE141214C313}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"

[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"

[HKCR\CLSID\{406463e6-91b4-4bbe-8182-e41fdca2b2b3}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\TypeLib]
"(Default)" = "{a5f237f3-1da6-43af-8ca5-cfd7be9259a2}"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}]
"(Default)" = ""

[HKCR\TypeLib\{679DD02B-BFD7-439D-ADFF-20D7ED92FFD4}\1.0]
"(Default)" = "HTML 1.0 Type Library"

[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\TypeLib]
"(Default)" = "{497d9ad2-83eb-4cb4-9ba2-36dd99457bfc}"

[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\TypeLib]
"(Default)" = "{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}"

[HKCR\TypeLib\{CCEC4CA8-9CE0-48E2-B203-C0239AA97A62}\1.0]
"(Default)" = "TYPELIB_NAME"

[HKCR\Interface\{93861BEF-E5FA-4BB2-A040-584F6155A989}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}]
"(Default)" = "PopularScreensavers"

[HKCR\Interface\{BB926DE1-C745-42D9-A47A-D52BFC3D9492}]
"(Default)" = "_IDataCtrlEvents"

[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 6A 86 D8 D5 7E F4 F8 0D C2 16 E1 CE 80 65 65"

[HKCR\Interface\{66376EFC-73B3-41CB-8403-C19EA5A60623}\TypeLib]
"Version" = "1.0"

[HKCR\PopularScreensavers_7i.FeedManager]
"(Default)" = ""

[HKCR\TypeLib\{BBB1A756-C3A5-42CF-8FA3-BA0BD4C6F386}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"

[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{46A5C277-35A6-4C87-A0D2-D34D30D5A363}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll"

[HKCR\TypeLib\{61588674-DE5D-416E-8F66-7AA6128A3669}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\t8res.dll\1604"

[HKCR\CLSID\{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}]
"(Default)" = ""

[HKCR\PopularScreensavers_7i.ScriptButton\CLSID]
"(Default)" = "{b7c7e5c1-f49c-476a-a7e9-f45e5c85c995}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{B74556FC-60E9-42B4-A260-6AFA185C34EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E82D3858-2273-4EB8-A0D5-A97D90FFB83A}]
"(Default)" = "HTMLPANEL_INTERFACE"

[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PopularScreensavers_7i.HTMLPanel.1]
"(Default)" = "PopularScreensavers_7i HTML Panel"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"oldhpp" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{73643b10-6ee2-48be-8280-37aa35e0dfa6}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"ua" = "0"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\TypeLib]
"(Default)" = "{ccec4ca8-9ce0-48e2-b203-c0239aa97a62}"

[HKCR\Interface\{0D198245-3DC9-48D4-8FE0-4C50ECF6FD7F}]
"(Default)" = "ITemplateHTMLMenu"

[HKCR\CLSID\{17b0b148-1491-4668-ad7d-1f39972e03e5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{25ECB661-F98B-4230-9086-26F2E61947A3}\TypeLib]
"(Default)" = "{9E4D1125-CC72-42E5-82BD-DE141214C313}"

[HKCR\Interface\{C91E811C-4C64-4705-9C79-6DCF4184CE2C}]
"(Default)" = "IDisableAddonRebuttal"

[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{DB7BEEC6-3F03-46D2-BC57-22EC633FA5F5}\TypeLib]
"(Default)" = "{32416A28-DAA5-4EE2-A5A1-6E9CB952C19D}"

[HKCR\PopularScreensavers_7i.PseudoTransparentPlugin\CurVer]
"(Default)" = "PopularScreensavers_7i.PseudoTransparentPlugin.1"

[HKCR\CLSID\{f339a07f-9578-412d-85e0-b8a80277151a}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll"

[HKCR\Interface\{B956E151-3D90-489F-B109-97D5B4545D36}]
"(Default)" = "IHttpControlEvents"

[HKCR\PopularScreensavers_7i.HTMLPanel\CurVer]
"(Default)" = "PopularScreensavers_7i.HTMLPanel.1"

[HKCR\Interface\{93E4AD7F-B2DD-4273-9AD9-E6DE2A2670E8}\TypeLib]
"(Default)" = "{497D9AD2-83EB-4CB4-9BA2-36DD99457BFC}"

[HKCR\PopularScreensavers_7i.FeedManager.1]
"(Default)" = ""

