TROJ_JOYDLOAD.A
Windows 2000, Windows XP, Windows Server 2003
マルウェアタイプ:
トロイの木馬型
破壊活動の有無:
なし
暗号化:
感染報告の有無 :
はい
概要
マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。
詳細
侵入方法
マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。
インストール
マルウェアは、以下のフォルダを作成します。
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %User Temp%\nsn3.tmp
- %User Temp%\rmi
- %User Profile%\Application Data\OpenCandy
- %User Profile%\OpenCandy\BB23B09C45224A2B959897BFAD6D4DB2
- %System Root%\Documents and Settings\Wilbert
- %User Temp%\nsd2D.tmp
- %User Temp%\nsh34.tmp
- %User Temp%\ct3281675
- %User Temp%\nsl46.tmp
- %User Temp%\nsg5D.tmp
- %User Temp%\nsa6B.tmp
- %User Temp%\nsn8A.tmp
- %Program Files%\entrusted
- %Application Data%\Conduit
- %Application Data%\Conduit\CT3281675
- %User Profile%\Application Data\Conduit
- %User Profile%\Conduit\IE
- %User Profile%\IE\CT3281675
- %User Profile%\Conduit\Multi
- %User Profile%\Multi\CT3281675
- %Program Files%\Conduit
- %Program Files%\Conduit\Community Alerts
- %User Temp%\nsaCA.tmp
- %User Profile%\Application Data\SearchProtect
- %User Profile%\SearchProtect\Res
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
- %User Temp%\nsf106.tmp
(註:%System Root%フォルダは、標準設定では "C:" です。また、オペレーティングシステムが存在する場所です。. %User Profile% フォルダは、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\<ユーザ名>"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>" です。. %User Temp%フォルダはWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 2000、XP および Server 2003 の場合、"C:\Documents and Settings\<ユーザー名>\Local Settings\Temp"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>\AppData\Local\Temp" です。. %Program Files%フォルダは、Windows 2000、Server 2003、XP (32ビット)、通常 Vista (32ビット) および 7 (32ビット) の場合、通常 "C:\Program Files"、Windows XP (64ビット)、Vista (64ビット) および 7 (64ビット) の場合、通常 "C:\Program Files (x86)" です。. %Application Data%フォルダは、Windows 2000、XP および Server 2003 の場合、通常 "C:\Documents and Settings\<ユーザ名>\Local Settings\Application Data"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>\AppData\Roaming" です。)
自動実行方法
マルウェアは、以下のレジストリキーを追加し、自身をBrowser Helper Object(BHO)として登録します。これにより、Internet Explorer(IE)が起動するとマルウェアが自動実行されます。
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
他のシステム変更
マルウェアは、以下のファイルを削除します。
- %User Temp%\nss1.tmp
- %User Temp%\nsn3.tmp
- %Temp%\scs18.tmp
- %Temp%\scs1B.tmp
- %User Temp%\nsv28.tmp
- ConduitRBCB_e1v0.exe
- %User Temp%\nst2B.tmp
- %User Temp%\nsd2D.tmp
- RAWinstaller.exe
- %User Temp%\nsm32.tmp
- %User Temp%\nsh34.tmp
- %User Temp%\nsh34.tmp\ns41.tmp
- %User Temp%\nsv44.tmp
- %User Temp%\nsl46.tmp
- %User Temp%\nsl46.tmp\ns58.tmp
- %User Temp%\nsl46.tmp\ns66.tmp
- %User Temp%\nsl46.tmp\ns74.tmp
- %User Temp%\nsl46.tmp\ns83.tmp
- %User Temp%\nsl46.tmp\nsE9.tmp
- %User Temp%\nsl46.tmp\nsF0.tmp
- %User Temp%\nsl46.tmp\nsF7.tmp
- %User Temp%\nsl46.tmp\ns101.tmp
- %User Temp%\nsq5B.tmp
- %User Temp%\nsg5D.tmp
- %User Temp%\nsv69.tmp
- %User Temp%\nsa6B.tmp
- %User Temp%\nsv77.tmp
- %User Temp%\nss86.tmp
- %User Temp%\nsn8A.tmp
- %User Temp%\nspC8.tmp
- %User Temp%\nsaCA.tmp
- %User Temp%\nswEC.tmp
- %User Temp%\nskF3.tmp
- %User Temp%\nsmFA.tmp
- %User Temp%\nsf104.tmp
- %User Temp%\nsf106.tmp
- %User Temp%\ct3281675\conduitStatistics.csf
(註:%User Temp%フォルダはWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 2000、XP および Server 2003 の場合、"C:\Documents and Settings\<ユーザー名>\Local Settings\Temp"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>\AppData\Local\Temp" です。. %Temp%フォルダは、標準設定では "C:\Windows\Temp" です。)
マルウェアは、以下のレジストリキーを追加します。
HKEY_LOCAL_MACHINE\Software\entrusted\
toolbar
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
HKEY_CURRENT_USER\Software\entrusted\
toolbar
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
HomePage
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
BrowserSearch
HKEY_CURRENT_USER\Software\entrusted\
toolbar\settings\MyStuff
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Monitored
HKEY_CURRENT_USER\Software\entrusted\
toolbar\settings\RadioPlayer
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\Search\
Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
InstallationGlobalKeys
HKEY_LOCAL_MACHINE\Software\entrusted\
Communicator
HKEY_LOCAL_MACHINE\Software\Conduit\
Platforms\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
HKEY_CURRENT_USER\Software\ConduitSearchScopes
