ADW_TOOLBAR

 Analysis by: Alvin Bacani

 ALIASES:

SecurityRisk.Downldr (Symantec); Win32/Toolbar.Babylon.H (ESET-NOD32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and, in some instances, the degradation in either network connection or system performance.

Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software.

Adware are also often installed in tandem with spyware programs. Both programs feed off of each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating registry keys/entries.

It displays advertisements on Internet browsers.

  TECHNICAL DETAILS

File Size:

50,688 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

02 Apr 2008

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops the following file(s)/component(s):

  • %Application Data%\BabSolution\Shared\BabMaint.exe
  • %Application Data%\BabSolution\Shared\BUSolution.dll
  • %Application Data%\BabSolution\Shared\GUninstaller.exe
  • %Application Data%\BabSolution\Shared\SetupParams.ini
  • %Application Data%\BabSolution\Shared\sqlite3.dll
  • %Application Data%\Babylon\log_file.txt
  • %User Temp%\nsa7.tmp\Time.dll
  • %User Temp%\nsi3.tmp\Time.dll
  • %User Temp%\nsk5.tmp\Time.dll
  • %Program Files%\Delta\delta\1.8.24.6\bh\delta.dll
  • %Program Files%\Delta\delta\1.8.24.6\deltaApp.dll
  • %Program Files%\Delta\delta\1.8.24.6\deltaEng.dll
  • %Program Files%\Delta\delta\1.8.24.6\deltasrv.exe
  • %Program Files%\Delta\delta\1.8.24.6\deltaTlbr.dll
  • %Program Files%\Delta\delta\1.8.24.6\GUninstaller.exe
  • %Program Files%\Delta\delta\1.8.24.6\uninstall.exe
  • %WINDOWS%\Tasks\EPUpdater.job

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It drops the following copies of itself into the affected system:

  • %Program Files%\3721\assist\assist.dll

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It creates the following folders:

  • %Program Files%\3721
  • %Application Data%\BabSolution
  • %Application Data%\BabSolution\Shared
  • %Application Data%\Babylon
  • %User Temp%\mt_ffx
  • %User Temp%\mt_ffx\Delta
  • %User Temp%\mt_ffx\Delta\delta
  • %User Temp%\mt_ffx\Delta\delta\1.8.24.6
  • %All Users Profile%\Application Data\Babylon
  • %Program Files%\Delta
  • %Program Files%\Delta\delta
  • %Program Files%\Delta\delta\1.8.24.6
  • %Program Files%\Delta\delta\1.8.24.6\bh

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

Autostart Technique

This adware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{1B0E7716-898E- 48CC-9690-4E338E8DE1D3}\InprocServer32
Default = "%Program Files%\3721\assist\assist.dll"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
(Default) = "delta Helper Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
NoExplorer = "1"

Other System Modifications

This adware adds the following registry keys:

HKEY_CLASSES_ROOT\d

HKEY_CLASSES_ROOT\delta.deltaappCore

HKEY_CLASSES_ROOT\delta.deltaappCore.1

HKEY_CLASSES_ROOT\delta.deltadskBnd

HKEY_CLASSES_ROOT\delta.deltadskBnd.1

HKEY_CLASSES_ROOT\delta.deltaHlpr

HKEY_CLASSES_ROOT\delta.deltaHlpr.1

HKEY_CLASSES_ROOT\escort.escortIEPane

HKEY_CLASSES_ROOT\escort.escortIEPane.1

HKEY_CLASSES_ROOT\esrv.deltaESrvc

HKEY_CLASSES_ROOT\esrv.deltaESrvc.1

HKEY_CLASSES_ROOT\Prod.cap

HKEY_CLASSES_ROOT\AppID\escort.DLL

HKEY_CLASSES_ROOT\AppID\escortApp.DLL

HKEY_CLASSES_ROOT\AppID\escortEng.DLL

HKEY_CLASSES_ROOT\AppID\escorTlbr.DLL

HKEY_CLASSES_ROOT\AppID\esrv.EXE

HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

HKEY_CLASSES_ROOT\AppID\{39CB8175-E224-4446-8746-00566302DF8D}

HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}

HKEY_CLASSES_ROOT\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}

HKEY_CLASSES_ROOT\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}

HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
d

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Prod.cap

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escort.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortApp.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortEng.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escorTlbr.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\esrv.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{39CB8175-E224-4446-8746-00566302DF8D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

