MD5: 61c23fbe048e7ca377ce60389f235414
SHA1: b926fb363b922816896a7f17bcf2e6df579e4aa3
SHA256: 15150cafc7f60248798a87e50549384e23f223dabfa80ed30af499772231cacc
SSDeep: 98304:pDJw/LJpxkvEqQJPoR/J2EwRm41fRJBFAuXmzixMVGMFkF yDHxj4e3:paLxfqQ R/wEH4FRJBFfXcixO4 yLx/3
Size: 5822864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Marine Aquarium Lite
Created at: 2014-07-01 20:38:05
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

57srchmn.exe:1556
MALiteSetup.tmp:252
TPIManagerConsole.exe:364
{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500
00000294T8SETUP.EXE:1276
57HighIn.exe:1900
MALiteSetup.exe:160
57barsvc.exe:1284
57barsvc.exe:1016
57barsvc.exe:1564
%original file name%.exe:660
irsetup.exe:1968

The Trojan injects its code into the following process(es):

AppIntegrator.exe:1088

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process MALiteSetup.tmp:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.dat (2064 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-AN6HM.tmp (7150 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium on the Web.lnk (981 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\www.SereneScreen.com.url (310 bytes)
%System%\is-0I46C.tmp (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-IABLG.tmp (195 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Marine Aquarium Lite.lnk (706 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BO418.tmp (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Documents and Settings%\%current user%\Desktop\SereneScreen Marine Aquarium Lite.lnk (688 bytes)
%Program Files%\SereneScreen\Marine Aquarium Lite\is-BVAE0.tmp (35 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\Prolific Publishing on the Web.lnk (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup (0 bytes)

The process TPIManagerConsole.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L4Z4NAVX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (136 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (1495258 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9AB3MJ6C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VO9Z1ANT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDL92Q1D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)

The Trojan deletes the following file(s):

%Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (0 bytes)

The process {D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process 00000294T8SETUP.EXE:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll (145 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll (144 bytes)
%System%\config (200 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\INSTALL.RDF (2 bytes)
%Program Files%\MarineAquarium3Free_57\bar\assists\COMMON.T8S (138 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\BOOTSTRAP.JS (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CrExtP57.exe (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57medint.exe (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CHROME.MANIFEST (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HPG.DLL (237 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR.DLL (1629 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegrator64.exe (258 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57hkstub.dll (59 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk64.dll (147 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57srchmr.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll (179 bytes)
%System%\config\SOFTWARE.LOG (42313 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regfft.dll (85 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57barsvc.exe (90 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll (214 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57idle.dll (62 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTPEX.DLL (108 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL (202 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8TICKER.DLL (171 bytes)
%System%\config\system (2812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (1564 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\Hpg64.dll (220 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57Plugin.dll (83 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6408 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll (98 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Settings\s_pid.dat (6 bytes)
%Program Files%\MarineAquarium3Free_57\bar\gen1\COMMON.T8S (1 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll (121 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL (218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll (171 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57regiet.dll (87 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EPMSUP.DLL (79 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll (104 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skplay.exe (55 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll (151 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll (5442 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\LOGO.BMP (10 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
%System%\config\software (34218 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\chrome\57ffxtbr.jar (1829 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll (212 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe (13 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3544 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\VERIFY.DLL (70 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
%Program Files%\MarineAquarium3Free_57\bar\Message\COMMON.T8S (100 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8RES.DLL (196 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\CREXT.DLL (6422 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\57reghk.dll (80 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\installKeys.js (206 bytes)
%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTEX.DLL (102 bytes)

The process MALiteSetup.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (3790 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp (0 bytes)

The process %original file name%.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (188805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (39950 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (0 bytes)

The process irsetup.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MarineAquarium Setup Log.txt (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (33812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW1.tmp (0 bytes)

Registry activity

The process 57srchmn.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 33 FE 5D DC 19 F3 E7 6D 8C 69 31 FB 63 3D EA"

The process MALiteSetup.tmp:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Publisher" = "Prolific Publishing, Inc."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayName" = "SereneScreen Marine Aquarium Lite"
"Inno Setup: User" = "%CurrentUserName%"
"MinorVersion" = "0"
"Inno Setup: Icon Group" = "SereneScreen"
"Inno Setup: App Path" = "%Program Files%\SereneScreen\Marine Aquarium Lite"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayIcon" = "%System%\MarineAquariumLite.exe"
"URLUpdateInfo" = "http://www.SereneScreen.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\SereneScreen\MarineAquariumLite]
"EXE" = "%System%\MarineAquariumLite.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"AppName" = "MarineAquariumLite.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayVersion" = "3.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"MajorVersion" = "3"
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"

[HKCU\Control Panel\Desktop]
"ScreenSaveTimeOut" = "120"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"InstallDate" = "20140916"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"URLInfoAbout" = "http://www.ProlificPublishingInc.com"
"Inno Setup: Setup Version" = "5.3.11 (a)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"InstallLocation" = "%Program Files%\SereneScreen\Marine Aquarium Lite\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"NoRepair" = "1"
"UninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Inno Setup: Language" = "en"
"QuietUninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe /SILENT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "MarineAquariumLite.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Readme" = ".\Readme.txt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{936872f0-5423-11e1-b86c-0800200c9a66}]
"AppPath" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 2F F4 D4 FB 8F D3 EC B5 82 A4 93 7F FA 5E 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"Inno Setup: Deselected Tasks" = ""
"HelpLink" = "http://www.SereneScreen.com"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]

