Trojan.Win32.Swrort.3_6110b87e66

by malwarelabrobot on October 31st, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 6110b87e6694431f0ceb8a55f20f5465
SHA1: 186f1ca347586dffe8c98dcac3c3b60b7f9885fe
SHA256: ae7767fc8804290a9bdb9744ae17acde19eaa3138b6875a5e6dd8edd47a189bc
SSDeep: 98304:4Ui1OUdqeM5whl7gj0C6QBx8NgSKU3Z3v3ZbAdowaQ2dhg0qV5:4d5M5whl7glx8NFP3Z/3ZbkowsAP
Size: 5822848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: SafePCRepair
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

89HighIn.exe:1324
89barsvc.exe:876
89barsvc.exe:304
89barsvc.exe:1944
TPIManagerConsole.exe:936
%original file name%.exe:1352
ioloToolService.exe:472
regsvr32.exe:1540
00000548T8SETUP.EXE:1180
{988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe:732
89srchmn.exe:1272
irsetup.exe:1092

The Trojan injects its code into the following process(es):

AppIntegrator.exe:1580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process TPIManagerConsole.exe:936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VKEM6ZJP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\{988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe (1047471 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FTXE3DPE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WRI0UJBT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LEIQM67U\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Program Files%\SafePCRepair_89\bar\1.bin\{988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe (0 bytes)

The process %original file name%.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EXE (190298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EX_ (39950 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EX_ (0 bytes)

The process 00000548T8SETUP.EXE:1180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
%Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (100 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (264 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (62 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\Hpg64.dll (220 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
%System%\config\system (3482 bytes)
%Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%System%\config\SOFTWARE.LOG (34985 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89hkstub.dll (59 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89srchmr.dll (87 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1628 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (144 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
%System%\config\SYSTEM.LOG (5289 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89reghk.dll (80 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (4896 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
%System%\config (200 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (229 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89SrchMn.exe (55 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%System%\config\software (31988 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (2112 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (217 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1729 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)

The process {988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe:732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process irsetup.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (3398 bytes)
%Program Files%\SafePCRepair\Newtonsoft.Json.dll (4895 bytes)
%Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (11621 bytes)
%Program Files%\SafePCRepair\SPR.exe (18790 bytes)
%Program Files%\SafePCRepair\IoloServiceWrapper.dll (34 bytes)
%Program Files%\SafePCRepair\log4net.dll (2807 bytes)
%Program Files%\SafePCRepair\Uninstall\Wow64.lmd (601 bytes)
%Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
%Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
%Program Files%\SafePCRepair\ioloToolService.exe (22524 bytes)
%Program Files%\SafePCRepair\MindSparkTools.dll (20641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
%Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
%Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (5 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)
%Program Files%\SafePCRepair\Uninstall\uninstall.xml (1201 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (0 bytes)
%Program Files%\SafePCRepair\Uninstall\uni1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)

Registry activity

The process 89HighIn.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E DE 71 89 52 08 92 67 11 21 62 79 7C 6E 3F 6E"

The process 89barsvc.exe:876 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 EE 14 14 54 B3 BE 02 7E C9 3A A8 22 50 F5 ED"

The process 89barsvc.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 B1 94 0D 5A 25 34 70 91 62 FB 77 48 EE 20 5D"

The process 89barsvc.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 61 18 D1 7A 78 09 85 A2 42 26 98 6A A8 E7 48"

The process TPIManagerConsole.exe:936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"is64bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"FriendlyName" = "Safe PC Repair"

"uninstall" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies]
"dependencymanagerpath" = "%Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL"

[HKLM\SOFTWARE\SafePCRepair_89\Dependencies\SafePCRepair]
"UninstallString" = "${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\uninstall.exe /U:${reg[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:ProgramFilesDir]}\SafePCRepair\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 75 E8 4A C6 3D 0A F1 D8 74 1D E9 0D 9A 73 48"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and that do not belong to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 42 B8 C5 22 38 38 F8 33 24 6D 18 E5 14 0A BB"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"nodns" = "0"
"ffTabs" = "0"

[HKCU\Software\SafePCRepair_89\Events\EventData]
"00000000_5" = "01 00 00 00 98 46 52 54 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 98 46 52 54 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 98 46 52 54 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData" = "001"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"OToIData"