[HKCR\CLSID\{a1fafccb-7ba7-4b5a-9c5b-4949b7f9a11c}]
"(Default)" = "Popup Menu Plugin"

[HKCR\CLSID\{8107c112-6dd7-4cf7-a887-79cafd232b30}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"UninstallFFString" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe 7ibar.dll,O uninstalltype=FF"

[HKCR\CLSID\{c5b17a30-3a2b-444e-852d-74abb98cf48a}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopularScreensavers_7ibar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\PopularScreensavers_7i\bar\1.bin\7iBar.dll,O mindsparktoolbarkey=PopularScreensavers_7i uninstalltype=IE"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{93e4ad7f-b2dd-4273-9ad9-e6de2a2670e8}]
"AppPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin"

[HKCR\PopularScreensavers_7i.HTMLPanel]
"(Default)" = "PopularScreensavers_7i HTML Panel"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"RegisteredWithFirefox" = "1"

[HKCR\Interface\{30B470CE-FFC9-463D-A6A3-CF5FCDB84581}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{96d0c95f-bfe7-430e-a406-d8e2d33fee48}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{17b0b148-1491-4668-ad7d-1f39972e03e5}]
"(Default)" = ""

[HKCR\Interface\{8C659C2B-4659-4B17-A7A1-3793EFA7B82E}]
"(Default)" = "ITemplatePopupMenu"

[HKCR\TypeLib\{A5F237F3-1DA6-43AF-8CA5-CFD7BE9259A2}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar\Switches]
"7iSrcAs.dll" = "0"

[HKLM\SOFTWARE\PopularScreensavers_7i\SkinTools]
"PlayerPath" = "%Program Files%\PopularScreensavers_7i\bar\1.bin\7iSkPlay.exe"

[HKCR\Interface\{BB0F9869-32C9-441B-960D-70D0405CB276}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@PopularScreensavers_7i.com/Plugin\MimeTypes\application/x-popularscreensavers_7iplugin]
"Description" = "PopularScreensavers Plugin"

[HKCR\PopularScreensavers_7i.HTMLMenu\CLSID]
"(Default)" = "{E6265C7D-6A14-4511-9AD6-F7B5A2583E7B}"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0709f2cc-d1e6-4b43-9efc-1c0701cb173d}]
"(Default)" = ""

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers Search Scope Monitor" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7isrchmn.exe /m=2 /w /h"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]
"(Default)" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers AppIntegrator 32-bit" = "C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe"

"PopularScreensavers" = "rundll32 C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll,S"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a6625a2-591b-4e83-ac3f-8c25eea30ac0}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKLM\SOFTWARE\PopularScreensavers_7i\bar]
"pid2"
"ConfigDateStamp"
"un"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopularScreensavers Search Scope Monitor"

The process irsetup.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\PSS.ScreenSaverControl.1]
"(Default)" = "ScreenSaverControl Class"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin\MimeTypes\application/x-pss-popularscreensaversplugin]
"Description" = "Popular Screensavers Plugin"

[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers\p5Html.dll"

[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"AppName" = "p5PSSavr.scr"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\0\win32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Version" = "1.1.1.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C39937A9-C59D-4506-A9FC-0A0138192287}]
"(Default)" = ""

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "ScreenSaverControl Class"

[HKCR\PSS.ScreenSaverControl]
"(Default)" = "ScreenSaverControl Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}]
"(Default)" = ""

[HKCR\PSS.HTMLPanel\CLSID]
"(Default)" = "{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\ProgID]
"(Default)" = "PSS.HTMLPanel.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"Policy" = "3"

[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"

[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCR\CLSID\{6FB5B50A-863D-4C0D-8E84-92A59565D087}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5cjpeg.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8798BBE7-DDF6-448B-AE0E-83C9E28A5598}]
"AppPath" = "%System%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers\"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 66 8E 02 1E E5 C7 4A BB 2B EE 67 DE 37 34 8E"

[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PopularScreensavers\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\PopularScreensavers\ScreenSaver]
"ImagesDir" = "%Program Files%\PopularScreensavers\ScreenSaver\Images\"

[HKCR\CLSID\{6FB5B50A-863D-4C0D-8E84-92A59565D087}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\MiscStatus\1]
"(Default)" = "131473"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"AppPath" = "%Program Files%\PopularScreensavers"