The process TPIManagerConsole.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 6F 6C 70 1E A6 4D FD 50 63 F5 FE 8B 55 62 2D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\MarineAquarium3Free_57\Dependencies]
"dependencymanagerpath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL"

[HKLM\SOFTWARE\MarineAquarium3Free_57\Dependencies\MarineAquarium]
"uninstall" = "0"
"FriendlyName" = "Marine Aquarium Lite"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process {D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D C6 0B 81 4F 97 F6 03 FB EC 8C 0B 1B 03 82 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 00000294T8SETUP.EXE:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Maximized" = "1"

[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\TypeLib]
"(Default)" = "{fdb8f0c7-adf7-4a45-b762-fe8ef4970dbd}"

[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}]
"(Default)" = "ISessionData"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}]
"(Default)" = "ITemplateBarMenu"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"AppName" = "57medint.exe"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"un" = "Marine Aquarium Lite"
"RegHookPath" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57reghk"

[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.ScriptButton\CLSID]
"(Default)" = "{94c67622-4e77-495a-9457-c8064c92a228}"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\ProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel.1"

[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"

[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin\MimeTypes\application/x-marineaquarium3free_57plugin]
"Suffixes" = "57"

[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}]
"(Default)" = "HttpControl Class"

[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}]
"(Default)" = "Marine Aquarium Lite Third Party Installer"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin\CurVer]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin.1"

[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}]
"(Default)" = "ITemplateBarControl"

[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.ToolbarProtector]
"(Default)" = "ProtectorControl Class"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}]
"(Default)" = "Skin Settings"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Version" = "1.1.1.1"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin\CLSID]
"(Default)" = "{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}"

[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\SkinTools]
"PlayerPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SkPlay.exe"

[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0]
"(Default)" = "BARFEEDTYPELIB_NAME"

[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\TypeLib]
"(Default)" = "{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}"

[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\MarineAquarium3Free_57.HTMLMenu\CurVer]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu.1"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.FeedManager"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"57DlgHk.dll" = ""

[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\625"

[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\TypeLib]
"(Default)" = "{199350AF-34C3-496F-A764-F4BF91CF2835}"

[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1807"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"Policy" = "3"

[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\TypeLib]
"(Default)" = "{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"AppName" = "CrExtP57.exe"

[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"Policy" = "3"

[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PartnerPixelNotSet" = ""

[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0]
"(Default)" = "TEMPLATEHTMLMenuLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"UninstallString" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe 57bar.dll,O uninstalltype=IE"

[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ScriptButton.1"

[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller.1\CLSID]
"(Default)" = "{dd4285fa-3345-4b73-92e5-4de464edc3b2}"

[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"

[HKCR\MarineAquarium3Free_57.ToolbarProtector.1]
"(Default)" = "ProtectorControl Class"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"UninstallFFString" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe 57bar.dll,O uninstalltype=FF"

[HKCR\MarineAquarium3Free_57.FeedManager.1\CLSID]
"(Default)" = "{f153e08e-19e7-4ece-bb2b-afe06394c6ea}"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}]
"(Default)" = "Popup Menu Plugin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}]
"(Default)" = "BARFEEDMANAGER_INTERFACE"

[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\ProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{dd4285fa-3345-4b73-92e5-4de464edc3b2}]
"(Default)" = ""

[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}]
"(Default)" = "HTMLPANELEVENTS_INTERFACE"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\MiscStatus\1]
"(Default)" = "131473"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\TypeLib]
"(Default)" = "{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"lidate" = "2014-09-16T05:22:12Z"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b6e803d8-1514-4aa2-a53e-358400dfbb94}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\TypeLib]
"(Default)" = "{09e63ba3-09c7-4d20-9e4b-2ebad3be5b50}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}]
"(Default)" = "MarineAquarium3Free_57 HTML"

[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1506"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}]
"(Default)" = "IIEInstalledToolbars"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C0FD73B4-C692-4061-B36F-BC15B111314C}]
"(Default)" = ""

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"

[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll"

[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}]
"(Default)" = ""

[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.HTMLMenu.1]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"

[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Visible" = "1"

[HKCR\MarineAquarium3Free_57.SettingsPlugin.1\CLSID]
"(Default)" = "{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"

[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\TypeLib]
"(Default)" = "{199350AF-34C3-496F-A764-F4BF91CF2835}"

[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"au" = "1"

[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Description" = "Marine Aquarium Lite Plugin"

[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0]
"(Default)" = "DataCtrl 1.0 Type Library"

[HKCR\MarineAquarium3Free_57.ScriptButton\CurVer]
"(Default)" = "MarineAquarium3Free_57.ScriptButton.1"

[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\TypeLib]
"(Default)" = "{a29ba259-04a2-426b-949f-d486e674df9b}"

[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll"

[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\TypeLib]
"(Default)" = "{d458d0d1-08f3-4dc9-9c67-ade048ae0ef9}"

[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\TypeLib]
"Version" = "1.0"

[HKCR\MarineAquarium3Free_57.MultipleButton\CLSID]
"(Default)" = "{ad750e83-1c56-4196-90e3-e5a0f3c5421c}"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\ProgID]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin.1"

[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ScriptButton"

[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"

[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}]
"(Default)" = "HTMLPANEL_INTERFACE"

[HKCR\MarineAquarium3Free_57.HTMLPanel\CLSID]
"(Default)" = "{eda1dca1-c71d-46e7-b504-6cefd21ee60d}"