The process ioloToolService.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SAFEPC~2\IOLOTO~1.EXE"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\ProgID]
"(Default)" = "ioloToolService.ToolManager"

[HKCR\ioloToolService.ToolManager\Clsid]
"(Default)" = "{7D6E502F-02F7-46E9-AA46-D3364038B6F7}"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCU\Software\CodeGear\Locales\%Program Files%\SafePCRepair]
"ioloToolService.exe" = "en"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}]
"(Default)" = "ITool"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}]
"(Default)" = "IToolProfile"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ioloToolService.ToolManager]
"(Default)" = "ToolManager Object"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0]
"(Default)" = "ioloToolService"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AppID\{CFBE264C-912E-4DA5-B67B-790B27D6D338}]
"LocalService" = "ioloService"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}]
"(Default)" = "ISession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}]
"(Default)" = "IAsyncResult"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}]
"(Default)" = "IToolProgressSink"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"(Default)" = ""

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}]
"(Default)" = "IEnumTool"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\ioloToolService.exe]
"AppID" = "{CFBE264C-912E-4DA5-B67B-790B27D6D338}"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CDABDB6-9522-4A27-B6C3-F1F0DB584A31}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}]
"(Default)" = "IToolManager"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\Interface\{DD64BDF7-3A2E-452E-BA14-6F17554EB018}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 64 A6 3F A6 11 B2 96 A4 D5 41 04 5B 99 CF B4"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}]
"(Default)" = "IFileInfo"

[HKCR\Interface\{3A98E922-A041-4D48-BE67-85A8E2E9B618}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{56AD4096-50B4-48CA-9159-F05D340DC986}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9007902D-06A3-4BFB-AEAC-9C335E74B91F}]
"(Default)" = "IDataManager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{5160D776-E6C7-450A-AFB8-3BF0D83641A3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A583156B-8B91-4C89-9ADB-5EE1D305C03C}]
"(Default)" = "IEnumToolProfile"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\0\win32]
"(Default)" = "%Program Files%\SafePCRepair\ioloToolService.exe"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}]
"(Default)" = "ToolManager Object"

[HKCR\Interface\{882CEBE6-479B-48C9-BA4C-9E287BFD7ADC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D5731C13-597C-4756-8009-A21C02AF250F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C889A354-08D6-46F5-8C68-C6481023D6DE}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair\"

[HKCR\Interface\{CE2DC737-4634-4A55-A436-9C2C3E857053}\TypeLib]
"(Default)" = "{C889A354-08D6-46F5-8C68-C6481023D6DE}"

The process regsvr32.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 88 09 75 03 A1 E5 6A 74 6C A2 63 45 C2 1F C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\150]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

[HKCU\Software\CodeGear\Locales\%System%]
"regsvr32.exe" = "en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\170]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7D6E502F-02F7-46E9-AA46-D3364038B6F7}\Tools\{8E27E89C-8CCA-46BE-A4B3-6AF4FA66DA56}\140]
"(Default)" = "%Program Files%\SafePCRepair\MindSparkTools.dll"

The process 00000548T8SETUP.EXE:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}]
"(Default)" = "IIEInstalledToolbar"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\TypeLib]
"(Default)" = "{154690a0-7778-41b5-a3ab-eb51e2482b74}"

[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\ProgID]
"(Default)" = "SafePCRepair_89.HTMLPanel.1"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"hpp" = "0"

[HKCR\TypeLib\{0BC5607D-DC04-410A-B137-73F2EE733596}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{b6de1d4c-f21b-4056-a99c-1727fd6400ce}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"ID" = "A4D5BA16-1A54-4268-8FCA-EF1C21BC208F"


[HKCR\CLSID\{5806dc83-95c8-4120-a305-cbce6260adf1}\Version]
"(Default)" = "1.0"

[HKCU\Software\Classes\CLSID\{be823b8c-a7ec-4078-a321-0f8046cbb48a}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\SafePCRepair_89.MultipleButton\CLSID]
"(Default)" = "{2accb327-7218-4979-8eb7-0e653bc0ea66}"