[HKCR\PSS.ScreenSaverControl.1\CLSID]
"(Default)" = "{C39937A9-C59D-4506-A9FC-0A0138192287}"

[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0]
"(Default)" = "ScreenSaverControl 1.0 Type Library"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "ExplorerStub Class"

[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}]
"(Default)" = "_IPSSHTMLPanelEvents"

[HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\VersionIndependentProgID]
"(Default)" = "PSS.ScreenSaverControl"

[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\p5pss]
"runtime" = "1"

[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"

[HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "IScreenSaverInstaller"

[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}]
"(Default)" = "IMonitorEvents"

[HKCR\PSS.HTMLPanel]
"(Default)" = "PSS HTML Panel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\PSS.ScreenSaverControl\CLSID]
"(Default)" = "{C39937A9-C59D-4506-A9FC-0A0138192287}"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Description" = "Popular Screensavers Plugin"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"

[HKCR\PSS.ScreenSaverControl\CurVer]
"(Default)" = "PSS.ScreenSaverControl.1"

[HKLM\SOFTWARE\PopularScreensavers]
"JpegConversionLib" = "%Program Files%\PopularScreensavers\p5cjpeg.dll"

[HKCR\PSS.HTMLPanel.1]
"(Default)" = "PSS HTML Panel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\p5ScrCtr.dll]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"Path" = "%Program Files%\PopularScreensavers\NPp5Stub.dll"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}]
"(Default)" = "PSS HTML"

[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat]
"runtime" = "6"
"Permissions" = "33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F37BCE7B-6055-418C-A301-E715F36F1E79}]
"AppName" = "p5medint.exe"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\VersionIndependentProgID]
"(Default)" = "PSS.HTMLPanel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{C39937A9-C59D-4506-A9FC-0A0138192287}\ProgID]
"(Default)" = "PSS.ScreenSaverControl.1"

[HKCR\CLSID\{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}\InprocServer32]
"(Default)" = "%Program Files%\PopularScreensavers\p5Html.dll"

[HKCR\Interface\{C39937AB-C59D-4506-A9FC-0A0138192287}\TypeLib]
"(Default)" = "{C39937A5-C59D-4506-A9FC-0A0138192287}"

[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\sources]
"p5PopularScreensavers" = "%Program Files%\PopularScreensavers\p5ScrCtr.dll"

[HKCR\TypeLib\{B2E5F9A4-0587-4525-8602-E08E32510243}\1.0]
"(Default)" = "HTML 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin\MimeTypes\application/x-pss-popularscreensaversplugin]
"Suffixes" = "pss"

[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\PSS.HTMLPanel\CurVer]
"(Default)" = "PSS.HTMLPanel.1"

[HKCR\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}]
"(Default)" = "IPSSHTMLPanel"

[HKCR\PSS.HTMLPanel.1\CLSID]
"(Default)" = "{DD55C1D4-CE89-4E93-866E-3F4A4962BD68}"

[HKCR\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}\TypeLib]
"(Default)" = "{B2E5F9A4-0587-4525-8602-E08E32510243}"

[HKLM\SOFTWARE\PopularScreensavers\ScreenSaver]
"PluginPath" = "%Program Files%\PopularScreensavers\"

[HKLM\SOFTWARE\MozillaPlugins\@popularscreensavers.com/Plugin]
"vendor" = "Popular Screensavers"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat]

The process {12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B B4 3B 5A A2 F3 11 E8 8B 51 69 A4 99 17 AC 48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 7iHighIn.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 CD 35 C1 F7 05 27 E5 F9 16 CA 68 E4 F9 95 6A"