[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller\CurVer]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller.1"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"ToolbarGuard.dll" = ""

[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MarineAquarium3Free_57.SettingsPlugin.1]
"(Default)" = ""

[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0]
"(Default)" = "TYPELIB_NAME"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"dir" = "%Program Files%\MarineAquarium3Free_57\bar\"

[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"AppName" = "57SrchMn.exe"

[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller\CLSID]
"(Default)" = "{dd4285fa-3345-4b73-92e5-4de464edc3b2}"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin.1\CLSID]
"(Default)" = "{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"HomePage" = "http://home.tb.ask.com/index.jhtml?n=780C9958&p2=^0D&ptb=D384F68F-2C0B-4FC8-9083-333ABE20BF2C"

[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}]
"(Default)" = "Marine Aquarium Lite"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"

[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}]
"(Default)" = "IDataCtrl"

[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\MiscStatus]
"(Default)" = "0"

[HKCR\MarineAquarium3Free_57.HTMLPanel\CurVer]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel.1"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\MarineAquarium3Free_57.ScriptButton.1]
"(Default)" = ""

[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\TypeLib]
"(Default)" = "{83783d62-ec4a-4cdd-acb3-b2a4bf184959}"

[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0]
"(Default)" = "Skin 1.0 Type Library"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"ua" = "0"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.PseudoTransparentPlugin"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}]
"(Default)" = "BARFEED_INTERFACE"

[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\ProgID]
"(Default)" = "MarineAquarium3Free_57.MultipleButton.1"

[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLPanel"

[HKCR\MarineAquarium3Free_57.MultipleButton\CurVer]
"(Default)" = "MarineAquarium3Free_57.MultipleButton.1"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Firefox]
"UninstallString" = "rundll32 %Program Files%\MarineAquarium3Free_57\bar\1.bin\57Bar.dll,O mindsparktoolbarkey=MarineAquarium3Free_57 uninstalltype=FF"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"Policy" = "3"

[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}]
"(Default)" = "IHttpControlEvents"

[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.HTMLMenu"

[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}]
"(Default)" = "SKINWINDOW_INTERFACE"

[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}\TypeLib]
"(Default)" = "{2F868090-A282-4C80-AC30-F743C9BECADF}"

[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.SettingsPlugin]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"AppName" = "57SlSrch.exe"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f4d12989-af1c-4363-bfcf-b9ad96d18b0f}]
"AppName" = "AppIntegrator.exe"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"od" = "1"

[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"ok" = "1"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}]
"(Default)" = "ProtectorControl Class"

[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}]
"(Default)" = "IDisableAddonRebuttal"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"

[HKCR\MarineAquarium3Free_57.HTMLMenu]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"

[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"

[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}]
"(Default)" = "ITemplateBarButtonRect"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\TypeLib]
"(Default)" = "{00c5edb1-1261-41eb-8fee-9c0c2cd98058}"

[HKCR\MarineAquarium3Free_57.ScriptButton.1\CLSID]
"(Default)" = "{94c67622-4e77-495a-9457-c8064c92a228}"

[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\405"

[HKCR\MarineAquarium3Free_57.ToolbarProtector\CurVer]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector.1"

[HKCR\MarineAquarium3Free_57.FeedManager\CurVer]
"(Default)" = "MarineAquarium3Free_57.FeedManager.1"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\ProgID]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin.1]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\TypeLib]
"(Default)" = "{fb84548c-47c9-4323-820b-9e46b50e9947}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"CrExtP57.exe" = "0"

[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{107C2EDD-3388-452B-A6B8-2AAD8EF816B6}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0]
"(Default)" = "DialogHook 1.0 Type Library"

[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"Publisher" = "Mindspark Interactive Network"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\PROGRA~1\MARINE~1\bar\1.bin]
"AppIntegrator.exe" = "Mindspark Toolbar Platform"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}]
"(Default)" = ""

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"pl" = "9"

[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"DisplayName" = "Marine Aquarium Lite Internet Explorer Toolbar"

[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"vendor" = "MarineAquarium3Free_57"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c1c3d4a-dcff-443d-a49f-4abb6af151af}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PID" = "^0D"

[HKCR\MarineAquarium3Free_57.MultipleButton.1\CLSID]
"(Default)" = "{ad750e83-1c56-4196-90e3-e5a0f3c5421c}"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\TypeLib]
"(Default)" = "{199350af-34c3-496f-a764-f4bf91cf2835}"

[HKCR\MarineAquarium3Free_57.MultipleButton.1]
"(Default)" = ""

[HKCR\TypeLib\{DBC4BE0B-800C-4075-9521-A9F6B00D6982}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1604"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector"

[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.SettingsPlugin\CurVer]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin.1"

[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.SettingsPlugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"URLInfoAbout" = "http://support.mindspark.com/"

[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"

[HKCR\MarineAquarium3Free_57.FeedManager\CLSID]
"(Default)" = "{f153e08e-19e7-4ece-bb2b-afe06394c6ea}"

[HKCR\Interface\{6F776034-C1E7-41CB-B099-839FCA62E732}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"tiec" = "208976"

[HKCR\CLSID\{3ca77147-e5a4-43ba-80b2-efa3245f8d88}\ProgID]
"(Default)" = "MarineAquarium3Free_57.ToolbarProtector.1"

[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}]
"(Default)" = "SKINSETTINGS_INTERFACE"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ecd011be-bc4c-45dd-85bc-70e5f36806d9}]
"Policy" = "3"