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{F7B9F27C-2E1A-429C-972A-DA83F1165B74}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{816098C9-EC16-4106-9FF7-E19580B2C338}\VersionIndependentProgID]
"(Default)" = "SafePCRepair_89.HTMLMenu"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Integrators]
"89DlgHk.dll" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 CD BE 0C 25 9C 25 2C EC 5F F0 55 2C CB AC 36"

[HKCR\SafePCRepair_89.HTMLMenu\CurVer]
"(Default)" = "SafePCRepair_89.HTMLMenu.1"

[HKCR\Interface\{41A55DD5-AF6C-482F-9FED-0F3326D71800}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{7E84E65B-E911-4DC3-B316-E2E854343D1B}]
"(Default)" = "IHttpControl"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""

[HKCR\SafePCRepair_89.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"

[HKCR\TypeLib\{CCB31621-E2C6-43E7-B5D8-2B161973D5C3}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{154690A0-7778-41B5-A3AB-EB51E2482B74}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\Interface\{394E9A2F-F433-43F1-9A2E-EAC2C6BB8D80}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"

[HKCR\SafePCRepair_89.FeedManager]
"(Default)" = ""

[HKCR\Interface\{A0222970-4A74-4E1D-B0B7-F83D42AEB676}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"au" = "1"

[HKCR\Interface\{2438F6B7-0532-4C8C-9C5C-B34935DD3D70}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = ""

[HKCR\Interface\{C62485E9-50DB-4F12-AE49-5D0A9B8BAC2C}\TypeLib]
"(Default)" = "{63498647-B3EF-4A8A-8C98-163ECF8048FE}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"un" = "SafePCRepair"

[HKCR\SafePCRepair_89.ToolbarProtector\CLSID]
"(Default)" = "{b6de1d4c-f21b-4056-a99c-1727fd6400ce}"

[HKCR\TypeLib\{6C227856-D369-4B3F-A317-89E4B1CD1A83}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{35C03DE9-8BA0-4B87-B3D1-51944C349FF1}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}]
"(Default)" = "SafePCRepair Third Party Installer"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}]
"(Default)" = "Skin Settings"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{816098C9-EC16-4106-9FF7-E19580B2C338}]
"(Default)" = ""

[HKCR\CLSID\{76816fb7-2009-45ec-a3d7-0d45c67d5bd7}]
"(Default)" = ""

[HKCR\Interface\{565ABC73-E8CB-4261-8FDE-C281445CA53D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{535062C7-0E84-4CD0-BEB2-59F41DD1A8F5}]
"(Default)" = "ITemplateBarControl"

[HKCR\Interface\{9E6E74B8-655A-4E4E-B5E0-6930412A7D55}\TypeLib]
"(Default)" = "{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c34c0e9f-c070-4b05-b912-563c3cff8555}]
"AppName" = "89SrchMn.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a983b26d-76cb-41c6-947e-4eeff0906747}]
"AppPath" = "%Program Files%\SafePCRepair_89\bar\1.bin"

[HKCR\CLSID\{50066dbf-71b9-4489-b62e-4188d3048db2}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll"

[HKCR\SafePCRepair_89.ScriptButton\CLSID]
"(Default)" = "{a8d7fcf9-a855-449b-aa9f-230ba62c4b4e}"

[HKCR\Interface\{B4BCF535-178F-43C9-98B3-1C5447AAF153}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{BD821925-6AEE-4FFF-A8E8-7AB1F50B0F4F}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"

[HKCR\SafePCRepair_89.HTMLPanel\CLSID]
"(Default)" = "{5806dc83-95c8-4120-a305-cbce6260adf1}"

[HKCR\SafePCRepair_89.HTMLPanel]
"(Default)" = "SafePCRepair_89 HTML Panel"

[HKCR\Interface\{356E8E19-4DEB-4F01-8DB4-1A0C99129CE7}]
"(Default)" = "IIEInstalledToolbars"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}]
"(Default)" = "ITemplateBarMenu"

[HKCR\Interface\{E07DD2E8-0B35-4F00-B311-1F079B94A1B4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{499616EC-7C3D-499E-95ED-5D37D7FC7A3F}\TypeLib]
"(Default)" = "{154690A0-7778-41B5-A3AB-EB51E2482B74}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\SafePCRepair_89\bar\Switches]
"oldhpp" = "0"