HKEY_LOCAL_MACHINE\Software\Conduit\
HomePage
HKEY_CURRENT_USER\Software\Conduit\
RevertSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook\entrusted
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Log
HKEY_CLASSES_ROOT\CLSID\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}
HKEY_CLASSES_ROOT\CLSID\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}\
InprocServer32
HKEY_CURRENT_USER\Software\Smartbar
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Toolbars
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Repository\conduit_CT3281675\
Coordinator
HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
HKEY_CLASSES_ROOT\CLSID\{01335480-2AED-4070-AFF3-B4C8BC22FF35}
HKEY_CLASSES_ROOT\CLSID\{01335480-2AED-4070-AFF3-B4C8BC22FF35}\
InprocServer32
HKEY_CLASSES_ROOT\CLSID\{01335480-2aed-4070-aff3-b4c8bc22ff35}\
ProgID
HKEY_CLASSES_ROOT\CLSID\{01335480-2aed-4070-aff3-b4c8bc22ff35}\
VersionIndependentProgID
HKEY_CLASSES_ROOT\Toolbar.CT3281675
HKEY_CLASSES_ROOT\Toolbar.CT3281675\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Ext\
PreApproved\{01335480-2aed-4070-aff3-b4c8bc22ff35}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Platforms\{01335480-2aed-4070-aff3-b4c8bc22ff35}
HKEY_CURRENT_USER\Toolbar\RegisteredSources
HKEY_CLASSES_ROOT\CLSID\{F45AB5EB-4700-4745-AD30-7592EAB1C986}
HKEY_CLASSES_ROOT\CLSID\{F45AB5EB-4700-4745-AD30-7592EAB1C986}\
InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Platforms\{f45ab5eb-4700-4745-ad30-7592eab1c986}
HKEY_CURRENT_USER\Software\entrusted\
toolbar\settings\BackHandStorage\
GlobalKeys
HKEY_LOCAL_MACHINE\Software\entrusted\
toolbar\InstalledApps
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
HKEY_LOCAL_MACHINE\Software\Conduit\
Community Alerts
HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}
HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\
InprocServer32
HKEY_CURRENT_USER\Software\entrusted\
toolbar\settings\Tips
マルウェアは、以下のレジストリ値を追加します。
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
MarkOldApps = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ALIGNMODE_ = "0"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ALLOW_SILENT_INSTALLATION_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_AUTOUPDATE_URL_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BHO_COMID_ = "{41578b15-ffa2-47f6-8fe1-1f0bf8a3317e}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BRANDDLLNAME_ = "tbentr.dll"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BRANDTOOLBARNAME_ = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BRANDTOOLBARSETUPFILENAME_ = "entrusted.exe"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BRANDTOOLBARSPONSORID_ = "CT3281675"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BRANDTOOLBARTITLE_ = "entrusted Toolbar"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_BUILDER_SERVER_ = "VM2254"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_CFGFILEPATH_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_CHROME25_FIX_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_COMID_ = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_COUNTRY_CODE_ = "US"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_CRE_MODE_ = "1"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_DEFAULT_BROWSER_INSTALLATION_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_DISPLAY_TRUSTE_SEAL_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_EMAIL_NOTIFY_SHOW_STATE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_ALERTS_ = "True"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_GROUPING_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_SEARCH_FROM_ADDRESS_ = "True"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_SEARCH_SUGGEST_FROM_ADDRESS_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_SEARCH_SUGGEST_FROM_ADDRESS_IE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENABLE_SEARCH_SUGGEST_FROM_SEARCH_BOX_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_ENVIRONMENT_ = "conduit"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_FF_AUTOUPDATE_URL_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_FINDBAR_COMID_ = "{f45ab5eb-4700-4745-ad30-7592eab1c986}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_IE_EXE_MODE_ = "1"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_INSTALATIONDIRECTORY_ = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_INSTALL_SP_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_INSTALL_TOOLBAR_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_IS_MOZILLA_RETENTION_DIALOG_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_LINKWRITEUS_ = "anders@opencandy.com"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_MAM_ENABLED_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_MULTI_COMMUNITY_ENABLED_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_MULTI_UNINSTALLER_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_MY_STUFF_ENABLED_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_MYWEBSERVERURL_ = "http://entrusted.OurToolbar.com"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_POPUP_SHOW_STATE_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_PRODUCT_ID_ = "10"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_RADIO_SHOW_STATE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_REALTOOLBARNAME_ = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_REGMAINKEY_ = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_REGSUBKEY_ = "toolbar"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SEARCH_FROM_ADDRESS_URL_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SEARCH_PROVIDER_ = "CUSTOMIZED"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SEARCH_PROVIDER_ID_ = "2"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SEARCH_PROVIDER_NAME_ = "Bing"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SEARCH_REVERT_ = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SERVER_ = "users.conduit.com"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SET_DEFAULT_SEARCH_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUP_FIX_404_CHK_BOX_VAL_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUP_PUBLISHER_LOGO_IMG_PATH_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUP_SHOW_FIX_404_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUPICONPATH_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUPPATH_ = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SETUPSOURCESPATH_ = "\\{BLOCKED}8.17.111\clients\SetupSource\ChromeWebToolbar\10.23.0.822"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SHOWUNINSTALLPAGE_ = "True"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SP_CHP_URL_ = "http://www.{BLOCKED}t.com/privacy/search-protect-description.aspx"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_SSO_ID_ = "CB48B495-F878-40EA-AA03-196C985E13C3"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_START_PAGE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_TOOLBAR_API_COMID_ = "{01335480-2aed-4070-aff3-b4c8bc22ff35}"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_TOOLBAR_LANGUAGE_ = "EN"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_TRUSTE_SEAL_URL_ = "http://trust.{BLOCKED}t.com/CT3281675"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_TWITTER_SHOW_STATE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_UM_ = "2"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_UNINSTALL_FROM_ADD_REMOVE_ENABLED_ = "False"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_WEATHER_SHOW_STATE_ = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_WEBSERVERURL_ = "http://entrusted.OurToolbar.com"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
_XPE_MODE_ = "1"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
TOOLBARNAME = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
ISM\IE
TimeStamp = "2235d"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
GroupingServerURL = "http://grouping.{BLOCKED}es.conduit.com"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
SearchServerUrl = "http://search.{BLOCKED}t.com"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
Server = "users.conduit.com"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
ShouldPerformGroupByOS = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
UsageURL = "http://usage.{BLOCKED}s.conduit.com/UsersWebService.asmx/UsersRequests"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
WebServerUrl = "http://entrusted.OurToolbar.com"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
Write us link = "anders@opencandy.com"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
ShouldCheckEnableAlerts = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