HKEY_CLASSES_ROOT\Assist.EasyAssist

HKEY_CLASSES_ROOT\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}

HKEY_CLASSES_ROOT\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}

HKEY_CLASSES_ROOT\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}

HKEY_LOCAL_MACHINE\SOFTWARE\3721

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Assist.EasyAssist

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924F5B3A-7A27-484A-B873-E855C9708667}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\1.0
(Default) = "esrv 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\1.0\
0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltasrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\1.0\
HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\1.0
(Default) = "deltaCmn 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\1.0\
0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaEng.dll\2"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\1.0\
HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0
(Default) = "escorTlbr 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\
0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaTlbr.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\
HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0
(Default) = "escortApp 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\
0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaApp.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\
HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_CURRENT_USER\Software\BabSolution\
Updater
cr_ver = "0"

HKEY_CURRENT_USER\Software\BabSolution\
Updater
Task_st = "3"

HKEY_CURRENT_USER\Software\BabSolution\
Updater\Instances\delta toolbar
Report = "mntbdlt"

HKEY_CURRENT_USER\Software\Delta\
delta
cmndLn = "/s /lng=en /stdFFXInstl /babTrack="tsp=5036" /instlRef=sst /aflt=babsst /srcExt=ss"

HKEY_CURRENT_USER\Software\Delta\
delta
tlbrSrchUrl = ""

HKEY_CURRENT_USER\Software\Delta\
delta
lastB = "about:blank"

HKEY_CURRENT_USER\Software\Delta\
delta\user
dfltLng = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Delta\
delta\Instl
babTrack = "tsp=5036"

HKEY_LOCAL_MACHINE\SOFTWARE\Delta\
delta\Instl
babExt = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Delta\
delta\Instl
srcExt = "ss"

HKEY_LOCAL_MACHINE\SOFTWARE\Delta\
delta\Instl
InstallDir = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Policy = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
AppName = "deltasrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
AppPath = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Toolbar
{82E1477C-B154-48D3-9891-33D83C26BCD3} = "Delta Toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
DisplayName = "Delta toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
UninstallString = ""%Program Files%\Delta\delta\1.8.24.6\GUninstaller.exe" -uprtc -ask -rmbus "Delta toolbar" -nontfy -bname=dlt -key "delta""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
DisplayIcon = ""%Program Files%\Delta\delta\1.8.24.6\deltasrv.exe"" DisplayVersion = "1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
Comments = "Delta toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
Publisher = "Delta"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
delta
OrigUninstString = ""%Program Files%\Delta\delta\1.8.24.6\uninstall.exe""

HKEY_CLASSES_ROOT\d
(Default) = "escrtAx Object"

HKEY_CLASSES_ROOT\d\CLSID
(Default) = "{86838207-681D-469D-9511-D0DCC6F19F9B}"

HKEY_CLASSES_ROOT\delta.deltaappCore
(Default) = "appCore Object"

HKEY_CLASSES_ROOT\delta.deltaappCore\CLSID
(Default) = "{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}"

HKEY_CLASSES_ROOT\delta.deltaappCore.1
(Default) = "appCore Object"

HKEY_CLASSES_ROOT\delta.deltaappCore.1\CLSID
(Default) = "{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}"

HKEY_CLASSES_ROOT\delta.deltadskBnd
(Default) = "CDskBnd Object"

HKEY_CLASSES_ROOT\delta.deltadskBnd\CLSID
(Default) = "{82E1477C-B154-48D3-9891-33D83C26BCD3}"

HKEY_CLASSES_ROOT\delta.deltadskBnd.1
(Default) = "CDskBnd Object"