[HKCR\TypeLib\{B2A921D8-E831-468F-BBC6-16416342C0A7}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\InprocServer32]
"(Default)" = "%Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll"

[HKCR\Interface\{5AB21B6C-9EAA-465D-9C21-A1F75981773C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B98BE44D-266A-45FE-814D-DB708279E238}\TypeLib]
"(Default)" = "{0BC5607D-DC04-410A-B137-73F2EE733596}"

[HKCR\Interface\{2E685A5C-6D12-4C22-AA7B-32E7467FD7A0}]
"(Default)" = "_IDataCtrlEvents"

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B24F3E66-6E22-456F-85F0-43BEF5784F6C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5ed1334e-4e55-40cd-accb-05ce52ad981d}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{e81003f0-8f21-4a23-8142-403d821198ac}]
"(Default)" = ""

[HKCR\Interface\{A5935A23-63D1-4216-B6B3-7B392880EB21}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A983B26D-76CB-41C6-947E-4EEFF0906747}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2438f6b7-0532-4c8c-9c5c-b34935dd3d70}]
"Policy" = "3"

[HKCR\Interface\{E07714D8-5006-492B-A2B1-B433949D6B1D}\TypeLib]
"(Default)" = "{6C227856-D369-4B3F-A317-89E4B1CD1A83}"

[HKCR\CLSID\{fe617740-9986-4a5b-a4a8-a66d64ce5e7d}\TypeLib]
"(Default)" = "{f7b9f27c-2e1a-429c-972a-da83f1165b74}"

[HKCR\Interface\{59B4F810-41AC-40F0-9FF1-703EAD14C290}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fc509df-4b29-4ab3-96e6-47c178d60287}]
"(Default)" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]
"(Default)" = ""

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"

"SafePCRepair Search Scope Monitor" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89srchmn.exe /m=2 /w /h"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d13bf91-ea09-4ed8-9acd-c6bad32617b9}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKLM\SOFTWARE\SafePCRepair_89\bar]
"pid2"
"ConfigDateStamp"
"un"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafePCRepair Search Scope Monitor"

The process {988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe:732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 6D A6 D3 BA 60 E7 C9 DD 21 0A B7 97 B5 B6 CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 89srchmn.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 39 D5 BA EB 22 3D E0 DB D4 77 A4 72 D0 7D 2E"

The process AppIntegrator.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 7D 33 FB 97 20 33 F0 AE 8C 5F 97 68 FA B5 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process irsetup.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayVersion" = "1.0.0.5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"InstallLocation" = "%Program Files%\SafePCRepair"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"HelpLink" = "http://www.mindspark.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"Contact" = "Mindspark Interactive Network Support Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayIcon" = "%Program Files%\SafePCRepair\SPR.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"UninstallString" = "%Program Files%\SafePCRepair\uninstall.exe /U:%Program Files%\SafePCRepair\Uninstall\uninstall.xml"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C DB 7D 1B 73 E3 29 91 FA 00 21 95 19 3A 04 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\AppDataLow\Software\Mindspark\SafePCRepair]
"InstallDir" = "%Program Files%\SafePCRepair\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"DisplayName" = "SafePCRepair"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafePCRepair]
"URLInfoAbout" = "http://www.mindspark.com/"
"Publisher" = "Mindspark Interactive Network"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: SafePCRepair
Product Name: SafePCRepair
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 89Setup.exe
Internal Name: 89Setup
File Version: 2, 0, 5, 6
File Description: SafePCRepair
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 7790 8192 4.27339 e28848bc1d5d86f7e6683c7388b6f4e3
.rdata 12288 8748 12288 1.7971 07d6fef428c96dbe020e31fb83cdd0d0
.data 24576 2126 4096 1.23441 a47f92d38213ea3f932932afa2f5c0f4
.rsrc 28672 5786104 5787648 5.39414 e5699bb5397a68f7fe6064b97e4a4a83

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1834.g2.akamai.net/images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl
hxxp://ak.dl.safepcrepair.com/images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe 213.155.152.155
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl 23.43.133.163
hxxp://crl.verisign.com/pca3-g5.crl 23.43.133.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.43.133.163
hxxp://crl.thawte.com/ThawteTimestampingCA.crl 23.43.133.163
anx.mindspark.com 74.113.233.187