[HKCR\TypeLib\{FB84548C-47C9-4323-820B-9E46B50E9947}\1.0]
"(Default)" = "HTML 1.0 Type Library"

[HKCR\TypeLib\{A29BA259-04A2-426B-949F-D486E674DF9B}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"UninstallString" = "rundll32 %Program Files%\MarineAquarium3Free_57\bar\1.bin\57Bar.dll,O mindsparktoolbarkey=MarineAquarium3Free_57 uninstalltype=IE"

[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\TypeLib]
"(Default)" = "{DBC4BE0B-800C-4075-9521-A9F6B00D6982}"

[HKCR\MarineAquarium3Free_57.HTMLPanel.1]
"(Default)" = "MarineAquarium3Free_57 HTML Panel"

[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}]
"(Default)" = "Toolbar BHO"

[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}]
"(Default)" = "IProtectorControl"

[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"sr" = "0"

[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}]
"(Default)" = "_IThirdPartyInstallerEvents"

[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}]
"(Default)" = "DataCtrl Class"

[HKCR\CLSID\{7706dcce-fed8-4ed7-80b2-5f88c33ee317}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\MiscStatus]
"(Default)" = "0"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{327f75ed-061b-4339-8cc6-5dd45ad1396d}" = ""

[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1104"

[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}]
"(Default)" = "IThirdPartyInstaller"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.ThirdPartyInstaller"

[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\TypeLib]
"(Default)" = "{FB84548C-47C9-4323-820B-9E46B50E9947}"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\TypeLib]
"(Default)" = "{A29BA259-04A2-426B-949F-D486E674DF9B}"

[HKCR\MarineAquarium3Free_57.FeedManager.1]
"(Default)" = ""

[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"

[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}]
"(Default)" = "ITemplateHTMLMenu"

[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\VersionIndependentProgID]
"(Default)" = "MarineAquarium3Free_57.MultipleButton"

[HKCR\Interface\{71AC0D70-4274-4B53-8101-26F7249EAFE4}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\MarineAquarium3Free_57.ScriptButton]
"(Default)" = ""

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"PluginPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"HPG.dll" = ""

[HKCR\Interface\{F62FBB9B-25D9-41C5-97C0-7ED7AFBF2410}]
"(Default)" = "IIEInstalledToolbar"

[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}]
"(Default)" = "_ITemplateBarSettingsEvents"

[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{07189b84-b33b-4a1e-9b32-ad203c983c20}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll"

[HKCR\MarineAquarium3Free_57.HTMLMenu\CLSID]
"(Default)" = "{C0FD73B4-C692-4061-B36F-BC15B111314C}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"hpwl" = ".mywebsearch.com,.google.com,.yahoo.com,.bing.com,.msn.com"

[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\626"

[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\TypeLib]
"(Default)" = "{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}]
"(Default)" = ""

[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}]
"(Default)" = ""

[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}]
"(Default)" = "PSEUDOTRANSPARENT_INTERFACE"

[HKCR\MarineAquarium3Free_57.ToolbarProtector.1\CLSID]
"(Default)" = "{3ca77147-e5a4-43ba-80b2-efa3245f8d88}"

[HKCR\Interface\{DA60568C-C30E-4680-ADEA-89BF1DD050EA}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{C71EA797-7B15-438B-894A-9AB54D752430}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{A91067AB-9AC6-4607-B9F2-FB62228195EF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nd" = "0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"AssistMonitor.dll" = ""

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3E3BEAE8-5B73-4AA4-8191-6AAD3E17D7CC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MarineAquarium3Free_57bar Uninstall Internet Explorer]
"HelpLink" = "http://support.mindspark.com/"

[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}]
"(Default)" = "SEARCHSCOPE_INTERFACE"

[HKCR\TypeLib\{199350AF-34C3-496F-A764-F4BF91CF2835}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\MarineAquarium3Free_57.ToolbarProtector\CLSID]
"(Default)" = "{3ca77147-e5a4-43ba-80b2-efa3245f8d88}"

[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"DeletedCustomizations" = "1"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nk" = "0"

[HKCR\MarineAquarium3Free_57.HTMLPanel]
"(Default)" = "MarineAquarium3Free_57 HTML Panel"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"InstallingUser" = "S-1-5-21-1844237615-1960408961-1801674531-1003"

[HKCR\MarineAquarium3Free_57.PseudoTransparentPlugin]
"(Default)" = "Pseudo Transparent Plugin"

[HKCR\MarineAquarium3Free_57.FeedManager]
"(Default)" = ""

[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\TypeLib]
"(Default)" = "{DBC4BE0B-800C-4075-9521-A9F6B00D6982}"

[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\TypeLib]
"(Default)" = "{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}"

[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0]
"(Default)" = "HttpControl 1.0 Type Library"

[HKCR\CLSID\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]
"(Default)" = "Search Assistant BHO"

[HKCR\Interface\{E9E780CC-8821-4B00-B4F9-F4C4F82BE2C7}]
"(Default)" = "ITemplateBarSettings"

[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{ad750e83-1c56-4196-90e3-e5a0f3c5421c}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"AppName" = "57SkPlay.exe"

[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\905"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\MarineAquarium3Free_57.MultipleButton]
"(Default)" = ""

[HKCR\Interface\{C9FA2928-5ED3-47AD-996C-997F6A9003EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{327f75ed-061b-4339-8cc6-5dd45ad1396d}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll"