HKEY_CLASSES_ROOT\delta.deltadskBnd.1\CLSID
(Default) = "{82E1477C-B154-48D3-9891-33D83C26BCD3}"

HKEY_CLASSES_ROOT\delta.deltaHlpr
(Default) = "CescrtHlpr Object"

HKEY_CLASSES_ROOT\delta.deltaHlpr\CLSID
(Default) = "{C1AF5FA5-852C-4C90-812E-A7F75E011D87}"

HKEY_CLASSES_ROOT\delta.deltaHlpr.1
(Default) = "CescrtHlpr Object"

HKEY_CLASSES_ROOT\delta.deltaHlpr.1\CLSID
(Default) = "{C1AF5FA5-852C-4C90-812E-A7F75E011D87}"

HKEY_CLASSES_ROOT\escort.escortIEPane
(Default) = "escortIEPane Object"

HKEY_CLASSES_ROOT\escort.escortIEPane\CLSID
(Default) = "{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}"

HKEY_CLASSES_ROOT\escort.escortIEPane.1
(Default) = "escortIEPane Object"

HKEY_CLASSES_ROOT\escort.escortIEPane.1\CLSID
(Default) = "{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}"

HKEY_CLASSES_ROOT\esrv.deltaESrvc
(Default) = "escrtSrvc Object"

HKEY_CLASSES_ROOT\esrv.deltaESrvc\CLSID
(Default) = "{261DD098-8A3E-43D4-87AA-63324FA897D8}"

HKEY_CLASSES_ROOT\esrv.deltaESrvc\CLSID
(Default) = "{261DD098-8A3E-43D4-87AA-63324FA897D8}"

HKEY_CLASSES_ROOT\esrv.deltaESrvc.1
(Default) = "escrtSrvc Object"

HKEY_CLASSES_ROOT\esrv.deltaESrvc.1\CLSID
(Default) = "{261DD098-8A3E-43D4-87AA-63324FA897D8}"

HKEY_CLASSES_ROOT\Prod.cap
Info = {Binary Data}

HKEY_CLASSES_ROOT\AppID\escort.DLL
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_CLASSES_ROOT\AppID\escortApp.DLL
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_CLASSES_ROOT\AppID\escortEng.DLL
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_CLASSES_ROOT\AppID\escorTlbr.DLL
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_CLASSES_ROOT\AppID\esrv.EXE
AppID = "{39CB8175-E224-4446-8746-00566302DF8D}"

HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
(Default) = "escort"

HKEY_CLASSES_ROOT\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
(Default) = "esrv"

HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
(Default) = "escorTlbr"

HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
(Default) = "escortEng"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
hp_url = "http://www.delta-search.com/? babsrc=HP_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
sp_name = "Delta Search"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
sp_url = "http://www.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
tb_url = "http://www.delta-search.com/?q={searchTerms}&babsrc=TB_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
nt_url = "http://www.delta-search.com/?babsrc=NT_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
kw_url = "http://www.delta-search.com/?babsrc=SP_ss&mntrId=7471000C292B36DD&tsp=5036&q="

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
run4ie = "end"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
run4ie = "end"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
vrsni = "1.8.24.6"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
afltId = "babsst"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
aflt = "babsst"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
smplGrp = "none"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
tlbrId = "base"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
instlRef = "sst"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
dfltLng = "en"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
tlbrSrchUrl = ""

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
uninstallAll = "true"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
autoRvrt = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
rvrt = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
admin = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
postUninstall = ""

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
newTab = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
dpblck = ""

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
ds_url = ""

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
excTlbr = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
ffxUnstlRst = "true"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
chrInstl = "all"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
ffxInstl = "all"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
ieInstl = "all"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
uninstExt = "false"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
dsIE = ""

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
dsFFX = "Delta Search"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\Data
uninstaller = "%Program Files%\Delta\delta\1.8.24.6\uninstall.exe"

HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\
Instl\dfltLng
dfltLng = "en"

HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
(Default) = "escortApp"

HKEY_CLASSES_ROOT\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
(Default) = "escrtSrvc Object"

HKEY_CLASSES_ROOT\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
AppID = "{39CB8175-E224-4446-8746-00566302DF8D}"

HKEY_CLASSES_ROOT\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}\
LocalServer32
(Default) = ""%Program Files%\Delta\delta\1.8.24.6\deltasrv.exe""

HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
(Default) = "escortIEPane Object"

HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}\
InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\bh\delta.dll"

HKEY_CLASSES_ROOT\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}
(Default) = "Delta Toolbar"

HKEY_CLASSES_ROOT\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_CLASSES_ROOT\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}\
InprocServer32
(Default) = "%\Program Files%\Delta\delta\1.8.24.6\deltaTlbr.dll"

HKEY_CLASSES_ROOT\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
(Default) = "escrtAx Object"

HKEY_CLASSES_ROOT\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_CLASSES_ROOT\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}\
InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaEng.dll"

HKEY_CLASSES_ROOT\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
(Default) = "delta Helper Object"

HKEY_CLASSES_ROOT\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_CLASSES_ROOT\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}\
InprocServer32
(Default) = "%\Program Files%\Delta\delta\1.8.24.6\bh\delta.dll"

HKEY_CLASSES_ROOT\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
(Default) = "appCore Object"

HKEY_CLASSES_ROOT\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_CLASSES_ROOT\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}\
InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaApp.dll"

HKEY_CLASSES_ROOT\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\
1.0
(Default) = "esrv 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\
1.0\0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltasrv.exe"

HKEY_CLASSES_ROOT\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}\
1.0\HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_CLASSES_ROOT\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\
1.0
(Default) = "deltaCmn 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\
1.0\0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaEng.dll\2"

HKEY_CLASSES_ROOT\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}\
1.0\HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\
1.0
(Default) = "escorTlbr 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\
1.0\0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaTlbr.dll"

HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\
1.0\HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\
1.0
(Default) = "escortApp 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\
1.0\0\win32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaApp.dll"

HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\
1.0\HELPDIR
(Default) = "%Program Files%\Delta\delta\1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
d
(Default) = "escrtAx Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
d\CLSID
(Default) = "{86838207-681D-469D-9511-D0DCC6F19F9B}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore\CLSID
(Default) = "{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore.1
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaappCore.1\CLSID
(Default) = "{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd
(Default) = "CDskBnd Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd\CLSID
(Default) = "{82E1477C-B154-48D3-9891-33D83C26BCD3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd.1
(Default) = "CDskBnd Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltadskBnd.1\CLSID
(Default) = "{82E1477C-B154-48D3-9891-33D83C26BCD3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr
(Default) = "CescrtHlpr Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr\CLSID
(Default) = "{C1AF5FA5-852C-4C90-812E-A7F75E011D87}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr.1
(Default) = "CescrtHlpr Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
delta.deltaHlpr.1\CLSID
(Default) = "{C1AF5FA5-852C-4C90-812E-A7F75E011D87}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane\CLSID
(Default) = "{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1\CLSID
(Default) = "{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc\CLSID
(Default) = "{261DD098-8A3E-43D4-87AA-63324FA897D8}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc.1
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.deltaESrvc.1\CLSID
(Default) = "{261DD098-8A3E-43D4-87AA-63324FA897D8}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Prod.cap
Info = {Binary Data}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escort.DLL
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortApp.DLL
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortEng.DLL
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escorTlbr.DLL
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\esrv.EXE
AppID = "{39CB8175-E224-4446-8746-00566302DF8D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
(Default) = "escort"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{39CB8175-E224-4446-8746-00566302DF8D}
(Default) = "esrv"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
(Default) = "escorTlbr"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
(Default) = "escortEng"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
hp_url = "http://www.{BLOCKED}search.com/?babsrc=HP_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
sp_name = "Delta Search"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
sp_url = "http://www.{BLOCKED}search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
tb_url = "http://www.{BLOCKED}search.com/?q={searchTerms}&babsrc=TB_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
nt_url = "http://www.delta-search.com/?babsrc=NT_ss&mntrId=7471000C292B36DD&tsp=5036"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
kw_url = "http://www.delta-search.com/?babsrc=SP_ss&mntrId=7471000C292B36DD&tsp=5036&q="