CabinetVisible = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
ExplorerVisible = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
FirstTime = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
Visible = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
EnableSearchFromAddress = "true"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
SearchFromAddressUrl = "{random characters}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
OpenSetupFinishPage = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
ShouldSendReferalCookie = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
SaveRevertSettingsData = "false"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector
NotifyOfSettingsChange = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
HomePage
HPProtectCount = "0"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
BrowserSearch
DSProtectCount = "0"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector
SendProtectorDataViaLogin = "TRUE"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Enable Browser Extensions = "yes"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use Search Asst = "no"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
LoginRequestsNum = "0"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
AUTOUPDATE = "1"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\MyStuff
StagingEnable = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Monitored
SHRINK_TOOLBAR = "0"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\RadioPlayer
ShrinkState = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
UserMode = "2"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
ContextMenuUserMode = "2"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
SessionID = "{22809240-35D6-4815-BCE1-7EB1256D2C59}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
UninstallType = "IE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\Search\
Settings
ShowSearchSuggestions = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ComId = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ToolbarAPIComId = "{01335480-2aed-4070-aff3-b4c8bc22ff35}"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
FindBarComId = "{f45ab5eb-4700-4745-ad30-7592eab1c986}"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
DisplayName = "entrusted"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
DisplayTitle = "entrusted Toolbar"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
GroupingEnabled = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
InstallationType = "ConduitNSISIntegration"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
MultiCommunityEnabled = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
Path = "%Program Files%\entrusted"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
Server = "users.conduit.com"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ShouldPerformGroupByOS = "TRUE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ShouldShowPersonalComponentDlg = "false"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
SponsorId = "CT3281675"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ToolbarHelperFileName = "%Program Files%\entrusted\entrustedToolbarHelper.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
PlatformType = "ConduitToolbarMyStuff"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
IsEngineHost = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
AllowToUninstallFromEngine = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ToolbarDllName = "tbentr.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
LoaderDllName = "ldrtbentr.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
HookDllName = "hktbentr.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
Hook64DllName = "hk64tbentr.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
AutoUpdateHelperPath = "%Application Data%\Conduit\CT3281675\entrustedAutoUpdateHelper.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
AllowUntrustedApps = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ProtectHomePage = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ProtectBrowserSearch = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
PublisherProtectHomePage = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
PublisherProtectBrowserSearch = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