Dropped PE files

MD5 File path
df2b8cf613b10039bc2a8557642ca041 c:\Program Files\PopularScreensavers\NPp5Stub.dll
b5fc476c1bf08d5161346cc7dd4cb0ba c:\Program Files\PopularScreensavers\lua5.1.dll
ab6a0cfcefbde3da7de476b09c622243 c:\Program Files\PopularScreensavers\p5Html.dll
0b0dac1c129523b486e5b9fc33648ffe c:\Program Files\PopularScreensavers\p5MedInt.exe
5a5c9c76caf3bf3954f5eb21f2da2ee9 c:\Program Files\PopularScreensavers\p5PSSavr.scr
a3e58418c20d479a1a2a1911bc3763d7 c:\Program Files\PopularScreensavers\p5Plugin.dll
da4d621f7913a241945e046d3ae35326 c:\Program Files\PopularScreensavers\p5ScrCtr.dll
91fce1e43fec4729b2f55c94d97e04ec c:\Program Files\PopularScreensavers\p5cjpeg.dll
32dfcd93d3d468d2e75fd330812480de c:\Program Files\PopularScreensavers\p5svc.exe
2056c7fedf8a50ae6abdc6ebda17654c c:\Program Files\PopularScreensavers\p5wphook.dll
cee64b573b69a9b1b43d2065eb0d3320 c:\Program Files\PopularScreensavers\uninstall.exe
313460fa38c68768ec6bd38f795c4636 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll
779662595f6b51bb86f96eccc230f13c c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll
3c93215de9cc97c60b1892ad8dbe4411 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe
21ae5618ae49640455d80de92a741ec7 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll
b3dae11b5316528e6853a94d39e141e3 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe
af8c7080961317cac447e67700994ca4 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll
6953cf1fd63ee9198a5fb6c365e0945d c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idatact.dll
80f1bbb9dda5d7d20358a89a28a5f251 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idlghk.dll
920dcbae5836293e750eb01db436f26e c:\Program Files\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll
69b288297ea754cea5b71956c023a7e7 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll
1c86678ebf794d7c48ac6e2a663d4d46 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihighin.exe
259b188c17120d2ef9d18157e6f48919 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll
3277a89130679dae008092ccdd41e38c c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll
27133aaae9b940a1b3a9944ffbf18c06 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll
913a5f893b78b675cd44dc717e89c4ec c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iidle.dll
df5ce0e2d96d747ed9fd82d6128cd393 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7imedint.exe
76cfb8166a80ffbfc4a06aecd34b6225 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll
6d305157b71047492823aa863084f088 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iregfft.dll
d2afbb79efdb9acea481fc2e6b79d67d c:\Program Files\PopularScreensavers_7i\bar\1.bin\7ireghk.dll
24f53c8a074e9e032d8547fe1e159346 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iregiet.dll
5d08b5c3cc87b48281dddd12216b6e22 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iscript.dll
fedb7ed64a20fc2aaa6c09869e3b0998 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iskin.dll
96f758be1ee0d60e164b22b797e6eec8 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7iskplay.exe
29e27800a11bbaa06e857da4bde64eec c:\Program Files\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll
cf0646bb879911192c833e314e0afc57 c:\Program Files\PopularScreensavers_7i\bar\1.bin\7itpinst.dll
b6940fe9d6fc34ef59f1028ae6018fe1 c:\Program Files\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE
cc497b6397bf8e3cf1550df4b9cee39b c:\Program Files\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL
28df17d03fb2cc24b06d9a56be8701ec c:\Program Files\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL
e8bcea8410248511f0cff7530297d4b0 c:\Program Files\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL
143d634f4f93155d3a4d430c2cf60d11 c:\Program Files\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe
dbf0a4be10e5a7a5815845a3394f5ec7 c:\Program Files\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll
43ad3c8b42d0e87d0e61e94602e50f37 c:\Program Files\PopularScreensavers_7i\bar\1.bin\CREXT.DLL
92bac85f49bbd97e53fd94fac848736d c:\Program Files\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe
b61deef118eb941a8063e6d2ad31415a c:\Program Files\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL
a36c8e9a6cdca2c18cb2e550562cd882 c:\Program Files\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll
2f738b52cab5a1722ba7d250c24fbf4c c:\Program Files\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL
12561f359a0665b4ef531a06b42e1178 c:\Program Files\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL
211572b1a80337431576521c82bf0ab6 c:\Program Files\PopularScreensavers_7i\bar\1.bin\HPG.DLL
3e2dafd1255ee62ffab9a00f926c1f0a c:\Program Files\PopularScreensavers_7i\bar\1.bin\Hpg64.dll
af689b0f09dde27d1a50d7a2963eafae c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL
85aa773c5b3fe1b2fc4db60bfcb0e6f9 c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL
64d6eb8eb2882837bc4f29ce02e1a6f9 c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL
b1dd705f66a0aac955be5b5003d87852 c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL
b0a0ff00bb40b2628f2d35a9e6085335 c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8RES.DLL
7dca62cf49f4f29fb2a4002bf9a3a17c c:\Program Files\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL
8199bfbaf45163fc6ac4a3360fe239c3 c:\Program Files\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL
7aaf4b9657c26a93da0e6e2d5ba11372 c:\Program Files\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL
5adaa3a9d2034924b2f9552652d457a0 c:\Program Files\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE
d245830ad93d799bbca6dc055045d8c0 c:\Program Files\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL
b0ffe041fb0c9fb55e1fc9394354d459 c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL
649fba6a4b539b295f19e736a311101d c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL
12bc7c0af14464243f5794a4a06f537f c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE
f26bd34edd1beacc23aa126de231cac1 c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL
b3d3b34968fb171bb79c20123a455ac9 c:\Program Files\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL
5a5c9c76caf3bf3954f5eb21f2da2ee9 c:\WINDOWS\system32\p5PSSavr.scr