[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\TypeLib]
"(Default)" = "{FB84548C-47C9-4323-820B-9E46B50E9947}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"Build" = "102.46985"

[HKCR\Interface\{1E66D651-C63F-4B5A-8DBB-4C093647BF9B}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{E1700B22-E107-4EC6-943E-5FBBADF213B3}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}]
"(Default)" = "MarineAquarium3Free_57 HTML Menu"

[HKCR\MarineAquarium3Free_57.HTMLMenu.1\CLSID]
"(Default)" = "{C0FD73B4-C692-4061-B36F-BC15B111314C}"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll"

[HKCR\CLSID\{94c67622-4e77-495a-9457-c8064c92a228}]
"(Default)" = ""

[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}]
"(Default)" = "POPUPMENU_INTERFACE"

[HKCR\MarineAquarium3Free_57.HTMLPanel.1\CLSID]
"(Default)" = "{eda1dca1-c71d-46e7-b504-6cefd21ee60d}"

[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"oldhpp" = "0"

[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0]
"(Default)" = "ToolbarProtector 1.0 Type Library"

[HKCR\CLSID\{074d3229-0a22-491b-b9dd-ff3171d75f25}\InprocServer32]
"(Default)" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 62 C1 80 44 8E 7F 81 D9 AB BC DC 81 2C 55 EC"

[HKCR\Interface\{6A1F6969-2069-4036-A0AB-07D4628DF5A1}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"CurInstall" = "1"

[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller.1]
"(Default)" = "Marine Aquarium Lite Third Party Installer"

[HKCR\CLSID\{3f9c1414-58f0-4fbb-9ee6-ab948b604ebd}\TypeLib]
"(Default)" = "{2f868090-a282-4c80-ac30-f743c9becadf}"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin]
"Path" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\NP57Stub.dll"

[HKCR\Interface\{D5CEC7EB-7D25-47BF-AA42-5DB03938509F}]
"(Default)" = "IHttpControl"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"hpp" = "0"

[HKCR\Interface\{3C4E958B-177E-4B3A-A998-4B0263A9564D}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKLM\SOFTWARE\MozillaPlugins\@MarineAquarium3Free_57.com/Plugin\MimeTypes\application/x-marineaquarium3free_57plugin]
"Description" = "Marine Aquarium Lite Plugin"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"RegisteredWithFirefox" = "1"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Integrators]
"57SrcAs.dll" = ""

[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AD6CED5C-457E-43DC-BD4B-D5ED0B87FAB4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{C17F2CA9-F618-4D8C-9C7E-78F9779D3FAA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{07189b84-b33b-4a1e-9b32-ad203c983c20}" = ""

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}\ProgID]
"(Default)" = "MarineAquarium3Free_57.FeedManager.1"

[HKCR\TypeLib\{83783D62-EC4A-4CDD-ACB3-B2A4BF184959}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\MarineAquarium3Free_57.ThirdPartyInstaller]
"(Default)" = "Marine Aquarium Lite Third Party Installer"

[HKCR\CLSID\{e55ebb8c-fb31-4a98-a514-4ecc5fd9c634}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"

[HKCR\Interface\{D521D7CC-1EDA-4F50-905D-7C5B084230F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"57SrcAs.dll" = "0"

[HKCR\Interface\{0A4376DD-C64A-4499-86BA-54578FD3BE3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{eda1dca1-c71d-46e7-b504-6cefd21ee60d}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL"

[HKCR\TypeLib\{00C5EDB1-1261-41EB-8FEE-9C0C2CD98058}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}]
"(Default)" = "ITemplatePopupMenu"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{2F868090-A282-4C80-AC30-F743C9BECADF}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\1406"

[HKCR\CLSID\{cc721fc9-8900-4e3d-a4be-359e6af8e9bb}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"

[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e9e780cc-8821-4b00-b4f9-f4c4f82be2c7}]
"AppPath" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin"

[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\TypeLib]
"(Default)" = "{FDB8F0C7-ADF7-4A45-B762-FE8EF4970DBD}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"ID" = "D384F68F-2C0B-4FC8-9083-333ABE20BF2C"

[HKCR\CLSID\{536e7ae2-c94c-4256-b035-8ec24e6245dd}]
"(Default)" = "Disable Addon Rebuttal Control"

[HKCR\CLSID\{C0FD73B4-C692-4061-B36F-BC15B111314C}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}]
"(Default)" = ""

[HKCR\Interface\{D4517E61-49A5-4712-B487-950FEC8DB4B9}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\Settings\SmileyCentralBtn]
"HTMLMenuPosDeleted" = "1"

[HKCR\CLSID\{f153e08e-19e7-4ece-bb2b-afe06394c6ea}]
"(Default)" = ""

[HKCR\CLSID\{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"SettingsDir" = "%Program Files%\MarineAquarium3Free_57\bar\Settings\"

[HKCR\MarineAquarium3Free_57.SettingsPlugin\CLSID]
"(Default)" = "{d35349a7-84d1-4a70-8536-e9c1f77dcf5b}"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\InprocServer32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f90c885b-332c-4379-965c-3ef665f369dc}]
"Policy" = "3"

[HKCR\TypeLib\{D458D0D1-08F3-4DC9-9C67-ADE048AE0EF9}\1.0\0\win32]
"(Default)" = "%Program Files%\MarineAquarium3Free_57\bar\1.bin\t8res.dll\100"