IsConduitAppsToolbar = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ImportMyStuffApps = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
EnableAlertsFromInstallation = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
NavigateToUrlOnSearch = "FALSE"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
InstallationGlobalKeys
CT3281675 = "{mam_gk_installer_preapproved:0}"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ShouldSendToolbarAge = "TRUE"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
Communicator
Url = "http://servicemap.{BLOCKED}t-services.com/Toolbar/?ownerId=EB_ORIGINAL_CTID"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
Communicator
UsageUrl = "http://usage.{BLOCKED}r.conduit-services.com/ToolbarUsage.ashx"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Platforms\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
Name = "entrusted"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ForceEngineUninstall = "TRUE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Toolbar
{e44a1809-4d10-4ab8-b343-3326b64c7cdd} = "entrusted Toolbar"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
SocialDomains = "http://apps.conduit.com; http://social.conduit.com"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
BrowserSearchURL = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
BrowserSearchDisplayName = "entrusted Customized Web Search"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
BrowserSuggestionsURL = "{random characters}"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
DisplayName = "entrusted Customized Web Search"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
URL = "{random characters}"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes
DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
BrowserSearch
DSInstall = "TRUE"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
HomePage
{e44a1809-4d10-4ab8-b343-3326b64c7cdd} = "{random characters}"
HKEY_CURRENT_USER\Software\Conduit\
RevertSettings
ConduitLatestHomePage = "{random characters}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\FeatureProtector\
HomePage
HPInstall = "TRUE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
DisplayName = "entrusted Toolbar for IE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
DisplayVersion = "6.17.2.8"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
HelpLink = "http://entrusted.OurToolbar.com/help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
Publisher = "entrusted"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
URLInfoAbout = "http://entrusted.OurToolbar.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
DisplayIcon = "%User Profile%\CT3281675\SetupIcon.ico"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
EstimatedSize = "294"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
IECT3281675
UninstallString = "{random characters}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
LoaderDllName = "ldrtbentr.dll"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
ToolbarDllName = "tbentr.dll"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
HookDllName = "hktbentr.dll"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
Hook64DllName = "hk64tbentr.dll"
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook
ActiveHookToolbarName = "entrusted"
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook\entrusted
HookDllPath = "%Application Data%\entrusted"
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook\entrusted
HookDllVersion = "6.17.2.8"
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook\entrusted
HookDllName = "hktbentr.dll"
HKEY_CURRENT_USER\Software\Conduit\
IE\Hook\entrusted
Hook64DllName = "hk64tbentr.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
ProxyDllPath = "%Program Files%\entrusted\prxtbentr.dll"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
DisplayName = "entrusted"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
ToolbarInstallTime = "52ab3f61"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
version = "6.17.2.8"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Toolbar
{E44A1809-4D10-4AB8-B343-3326B64C7CDD} = "entrusted Toolbar"
HKEY_CURRENT_USER\Software\Smartbar
GlobalUserId = "9F7CC2C6-93F9-4DBE-8E4E-7D095A3E7E24"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Toolbars