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: PopularScreensavers
Product Name: PopularScreensavers
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 7iSetup.exe
Internal Name: 7iSetup
File Version: 2, 0, 5, 6
File Description: PopularScreensavers
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 7790 8192 4.27339 e28848bc1d5d86f7e6683c7388b6f4e3
.rdata 12288 8748 12288 1.77924 1e323d94d16689696e28719553f86a44
.data 24576 2126 4096 1.24928 e8e6252ddf5dd1b4b0b1bd8799f0d2e4
.rsrc 28672 5786104 5787648 5.38465 4f5931333e5ee572b9d1008d2810a7dc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1255.g.akamai.net/images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/crls/gtglobal.crl
hxxp://crl.geotrust.com/crls/gtglobal.crl 23.9.117.163
hxxp://ak.imgfarm.com/images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe 205.237.69.73
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.9.117.163
hxxp://crl.verisign.com/pca3-g5.crl 23.9.117.163
ts-crl.ws.symantec.com 23.9.117.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "3c0c2172dfdd2c5720e1caf87cf59523:1410296711"
Last-Modified: Tue, 09 Sep 2014 21:05:11 GMT
Date: Wed, 10 Sep 2014 00:20:37 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0...L0...3...0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 [email protected]
0730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&..
.130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s.
.130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9.
.130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H..
....120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......
0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v....
.w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...
iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M8
3...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID
{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........
'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T...
....130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u..
....130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v.........
.n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!
....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....
@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,
.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.
....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@.....
<<< skipped >>>


GET /images/nocache/vicinio/executable-packages/PopularScreensavers/1355930226649/PopularScreensaversSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.imgfarm.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 19 Dec 2012 15:18:08 GMT
ETag: "1433cef-2297b8-4d1361f29c9d4"
Accept-Ranges: bytes
Content-Length: 2267064
Cache-Control: max-age=262350824
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Wed, 10 Sep 2014 00:20:28 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2...\...\.
..\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\...
......PE..L...J..O.................X...........).......p....@.........
.................P......H.#...@.................................<..
.d........n...........}"......0.......................................
...@............p..x............................text....W.......X.....
............. ..`.rdata.......p...0...\..............@[email protected]....
[email protected]..................@[email protected]
[email protected].................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U...X......... [email protected].
SVW.}[email protected]@.P..hq@........`........V......SP.......Pp@..
..W..;.}[email protected][email protected]...
@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P..
...u>.......6......P.....~(......:u....~....P......P......P........
[email protected]@[email protected];[email protected].
[email protected]@........u....M._..^3.[.........V..W3.h..
[email protected].....<[email protected]
<<< skipped >>>