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "075003e67d35591a801778336e66e994:1411607711"
Last-Modified: Thu, 25 Sep 2014 01:15:11 GMT
Date: Thu, 30 Oct 2014 14:08:34 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl


GET /images/nocache/vicinio/executable-packages/SafePCRepair/1386165611692/SafePCRepairSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ak.dl.safepcrepair.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 04 Dec 2013 14:00:24 GMT
ETag: "b0df1f-552f70-4ecb5d5a2befb"
Accept-Ranges: bytes
Content-Length: 5582704
Cache-Control: max-age=286847531
Expires: Sat 02 Apr 1977 17:15:00 GMT
Pragma: no-cache
Content-Type: application/x-msdownload
Date: Thu, 30 Oct 2014 14:08:12 GMT
Connection: keep-alive

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "bd6753109994fa1bef1833b34f3e263b:1411514416"
Last-Modified: Tue, 23 Sep 2014 23:20:16 GMT
Date: Thu, 30 Oct 2014 14:08:33 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "3bd9931c100cf8b7632f8636615fb822:1414660213"
Last-Modified: Thu, 30 Oct 2014 09:10:13 GMT
Date: Thu, 30 Oct 2014 14:08:33 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl

<<< skipped >>>

GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "f3da2c763a96a66133c1e390985aed0b:1414660298"
Last-Modified: Thu, 30 Oct 2014 09:11:38 GMT
Date: Thu, 30 Oct 2014 14:08:34 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl


The Trojan connects to the servers at the following location(s):

89HighIn.exe_1324:

.text
`.rdata
@.data
.rsrc
@.reloc
SHLWAPI.dll
KERNEL32.dll
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\t8HighIn.pdb
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
1.0.7.235
t8HighIn.exe
2.5.15.2

AppIntegrator.exe_1580:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
SHELL32.dll
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MaxPolicyElementKey
AppIntegrator.cpp
IAC::AppIntegrator::Application::SetupWindowsHook
C++ Exception thrown in %s: %s
ATL Exception thrown in %s: 0xX
Unknown exception thrown in %s
RegOpenKeyTransactedW
E:\TeamCity\BuildAgent1\work\e76829348a1f1718\Projects\ChromeExtAPI_Dev2\Build.TT\Release.x86\AppIntegrator.pdb
KERNEL32.dll
MsgWaitForMultipleObjects
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
SHRegOpenUSKeyW
SHRegCloseUSKey
SHRegCreateUSKeyW
SHLWAPI.dll
USERENV.dll
VERSION.dll
GetProcessHeap
GetCPInfo
AppIntegrator.exe
zcÁ
.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V<lambda14>@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V<lambda5>@?A0xbc07b221@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@
.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@
.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
< =/=8=\=
>$>,>4><>
6 6$6(6,606
2 2@2\2`2
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
ieframe.dll
g%s:AppIntegratorShutdown
Already running! %s
The %s event cannot be created (%u)
\AppIntegratorStub.dll
Error calling GetProcAddress %u
Error calling SetWindowsHookEx %u
Failed to enable heap terminate-on-corruption with LastError %u
Error: %S
Error: 0x%0x
TraceLogUnitTest.exe
TraceLog.cfg
).csv
\StringFileInfo\XX\OriginalFilename
@t8res.dll
Advapi32.dll
C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
C:\PROGRA~1\SAFEPC~1\bar\1.bin
@C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe
1.0.7.235
2.5.15.2


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    89HighIn.exe:1324
    89barsvc.exe:876
    89barsvc.exe:304
    89barsvc.exe:1944
    TPIManagerConsole.exe:936
    %original file name%.exe:1352
    ioloToolService.exe:472
    regsvr32.exe:1540
    00000548T8SETUP.EXE:1180
    {988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe:732
    89srchmn.exe:1272
    irsetup.exe:1092