[HKCR\Interface\{F1FD4F87-D0FD-4A5C-90A7-9A7696FFAEC0}\TypeLib]
"(Default)" = "{09E63BA3-09C7-4D20-9E4B-2EBAD3BE5B50}"

[HKCR\Interface\{2BEA8EF6-4B9D-43DF-9C32-5B91B65E3E58}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{f90c885b-332c-4379-965c-3ef665f369dc}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{F4D12989-AF1C-4363-BFCF-B9AD96D18B0F}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{638B87E0-5EF3-45FA-ACB8-2C7C67958665}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C8D39FE3-DCB1-4E94-9192-A176FC1F19BB}]
"(Default)" = "_IDataCtrlEvents"

[HKCR\CLSID\{dd4285fa-3345-4b73-92e5-4de464edc3b2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5777FB26-1203-4D16-A47F-24B3FF5E0476}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1FB1AF91-D5A5-46AC-990D-D57E53C85E70}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]
"(Default)" = ""

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite Search Scope Monitor" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57srchmn.exe /m=2 /w /h"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074d3229-0a22-491b-b9dd-ff3171d75f25}]
"(Default)" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite AppIntegrator 32-bit" = "C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe"

"Marine Aquarium Lite" = "rundll32 C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll,S"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0eeaa2c3-0cd7-4364-b82e-f9257081c860}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"pid2"
"ConfigDateStamp"
"un"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Marine Aquarium Lite Search Scope Monitor"

The process 57HighIn.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 93 34 0F B0 AB 01 CD E6 E0 19 3E 97 49 DA 54"

The process MALiteSetup.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 64 EB 55 A0 A8 DE FF E9 88 86 10 16 AA CD 5E"

The process 57barsvc.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 C5 64 58 82 98 28 DA 94 8F 0F D1 68 4A 24 DD"

The process 57barsvc.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 11 B9 06 01 A6 8C 11 FB 70 B7 1A 38 29 D2 E3"

The process 57barsvc.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 57 8C 9F 0B 4C 5A B6 E1 2A C3 0A FC 7C 82 E5"

The process %original file name%.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 A6 F6 2C 01 C5 80 8C 59 E3 D2 83 A6 1D 42 61"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar\Switches]
"nodns" = "0"
"ffTabs" = "0"

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"OToIData" = "001"

[HKCU\Software\MarineAquarium3Free_57\Events\EventData]
"00000000_5" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"
"00000000_7" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"
"00000000_6" = "01 00 00 00 08 C9 17 54 00 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\MarineAquarium3Free_57\bar]
"OToIData"

The process AppIntegrator.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 4E 18 C9 62 23 BB 85 FC 85 97 BF 70 52 08 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process irsetup.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"DisplayName" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SereneScreen Marine Aquarium Lite_is1]
"UninstallString" = "%Program Files%\SereneScreen\Marine Aquarium Lite\unins000.exe /SILENT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 6B 76 FD AF F4 4E 9C 70 4C 7C 12 B4 AC E8 09"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Marine Aquarium Lite
Product Name: Marine Aquarium Lite
Product Version: 2, 0, 5, 6
Legal Copyright: Copyright (c) 2009 - 2014
Legal Trademarks:
Original Filename: 57Setup.exe
Internal Name: 57Setup
File Version: 2, 0, 5, 6
File Description: Marine Aquarium Lite
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a1255.g.akamai.net/images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl
hxxp://ak.imgfarm.com/images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe	205.237.69.73
hxxp://crl.thawte.com/ThawteTimestampingCA.crl	23.9.117.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl	23.9.117.163
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl	23.9.117.163
hxxp://crl.verisign.com/pca3-g5.crl	23.9.117.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "dad74562eea63e24f12699a6f02c517d:1403752510"

Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT

Accept-Ranges: bytes

Content-Length: 533

Date: Tue, 16 Sep 2014 05:22:54 GMT

Connection: keep-alive

Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..140617000000Z..140930235959Z0...*.H.............
Z.....{.......iV}.pm@..]...q....MT.....c.......[....?....zZ.....,. P.~
........*.'.....,......Y..!..s$..;.v..y<.................gf.? ...9#
...........O"5u....q1`.H....3...>.....l9g.X..i7.b.N]..<....@....
j.IO..V.oU_v2X....kf.q.......oq.j.e?v..o.l..Y.......!..HTTP/1.1 200 OK
..Server: Apache..ETag: "dad74562eea63e24f12699a6f02c517d:1403752510".
.Last-Modified: Thu, 26 Jun 2014 03:15:10 GMT..Accept-Ranges: bytes..C
ontent-Length: 533..Date: Tue, 16 Sep 2014 05:22:54 GMT..Connection: k
eep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0
..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Netw
ork1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U
...<VeriSign Class 3 Public Primary Certification Authority - G5..1
40617000000Z..140930235959Z0...*.H.............Z.....{.......iV}.pm@..
]...q....MT.....c.......[....?....zZ.....,. P.~........*.'.....,......
Y..!..s$..;.v..y<.................gf.? ...9#...........O"5u....q1`.
H....3...>.....l9g.X..i7.b.N]..<[email protected]_v2X....kf.q.
......oq.j.e?v..o.l..Y.......!....
<<< skipped >>>

GET /images/nocache/vicinio/executable-packages/MarineAquariumLite/1389714302414/MarineAquariumWrapper.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ak.imgfarm.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Tue, 14 Jan 2014 15:45:22 GMT

ETag: "1254474-542f68-4eff0148856a8"