GET /crls/gtglobal.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "4e4eabfe627604434b4760a1a3edf607:1410304211"
Last-Modified: Tue, 09 Sep 2014 23:10:11 GMT
Date: Wed, 10 Sep 2014 00:20:38 GMT
Content-Length: 554
Connection: keep-alive
Content-Type: application/pkix-crl
0..&0...0...*.H........0B1.0...U....US1.0...U....GeoTrust Inc.1.0...U.
...GeoTrust Global CA..140909230300Z..140919230300Z0..0....4...0310111
41952Z0....5...060809140549Z0....4]..020522080843Z0....4\..02052208090
0Z0....5Y..050722125926Z0....6k..070711055050Z0....4Z..020521134804Z0.
..*.H..............aeX.Q.Z..^=&H.]fG) .......p.fa.Y,.(..n.. ........@g
.o....E........wsj=0...|.U.d_...`$.b..i A.. j....oW..k.@.....}....[...
..8..[...Y0.s.0....'...w.29{/.....w.../p...../..j....\L...qqY...4w..WN
...@h ...l..]...$7!..s.q......5r..'..W.o.#..V2.6..c.^.... ].6`..HTTP/1
.1 200 OK..Server: Apache..ETag: "4e4eabfe627604434b4760a1a3edf607:141
0304211"..Last-Modified: Tue, 09 Sep 2014 23:10:11 GMT..Date: Wed, 10 
Sep 2014 00:20:38 GMT..Content-Length: 554..Connection: keep-alive..Co
ntent-Type: application/pkix-crl..0..&0...0...*.H........0B1.0...U....
US1.0...U....GeoTrust Inc.1.0...U....GeoTrust Global CA..140909230300Z
..140919230300Z0..0....4...031011141952Z0....5...060809140549Z0....4].
.020522080843Z0....4\..020522080900Z0....5Y..050722125926Z0....6k..070
711055050Z0....4Z..020521134804Z0...*.H..............aeX.Q.Z..^=&H.]fG
) .......p.fa.Y,.(..n.. [email protected]=0...|.U.d_...`$.b
..i A.. j....oW..k.@.....}....[.....8..[...Y0.s.0....'...w.29{/.....w.
../p...../..j....\L...qqY...4w..WN...@h ...l..]...$7!..s.q......5r..'.
.W.o.#..V2.6..c.^.... ].6`....
<<< skipped >>>


GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "dad74562eea63e24f12699a6f02c517d:1403752510"
Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Wed, 10 Sep 2014 00:20:37 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..140617000000Z..140930235959Z0...*.H.............
Z.....{.......iV}.pm@..]...q....MT.....c.......[....?....zZ.....,. P.~
........*.'.....,......Y..!..s$..;.v..y<.................gf.? ...9#
...........O"5u....q1`.H....3...>.....l9g.X..i7.b.N]..<....@....
j.IO..V.oU_v2X....kf.q.......oq.j.e?v..o.l..Y.......!..HTTP/1.1 200 OK
..Server: Apache..ETag: "dad74562eea63e24f12699a6f02c517d:1403752510".
.Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT..Accept-Ranges: bytes..C
ontent-Length: 533..Date: Wed, 10 Sep 2014 00:20:37 GMT..Connection: k
eep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0
..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Netw
ork1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U
...<VeriSign Class 3 Public Primary Certification Authority - G5..1
40617000000Z..140930235959Z0...*.H.............Z.....{.......iV}.pm@..
]...q....MT.....c.......[....?....zZ.....,. P.~........*.'.....,......
Y..!..s$..;.v..y<.................gf.? ...9#...........O"5u....q1`.
H....3...>.....l9g.X..i7.b.N]..<[email protected]_v2X....kf.q.
......oq.j.e?v..o.l..Y.......!....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

7iHighIn.exe_1524:

.text
`.rdata
@.data
.rsrc
@.reloc
SHLWAPI.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\t8HighIn.pdb
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
1.0.7.205
t8HighIn.exe
2.5.15.0

AppIntegrator.exe_1532:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
SHELL32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MaxPolicyElementKey
AppIntegrator.cpp
IAC::AppIntegrator::Application::SetupWindowsHook
C   Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
MsgWaitForMultipleObjects
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCreateUSKeyW
SHLWAPI.dll
USERENV.dll
VERSION.dll
GetProcessHeap
GetCPInfo
AppIntegrator.exe
zcÁ
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V<lambda14>@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V<lambda5>@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
3 3$3(34383<3
< <$<(<,<0<
2$2<2@2`2
6,686@6`6
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
ieframe.dll
Already running! %s
The %s event cannot be created (%u)
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling SetWindowsHookEx %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: 0x%0x
TraceLogUnitTest.exe
TraceLog.cfg
).csv
\StringFileInfo\XX\OriginalFilename
@t8res.dll
Advapi32.dll
C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\POPULA~1\bar\1.bin
@C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe
1.0.7.205
2.5.15.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    7isrchmn.exe:1112
    TPIManagerConsole.exe:1252
    %original file name%.exe:632
    7ibarsvc.exe:556
    7ibarsvc.exe:1280
    7ibarsvc.exe:1332
    00000278T8SETUP.EXE:848
    irsetup.exe:484
    {12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe:396
    7iHighIn.exe:1524