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VKEM6ZJP\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\{988F5184-73DD-407D-AC4A-7FFF0A5F8D90}.exe (1047471 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FTXE3DPE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WRI0UJBT\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LEIQM67U\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EXE (190298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00000548T8SETUP.EX_ (39950 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89bar.dll (5442 bytes)
    %Program Files%\SafePCRepair_89\bar\Message\COMMON.T8S (100 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89regiet.dll (87 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89skplay.exe (55 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89medint.exe (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\AppIntegrator64.exe (264 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89idle.dll (62 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CREXT.DLL (6422 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\Hpg64.dll (220 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CHROME.MANIFEST (1 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89regfft.dll (85 bytes)
    %System%\config\system (3482 bytes)
    %Program Files%\SafePCRepair_89\bar\assists\COMMON.T8S (138 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89bprtct.dll (121 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8HTML.DLL (202 bytes)
    %Program Files%\SafePCRepair_89\bar\Settings\s_pid.dat (8 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89highin.exe (13 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\chrome\89ffxtbr.jar (1829 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EXTPEX.DLL (108 bytes)
    %System%\config\SOFTWARE.LOG (34985 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89tpinst.dll (179 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\BOOTSTRAP.JS (20 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89hkstub.dll (59 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89feedmg.dll (145 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\INSTALL.RDF (2 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89mlbtn.dll (98 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89dlghk.dll (121 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\CrExtP89.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89barsvc.exe (90 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\VERIFY.DLL (70 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89srchmr.dll (87 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR.DLL (1628 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89SrcAs.dll (144 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89httpct.dll (151 bytes)
    %System%\config\SYSTEM.LOG (5289 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89dlghk64.dll (147 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89reghk.dll (80 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\installKeys.js (207 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\LOGO.BMP (10 bytes)
    %Program Files%\SafePCRepair_89\bar\gen1\COMMON.T8S (1 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (4896 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89Plugin.dll (83 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EXTEX.DLL (102 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8RES.DLL (198 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATOR.EXE (229 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89datact.dll (171 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89SrchMn.exe (55 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89skin.dll (212 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
    %System%\config\software (31988 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HPG.DLL (237 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8TICKER.DLL (171 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89htmlmu.dll (214 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\FF-NativeMessagingDispatcher.dll (1767 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\89script.dll (104 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\DPNMNGR.DLL (217 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\HKFXMGR64.DLL (1729 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
    %Program Files%\SafePCRepair_89\bar\1.bin\T8EPMSUP.DLL (79 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SafePCRepair Setup Log.txt (3398 bytes)
    %Program Files%\SafePCRepair\Newtonsoft.Json.dll (4895 bytes)
    %Program Files%\SafePCRepair\SPR.exe.config (885 bytes)
    %Program Files%\SafePCRepair\Uninstall\uni1.tmp (11621 bytes)
    %Program Files%\SafePCRepair\IoloServiceWrapper.dll (34 bytes)
    %Program Files%\SafePCRepair\log4net.dll (2807 bytes)
    %Program Files%\SafePCRepair\Uninstall\Wow64.lmd (601 bytes)
    %Program Files%\SafePCRepair\uninstall.exe (9213 bytes)
    %Program Files%\SafePCRepair\ioloToolService.dll (24 bytes)
    %Program Files%\SafePCRepair\ioloToolService.exe (22524 bytes)
    %Program Files%\SafePCRepair\MindSparkTools.dll (20641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
    %Program Files%\SafePCRepair\Microsoft.Expression.Drawing.dll (1137 bytes)
    %Program Files%\SafePCRepair\Uninstall\IRIMG1.PNG (5 bytes)
    %Program Files%\SafePCRepair\TaskDialog.dll (1137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\spr.ico (5 bytes)
    %Program Files%\SafePCRepair\Uninstall\uninstall.dat (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
    %Program Files%\SafePCRepair\lua5.1.dll (2902 bytes)
    %Program Files%\SafePCRepair\Uninstall\uninstall.xml (1201 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SafePCRepair" = "rundll32 C:\PROGRA~1\SAFEPC~1\bar\1.bin\89bar.dll,S"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SafePCRepair AppIntegrator 32-bit" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\AppIntegrator.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SafePCRepair Search Scope Monitor" = "C:\PROGRA~1\SAFEPC~1\bar\1.bin\89srchmn.exe /m=2 /w /h"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