Accept-Ranges: bytes

Content-Length: 5517160

Cache-Control: max-age=296421497

Expires: Sat 02 Apr 1977 17:15:00 GMT

Pragma: no-cache

Content-Type: application/x-msdownload

Date: Tue, 16 Sep 2014 05:22:42 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2...\...\.
..\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\...
......PE..L......R.................X...........).......p....@.........
.................P......ggT...@.................................<..
.d........n............T.`....0.......................................
...@............p..x............................text....W.......X.....
............. ..`.rdata.......p...0...\..............@[email protected]....
[email protected]..................@[email protected]
[email protected].................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U...X......... [email protected].
SVW.}[email protected]@.P..hq@........`........V......SP.......Pp@..
..W..;.}[email protected][email protected]...
@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P..
...u>.......6......P.....~(......:u....~....P......P......P........
[email protected]@[email protected];[email protected].
[email protected]@........u....M._..^3.[.........V..W3.h..
[email protected].....<[email protected]
<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2010-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "aec0b5c56b604d702a55dde13a8fa0c1:1410815112"

Last-Modified: Mon, 15 Sep 2014 21:05:12 GMT

Date: Tue, 16 Sep 2014 05:22:54 GMT

Transfer-Encoding:  chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl
00006000..0....0.......0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 [email protected]
0730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&..
.130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s.
.130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9.
.130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H..
....120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......
0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v....
.w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...
iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M8
3...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID
{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........
'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T...
....130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u..
....130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v.........
.n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!
....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....
@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,
.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.
....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@.....
<<< skipped >>>

GET /tss-ca-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: ts-crl.ws.symantec.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "93e608fe017e91051dfab6a332933d77:1410815792"

Last-Modified: Mon, 15 Sep 2014 21:16:32 GMT

Date: Tue, 16 Sep 2014 05:22:56 GMT

Content-Length: 477

Connection: keep-alive

Content-Type: application/pkix-crl
0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporatio
n100...U...'Symantec Time Stamping Services CA - G2..140915210111Z..14
0925210111Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......E0...*.H..
...........=...=&..l........#.Q...... ...S..............b.........o'.h
/.C..O.......(M.....*.2..3...bf..A.)i...Y.j.g{..(.J...u.8.,.6.`..@. ..
.P..3..[....Z... .... .k.gw.I&b..}R./!#]...y......!A...^.......v..*...
.

GET /ThawteTimestampingCA.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.thawte.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"

Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT

Accept-Ranges: bytes

Content-Length: 341

Date: Tue, 16 Sep 2014 05:22:56 GMT

Connection: keep-alive

Content-Type: application/pkix-crl
0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U..
..Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U..
..Thawte Timestamping CA..140617000000Z..140930235959Z0...*.H.........
......pe..y.....$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.
j}......Z.&.]V.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..kHTTP/1
.1 200 OK..Server: Apache..ETag: "67d0ac3389aba998bf71f5ac72d60648:140
3244909"..Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT..Accept-Ranges:
 bytes..Content-Length: 341..Date: Tue, 16 Sep 2014 05:22:56 GMT..Conn
ection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H
........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1
.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Times
tamping CA..140617000000Z..140930235959Z0...*.H...............pe..y...
..$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.j}......Z.&.]V
.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..k..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SHLWAPI.dll

KERNEL32.dll

E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\t8HighIn.pdb

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

1.0.7.205

t8HighIn.exe

2.5.15.0

AppIntegrator.exe_1088:

.text

`.rdata

@.data

.rsrc

@.reloc

operator

GetProcessWindowStation

SHELL32.dll

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

MaxPolicyElementKey

AppIntegrator.cpp

IAC::AppIntegrator::Application::SetupWindowsHook

C   Exception thrown in %s: %s

ATL Exception thrown in %s: 0xX

Unknown exception thrown in %s

RegOpenKeyTransactedW

E:\TeamCity\BuildAgent1\work\87ecef1f770f3834\Projects\ChromeExtAPI_Dev1\Build.TT\Release.x86\AppIntegrator.pdb

KERNEL32.dll

MsgWaitForMultipleObjects

SetWindowsHookExW

UnhookWindowsHookEx

USER32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

SHRegOpenUSKeyW

SHRegCloseUSKey

SHRegCreateUSKeyW

SHLWAPI.dll

USERENV.dll

VERSION.dll

GetProcessHeap

GetCPInfo

AppIntegrator.exe

zcÁ

.?AV?$_Impl_no_alloc2@U?$_Callable_obj@V<lambda14>@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@_NABVCRegKey@ATL@@PB_W@tr1@std@@

.?AV?$_Impl_no_alloc1@U?$_Callable_obj@V<lambda5>@?A0x0f892900@AppIntegrator@IAC@@$0A@@tr1@std@@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@3@@tr1@std@@

.?AV?$_Impl_base2@_NABVCRegKey@ATL@@PB_W@tr1@std@@

.?AV?$_Impl_base1@KAAV?$_Vector_const_iterator@V?$_Vector_val@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@V?$allocator@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@std@@@std@@@std@@@tr1@std@@

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

3 3$3(34383<3

< <$<(<,<0<

2$2<2@2`2

6,686@6`6

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

ieframe.dll

Already running! %s

The %s event cannot be created (%u)