entrusted Toolbar = "{E44A1809-4D10-4AB8-B343-3326B64C7CDD}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
ToolbarRunFirstTimeAfterInstall = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Repository\conduit_CT3281675\
Coordinator
ResetServiceMap = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
VistaElevationComId = "{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
AppPath = "%Program Files%\entrusted"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
AppName = "entrustedToolbarHelper.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
Policy = "3"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
AutoupdateElevationComId = "{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
AppPath = "%Application Data%\Conduit\CT3281675"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
AppName = "entrustedAutoUpdateHelper.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
Policy = "3"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{01335480-2AED-4070-AFF3-B4C8BC22FF35}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Platforms\{01335480-2aed-4070-aff3-b4c8bc22ff35}
HostID = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
NoExplorer = "1"
HKEY_CURRENT_USER\Toolbar\RegisteredSources
CT3281675 = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
PendingFileRenameOperations = "\??\%User Temp%\nsn3.tmp\nsisdl.dll"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\IE5
ToolbarHeight = "1c"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{F45AB5EB-4700-4745-AD30-7592EAB1C986}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Platforms\{f45ab5eb-4700-4745-ad30-7592eab1c986}
HostID = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\BackHandStorage\
GlobalKeys
mam_gk_installer_preapproved = "{random values}"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
AutoUpdateEnabled = "TRUE"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
ALPClientsServerName = "http://alert.{BLOCKED}t.conduit.com"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
ALPServicesServerName = "http://alert.{BLOCKED}es.conduit.com"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
ShowAlerts = "true"
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\
Community Alerts
Path = "%Program Files%\Conduit\Community Alerts\Alert.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32
ThreadingModel = "Apartment"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
UserID = "238740DB-7F8F-4E32-8BB4-F75DBF2A7004"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
FirstTimeMessageDisplayed = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
SampleAlertWasShown = "FALSE"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
LoginMessageLastCheckTime = "0"
HKEY_CURRENT_USER\Software\Conduit\
Community Alerts\Settings
LoginMessageLastUpdateTime = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
OpenUninstallPage = "true"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
MultiCommunityEnabled = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Monitored
MultiCommunityEnabled = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
GroupingEnabled = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Monitored
GroupingEnabled = "FALSE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Monitored
MultiCommunityID = "CT3281675"
HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\
toolbar
UserID = "UN40667011881295725"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
UserID = "UN40667011881295725"
HKEY_CURRENT_USER\Software\entrusted\
toolbar
MachineID = "SB_E0VDZWGTSPEIPGHO6ECYLKWRJ2E"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings
SendUsageReport = "TRUE"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Repository\conduit_CT3281675\
Coordinator
LastRequestTime = "52ab3f6b"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
2796BAE63F1801E277261BA0D77770028F20EEE4
Blob = "{random values}"
HKEY_CURRENT_USER\Software\entrusted\
toolbar\Settings\Tips
UsageIndication = "1"
マルウェアは、以下のレジストリ値を変更します。
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "{random characters}"
(註:変更前の上記レジストリ値は、「http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4C95A9902ABE0777CED18D6ACCC3372D2748381E
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4BA7B9DDD68788E12FF852E1A024204BF286A8F6