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (135 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\{12394820-BF55-4B6A-8EB2-B9461AF724D9}.exe (649558 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EX_ (39950 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00000278T8SETUP.EXE (188805 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iregiet.dll (87 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegrator64.exe (258 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iPlugin.dll (83 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\CREXT.DLL (6422 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7imlbtn.dll (98 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ihtmlmu.dll (214 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
    %System%\config (200 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8HTML.DLL (202 bytes)
    %System%\config\system (3777 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrcAs.dll (144 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\VERIFY.DLL (70 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ihighin.exe (13 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
    %Program Files%\PopularScreensavers_7i\bar\assists\COMMON.T8S (138 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ibarsvc.exe (90 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iscript.dll (104 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ifeedmg.dll (145 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7isrchmr.dll (87 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iregfft.dll (85 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7idatact.dll (171 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\LOGO.BMP (10 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\installKeys.js (206 bytes)
    %Program Files%\PopularScreensavers_7i\bar\gen1\COMMON.T8S (1 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\CrExtP7i.exe (5442 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8TICKER.DLL (171 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\INSTALL.RDF (2 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iSrchMn.exe (55 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\chrome\7iffxtbr.jar (1829 bytes)
    %System%\config\SYSTEM.LOG (5001 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk64.dll (147 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iskin.dll (212 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\Hpg64.dll (220 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ibprtct.dll (121 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8EPMSUP.DLL (79 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7idlghk.dll (121 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (9272 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTEX.DLL (102 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\CHROME.MANIFEST (1 bytes)
    %Program Files%\PopularScreensavers_7i\bar\Message\COMMON.T8S (100 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\HPG.DLL (237 bytes)
    %Program Files%\PopularScreensavers_7i\bar\Settings\s_pid.dat (6 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\HKFXMGR.DLL (1629 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iskplay.exe (55 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
    %System%\config\SOFTWARE.LOG (40617 bytes)
    %System%\config\software (35872 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7iidle.dll (62 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ibar.dll (5442 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7itpinst.dll (179 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8RES.DLL (196 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\BOOTSTRAP.JS (20 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7imedint.exe (12 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\DPNMNGR.DLL (218 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\T8EXTPEX.DLL (108 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ihttpct.dll (151 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ihkstub.dll (59 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
    %Program Files%\PopularScreensavers_7i\bar\1.bin\7ireghk.dll (80 bytes)
    %Program Files%\PopularScreensavers\p5PSSavr.scr (39 bytes)
    %Program Files%\PopularScreensavers\p5Plugin.dll (60 bytes)
    %Program Files%\PopularScreensavers\p5svc.exe (35 bytes)
    %Program Files%\PopularScreensavers\uninstall.exe (9213 bytes)
    %Program Files%\PopularScreensavers\p5BkgErr.jpg (2192 bytes)
    %Program Files%\PopularScreensavers\Uninstall\uni1.tmp (9314 bytes)
    %Program Files%\PopularScreensavers\p5wphook.dll (31 bytes)
    %Program Files%\PopularScreensavers\p5ScrCtr.dll (3997 bytes)
    %Program Files%\PopularScreensavers\Uninstall\uninstall.xml (828 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
    %Program Files%\PopularScreensavers\p5MedInt.exe (23 bytes)
    %Program Files%\PopularScreensavers\lua5.1.dll (2902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Popular Screensavers Setup Log.txt (336 bytes)
    %Program Files%\PopularScreensavers\p5wallpp.dat (305 bytes)
    %System%\p5PSSavr.scr (39 bytes)
    %Program Files%\PopularScreensavers\p5Html.dll (1137 bytes)
    %Program Files%\PopularScreensavers\p5cjpeg.dll (2079 bytes)
    %Program Files%\PopularScreensavers\p5spacer.wmv (5 bytes)
    %Program Files%\PopularScreensavers\Uninstall\uninstall.dat (2104 bytes)
    %Program Files%\PopularScreensavers\NPp5Stub.dll (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopularScreensavers Search Scope Monitor" = "C:\PROGRA~1\POPULA~1\bar\1.bin\7isrchmn.exe /m=2 /w /h"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopularScreensavers AppIntegrator 32-bit" = "C:\PROGRA~1\POPULA~1\bar\1.bin\AppIntegrator.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopularScreensavers" = "rundll32 C:\PROGRA~1\POPULA~1\bar\1.bin\7ibar.dll,S"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now