\AppIntegratorStub.dll

Error calling GetProcAddress %u

Error calling SetWindowsHookEx %u

Failed to enable heap terminate-on-corruption with LastError %u

Error: %S

Error: 0x%0x

TraceLogUnitTest.exe

TraceLog.cfg

).csv

\StringFileInfo\XX\OriginalFilename

@t8res.dll

Advapi32.dll

C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe

C:\PROGRA~1\MARINE~1\bar\1.bin

@C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe

1.0.7.205

2.5.15.0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   57srchmn.exe:1556
   MALiteSetup.tmp:252
   TPIManagerConsole.exe:364
   {D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe:500
   00000294T8SETUP.EXE:1276
   57HighIn.exe:1900
   MALiteSetup.exe:160
   57barsvc.exe:1284
   57barsvc.exe:1016
   57barsvc.exe:1564
   %original file name%.exe:660
   irsetup.exe:1968

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\SereneScreen\Marine Aquarium Lite\unins000.dat (2064 bytes)
   %Program Files%\SereneScreen\Marine Aquarium Lite\is-AN6HM.tmp (7150 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium on the Web.lnk (981 bytes)
   %Program Files%\SereneScreen\Marine Aquarium Lite\www.SereneScreen.com.url (310 bytes)
   %System%\is-0I46C.tmp (53142 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_shfoldr.dll (23 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\SereneScreen Marine Aquarium Lite.lnk (706 bytes)
   %Program Files%\SereneScreen\Marine Aquarium Lite\is-IABLG.tmp (195 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Marine Aquarium Lite.lnk (706 bytes)
   %Program Files%\SereneScreen\Marine Aquarium Lite\is-BO418.tmp (180 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-LGVNQ.tmp\_isetup\_RegDLL.tmp (4 bytes)
   %Documents and Settings%\%current user%\Desktop\SereneScreen Marine Aquarium Lite.lnk (688 bytes)
   %Program Files%\SereneScreen\Marine Aquarium Lite\is-BVAE0.tmp (35 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\SereneScreen\Marine Aquarium Lite\Prolific Publishing on the Web.lnk (1 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L4Z4NAVX\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (136 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\{D606BB1A-707E-4B8F-9C02-2573D84FAB95}.exe (1495258 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9AB3MJ6C\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VO9Z1ANT\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDL92Q1D\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (325 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57feedmg.dll (145 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrcAs.dll (144 bytes)
   %System%\config (200 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\INSTALL.RDF (2 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\assists\COMMON.T8S (138 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\BOOTSTRAP.JS (20 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57SrchMn.exe (55 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\CrExtP57.exe (5442 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57medint.exe (12 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\CHROME.MANIFEST (1 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\HPG.DLL (237 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR.DLL (225 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR.DLL (1629 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\FF-NativeMessagingDispatcher.dll (1724 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegrator64.exe (258 bytes)
   %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57hkstub.dll (59 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1896 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk.dll (121 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD64.DLL (251 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57dlghk64.dll (147 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57srchmr.dll (87 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57tpinst.dll (179 bytes)
   %System%\config\SOFTWARE.LOG (42313 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57regfft.dll (85 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57barsvc.exe (90 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\TPIMANAGERCONSOLE.EXE (78 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57htmlmu.dll (214 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57idle.dll (62 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTPEX.DLL (108 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8HTML.DLL (202 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8TICKER.DLL (171 bytes)
   %System%\config\system (2812 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\Hpg64.dll (220 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57Plugin.dll (83 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (6408 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER.DLL (12 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATORSTUB.DLL (197 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\ASSISTMONITOR64.DLL (246 bytes)
   %System%\config\SYSTEM.LOG (4793 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\APPINTEGRATOR.EXE (225 bytes)
   %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (20 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57mlbtn.dll (98 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\Settings\s_pid.dat (6 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\gen1\COMMON.T8S (1 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL (15 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57bprtct.dll (121 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\DPNMNGR.DLL (218 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57datact.dll (171 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\ARBITER64.DLL (12 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57regiet.dll (87 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EPMSUP.DLL (79 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57script.dll (104 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\HKFXMGR64.DLL (1730 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\AppIntegratorStub64.dll (213 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57skplay.exe (55 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57httpct.dll (151 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57bar.dll (5442 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\LOGO.BMP (10 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_enable\CONFIG.XML (6 bytes)
   %System%\config\software (34218 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE (207 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\chrome\57ffxtbr.jar (1829 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57skin.dll (212 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\TOOLBARGUARD.DLL (240 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57highin.exe (13 bytes)
   %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\VERIFY.DLL (70 bytes)
   %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG (1560 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\Message\COMMON.T8S (100 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8RES.DLL (196 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL (17 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\CREXT.DLL (6422 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\57reghk.dll (80 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\installKeys.js (206 bytes)
   %Program Files%\MarineAquarium3Free_57\bar\1.bin\T8EXTEX.DLL (102 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-9LVCQ.tmp\MALiteSetup.tmp (3790 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EXE (188805 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00000294T8SETUP.EX_ (39950 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.PNG (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\Wow64.lmd (665 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MarineAquarium Setup Log.txt (260 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MALiteSetup.exe (33812 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Marine Aquarium Lite Search Scope Monitor" = "C:\PROGRA~1\MARINE~1\bar\1.bin\57srchmn.exe /m=2 /w /h"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Marine Aquarium Lite AppIntegrator 32-bit" = "C:\PROGRA~1\MARINE~1\bar\1.bin\AppIntegrator.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Marine Aquarium Lite" = "rundll32 C:\PROGRA~1\MARINE~1\bar\1.bin\57bar.dll,S"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.