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
47AFB915CDA26D82467B97FA42914468726138DD
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4463C531D7CCC1006794612BB656D3BF8257846F
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43F9B110D5BAFD48225231B0D0082B372FEF9A54
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43DDB1FFF3B49B73831407F6BC8B975023D07C50
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4072BA31FEC351438480F62E6CB95508461EAB2F
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
394FF6850B06BE52E51856CC10E180E882B385CC
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
36863563FD5128C7BEA6F005CFE9B43668086CCE
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
2F173F7DE99667AFA57AF80AA2D1B12FAC830338
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
284F55C41A1A7A3F8328D4C262FB376ED6096F24
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
273EE12457FDC4F90C55E82B56167F62F532E547
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
23E594945195F2414803B4D564D2A3A3F5D88B8C
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
216B2A29E62A00CE820146D8244141B92511B279
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
209900B63D955728140CD13622D8C687A4EB0085
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1F55E8839BAC30728BE7108EDE7B0BB0D3298224
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
049811056AFE9FD0F5BE01685AACE6A5D1C4454C
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0483ED3399AC3608058722EDBC5E4600E3BEF9D7
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0048F8D37B153F6EA2798C323EF4F318A5624A9E
Blob = "{random values}"
(註:変更前の上記レジストリ値は、「{random values}」となります。)
マルウェアは、以下のレジストリキーを削除します。
HKEY_CURRENT_USER\Software\Conduit\
ISM
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Stats\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Discardable\PostSetup\Component Categories\
{00021493-0000-0000-C000-000000000046}\Enum
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Discardable\PostSetup\Component Categories\
{00021494-0000-0000-C000-000000000046}\Enum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
作成活動
マルウェアは、以下のファイルを作成します。
- %User Temp%\nsn3.tmp\button.bmp
- %User Temp%\nsn3.tmp\System.dll
- %User Temp%\nsn3.tmp\OCSetupHlp.dll
- %User Temp%\nsn3.tmp\skinnedbutton.dll
- %User Temp%\nsn3.tmp\nsDialogs.dll
- %User Temp%\nsn3.tmp\nsisdl.dll
- %User Temp%\rmi/download-install_flash_player.exe
- %User Temp%\nsn3.tmp\statistic.dll
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\B8DCC36F-4F05-445F-B1EE-FD8FC38CBBDA
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\47A647BD-4905-48C7-9539-A95F199019A4
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\5254.ico
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\RAWinstaller.exe
- %User Temp%\nsd2D.tmp\System.dll
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\mconduitinstaller.exe
- %User Temp%\nsd2D.tmp\inetc.dll
- %User Temp%\nss110.tmp
- %User Temp%\nsh34.tmp\InetC.dll
- /END
- %User Temp%\ct3281675\stub.exe
- %User Temp%\nsh34.tmp\nsExec.dll
- %User Temp%\nsl46.tmp\System.dll
- %User Temp%\nsl46.tmp\inetc.dll
- %User Temp%\nsl46.tmp\t.txt
- %User Temp%\nsf50.tmp
- %User Temp%\ct3281675\ctbe.exe
- %User Temp%\nsl46.tmp\nsExec.dll
- %User Temp%\ct3281675\ieLogic.exe
- %User Temp%\ct3281675\statisticsStub.exe
- %User Temp%\nsg5D.tmp\inetc.dll
- %User Temp%\ct3281675\setup.ini.txt
- %User Temp%\nsa6B.tmp\inetc.dll
- %User Temp%\ct3281675\chromeid.txt
- %User Temp%\nsi88.tmp
- %User Temp%\nsn8A.tmp\PublisherLogoDefault.bmp
- %User Temp%\nsn8A.tmp\setup_top.bmp
- %User Temp%\nsn8A.tmp\alerts_icon.bmp
- %User Temp%\nsn8A.tmp\truste_setup.bmp
- %User Temp%\nsn8A.tmp\search_icon.bmp
- %User Temp%\nsn8A.tmp\home_icon.bmp
- %User Temp%\nsn8A.tmp\revert_icon.bmp
- %User Temp%\nsn8A.tmp\nsUtils.dll
- %User Temp%\nsl95.tmp.tbentr.dll
- %User Temp%\toolbar.cfg
- %User Temp%\nsn8A.tmp\System.dll
- %User Temp%\nsn8A.tmp\license.txt
- %Program Files%\entrusted\toolbar.cfg
- %Program Files%\entrusted\entrustedToolbarHelper.exe
- %Application Data%\Conduit\CT3281675\entrustedAutoUpdateHelper.exe
- %Program Files%\entrusted\tbentr.dll
- %Program Files%\entrusted\prxtbentr.dll
- %Program Files%\entrusted\ldrtbentr.dll
- %Program Files%\entrusted\hktbentr.dll
- %Program Files%\entrusted\hk64tbentr.dll