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
run4ie = "end"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
vrsni = "1.8.24.6"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
afltId = "babsst"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
aflt = "babsst"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
smplGrp = "none"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
tlbrId = "base"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
instlRef = "sst"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
dfltLng = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
tlbrSrchUrl = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
uninstallAll = "true"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
autoRvrt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
rvrt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
admin = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
postUninstall = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
newTab = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
dpblck = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
ds_url = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
excTlbr = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
ffxUnstlRst = "true"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
chrInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
ffxInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
ieInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
uninstExt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
dsIE = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
dsFFX = "Delta Search"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
Data
uninstaller = "%Program Files%\Delta\delta\1.8.24.6\uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\Instl\
dfltLng
dfltLng = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
(Default) = "escortApp"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}
AppID = "{39CB8175-E224-4446-8746-00566302DF8D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}\LocalServer32
(Default) = ""%Program Files%\Delta\delta\1.8.24.6\deltasrv.exe""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}\InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\bh\delta.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}
(Default) = "Delta Toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}\InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaTlbr.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
(Default) = "escrtAx Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}\InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaEng.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
(Default) = "delta Helper Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}\InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\bh\delta.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}\InprocServer32
(Default) = "%Program Files%\Delta\delta\1.8.24.6\deltaApp.dll"

Download Routine

This adware connects to the following website(s) to download and execute a malicious file:

  • {BLOCKED}t.{BLOCKED}tream.net.php
  • {BLOCKED}p.{BLOCKED}n.com/downloader.php

Adware Routine

This adware displays advertisements on Internet browsers.

NOTES:
This adware is capable of adding toolbar on internet browsers.

  SOLUTION

Minimum Scan Engine:

9.300

SSAPI PATTERN File:

1.444.37

SSAPI PATTERN Date:

15 Oct 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as ADW_TOOLBAR

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT
    • d
  • In HKEY_CLASSES_ROOT
    • delta.deltaappCore
  • In HKEY_CLASSES_ROOT
    • delta.deltaappCore.1
  • In HKEY_CLASSES_ROOT
    • delta.deltadskBnd
  • In HKEY_CLASSES_ROOT
    • delta.deltadskBnd.1
  • In HKEY_CLASSES_ROOT
    • delta.deltaHlpr
  • In HKEY_CLASSES_ROOT
    • delta.deltaHlpr.1
  • In HKEY_CLASSES_ROOT
    • escort.escortIEPane
  • In HKEY_CLASSES_ROOT
    • escort.escortIEPane.1
  • In HKEY_CLASSES_ROOT
    • esrv.deltaESrvc
  • In HKEY_CLASSES_ROOT
    • esrv.deltaESrvc.1
  • In HKEY_CLASSES_ROOT
    • Prod.cap
  • In HKEY_CLASSES_ROOT\AppID
    • escort.DLL
  • In HKEY_CLASSES_ROOT\AppID
    • escortApp.DLL
  • In HKEY_CLASSES_ROOT\AppID
    • escortEng.DLL
  • In HKEY_CLASSES_ROOT\AppID
    • escorTlbr.DLL
  • In HKEY_CLASSES_ROOT\AppID
    • esrv.EXE
  • In HKEY_CLASSES_ROOT\AppID
    • {09C554C3-109B-483C-A06B-F14172F1A947}
  • In HKEY_CLASSES_ROOT\AppID
    • {39CB8175-E224-4446-8746-00566302DF8D}
  • In HKEY_CLASSES_ROOT\AppID
    • {4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
  • In HKEY_CLASSES_ROOT\AppID
    • {B12E99ED-69BD-437C-86BE-C862B9E5444D}
  • In HKEY_CLASSES_ROOT\AppID
    • {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {39CB8175-E224-4446-8746-00566302DF8D}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {4599D05A-D545-4069-BB42-5895B4EAE05B}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {D7EE8177-D51E-4F89-92B6-83EA2EC40800}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • d
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltaappCore
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltaappCore.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltadskBnd
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltadskBnd.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltaHlpr
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • delta.deltaHlpr.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • escort.escortIEPane
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • escort.escortIEPane.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • esrv.deltaESrvc
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • esrv.deltaESrvc.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • Prod.cap
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • AppID\escort.DLL
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • AppID\escortApp.DLL
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • AppID\escortEng.DLL
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • AppID\escorTlbr.DLL
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • AppID\esrv.EXE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {09C554C3-109B-483C-A06B-F14172F1A947}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {39CB8175-E224-4446-8746-00566302DF8D}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {B12E99ED-69BD-437C-86BE-C862B9E5444D}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {39CB8175-E224-4446-8746-00566302DF8D}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {4599D05A-D545-4069-BB42-5895B4EAE05B}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {D7EE8177-D51E-4F89-92B6-83EA2EC40800}
  • In HKEY_CLASSES_ROOT
    • Assist.EasyAssist
  • In HKEY_CLASSES_ROOT\CLSID
    • {1B0E7716-898E-48CC-9690-4E338E8DE1D3}
  • In HKEY_CLASSES_ROOT\Interface
    • {924F5B3A-7A27-484A-B873-E855C9708667}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {19069804-2CF0-4357-B696-BA6E9AAD99EF}
  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • 3721
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • Assist.EasyAssist
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {924F5B3A-7A27-484A-B873-E855C9708667}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {19069804-2CF0-4357-B696-BA6E9AAD99EF}
  • In HKEY_CURRENT_USER\Software
    • BabSolution
  • In HKEY_CURRENT_USER\Software
    • Delta
  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • Delta
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • delta

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
    • (Default) = "delta Helper Object"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}
    • NoExplorer = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
    • Policy = dword:00000003
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
    • AppName = "deltasrv.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
    • AppPath = "%Program Files%\Delta\delta\1.8.24.6"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    • {82E1477C-B154-48D3-9891-33D83C26BCD3} = "Delta Toolbar"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B0E7716-898E- 48CC-9690-4E338E8DE1D3}\InprocServer32
    • Default = "%Program Files%\3721\assist\assist.dll"

Step 6

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Program Files%\3721
  • %Application Data%\BabSolution
  • %Application Data%\BabSolution\Shared
  • %Application Data%\Babylon
  • %User Temp%\mt_ffx
  • %User Temp%\mt_ffx\Delta
  • %User Temp%\mt_ffx\Delta\delta
  • %User Temp%\mt_ffx\Delta\delta\1.8.24.6
  • %All Users Profile%\Application Data\Babylon
  • %Program Files%\Delta
  • %Program Files%\Delta\delta
  • %Program Files%\Delta\delta\1.8.24.6
  • %Program Files%\Delta\delta\1.8.24.6\bh

Step 7

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %WINDOWS%\Tasks\EPUpdater.job

Step 8

Search and delete the files detected as ADW_TOOLBAR

*Note: Some component files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

To stop the malware/grayware from running when certain files are opened:

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Right-click Start then click Search....
  2. In the Named input box, type the name of the file that was detected earlier.
  3. In the Look In drop-down list, select My Computer then press Enter.
  4. Once located, select the file then press SHIFT+DELETE to delete it.

For Windows Vista and Windows 7:

  1. Click Start>Computer.
  2. In the Search Computer input box, type the name of the file detected earlier, and press Enter.
  3. Once located, select the file then press SHIFT+DELETE to delete it.
    *Note: Read the following Microsoft page if these steps do not work on Windows 7.

Step 9

Scan your computer with your Trend Micro product to delete files detected as ADW_TOOLBAR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.