- %Program Files%\entrusted\GottenAppsContextMenu.xml
- %Program Files%\entrusted\OtherAppsContextMenu.xml
- %Program Files%\entrusted\SharedAppsContextMenu.xml
- %Program Files%\entrusted\ToolbarContextMenu.xml
- %User Profile%\CT3281675\UninstallerUI.exe
- %User Profile%\CT3281675\SetupIcon.ico
- %Program Files%\Conduit\Community Alerts\Alert.dll
- %User Profile%\CT3281675\configutaion.json
- %User Temp%\nsn8A.tmp\nsJSON_2_0_1_1.dll
- %User Temp%\SPStub.exe
- %User Temp%\nsaCA.tmp\inetc.dll
- %User Profile%\Res\SPSetup.exe
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\CabDD.tmp
- %User Temp%\TarDF.tmp
- %User Temp%\nsf106.tmp\InetC.dll
- 1
- %User Temp%\nsh34.tmp\ns41.tmp
- %User Temp%\nsl46.tmp\ns58.tmp
- %User Temp%\nsl46.tmp\ns66.tmp
- %User Temp%\nsl46.tmp\ns74.tmp
- %User Temp%\nsl46.tmp\ns83.tmp
- %User Temp%\nsl46.tmp\nsE9.tmp
- %User Temp%\nsl46.tmp\nsF0.tmp
- %User Temp%\nsl46.tmp\nsF7.tmp
- %User Temp%\nsl46.tmp\ns101.tmp
- %Application Data%\entrusted\ldrtbentr.dll
- %Application Data%\entrusted\tbentr.dll
- %Application Data%\entrusted\hktbentr.dll
- %Application Data%\entrusted\hk64tbentr.dll
- %Application Data%\entrusted\toolbar.cfg
(註:%User Temp%フォルダはWindowsの種類とインストール時の設定などにより異なります。標準設定では、Windows 2000、XP および Server 2003 の場合、"C:\Documents and Settings\<ユーザー名>\Local Settings\Temp"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>\AppData\Local\Temp" です。. %User Profile% フォルダは、Windows 2000、XP および Server 2003 の場合、通常、"C:\Documents and Settings\<ユーザ名>"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>" です。. %Program Files%フォルダは、Windows 2000、Server 2003、XP (32ビット)、通常 Vista (32ビット) および 7 (32ビット) の場合、通常 "C:\Program Files"、Windows XP (64ビット)、Vista (64ビット) および 7 (64ビット) の場合、通常 "C:\Program Files (x86)" です。. %Application Data%フォルダは、Windows 2000、XP および Server 2003 の場合、通常 "C:\Documents and Settings\<ユーザ名>\Local Settings\Application Data"、Windows Vista および 7 の場合、"C:\Users\<ユーザ名>\AppData\Roaming" です。)
その他
マルウェアは、以下の不正なWebサイトにアクセスします。
- http://www.{BLOCKED}nload.com/adm/stat.php?idp=24&ls=&of=aoc
- http://www.{BLOCKED}-analytics.com/collect?{random characters}
- http://www.{BLOCKED}-analytics.com/usage.ashx
- http://www.{BLOCKED}-analytics.com/ps/conduitinstaller/stublogic.exe
- http://www.{BLOCKED}-analytics.com/Properties/INI/ct3281675
- http://www.{BLOCKED}-analytics.com/ps/utilities/checktbexist.exe
- http://www.{BLOCKED}-analytics.com/ie?{random characters}
- http://www.{BLOCKED}-analytics.com/ps/conduitinstaller/statisticsstub.exe
- http://www.{BLOCKED}-analytics.com/75/328/ct3281675/Downloads/IE/Releases/setup.ini.txt
- http://www.{BLOCKED}-analytics.com/75/328/ct3281675/Downloads/ChromeWebToolbar/ct3281675.txt
- http://www.{BLOCKED}-analytics.com/download/CT3281675
このウイルス情報は、自動解析システムにより作成されました。
対応方法
手順 1
Windows XP、Windows Vista および Windows 7 のユーザは、コンピュータからマルウェアもしくはアドウェア等を完全に削除するために、ウイルス検索の実行前には必ず「システムの復元」を無効にしてください。
手順 2
起動中ブラウザのウインドウを全て閉じてください。
手順 3
不明なレジストリ値を削除します。
警告:レジストリはWindowsの構成情報が格納されているデータベースであり、レジストリの編集内容に問題があると、システムが正常に動作しなくなる場合があります。
レジストリの編集はお客様の責任で行っていただくようお願いいたします。弊社ではレジストリの編集による如何なる問題に対しても補償いたしかねます。
レジストリの編集前にこちらをご参照ください。
- In HKEY_LOCAL_MACHINE\Software\entrusted
- toolbar
- In HKEY_CURRENT_USER\Software\Conduit\ISM
- IE
- In HKEY_CURRENT_USER\Software\entrusted
- toolbar
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- IE5
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Settings
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- FeatureProtector
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector
- HomePage
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector
- BrowserSearch
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\settings
- MyStuff
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Monitored
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\settings
- RadioPlayer
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Search
- Settings
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit
- InstallationGlobalKeys
- In HKEY_LOCAL_MACHINE\Software\entrusted
- Communicator
- In HKEY_LOCAL_MACHINE\Software\Conduit\Platforms
- {e44a1809-4d10-4ab8-b343-3326b64c7cdd}
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
- {afdbddaa-5d3f-42ee-b79c-185a7020515b}
- In HKEY_CURRENT_USER\Software
- ConduitSearchScopes
- In HKEY_LOCAL_MACHINE\Software\Conduit
- HomePage
- In HKEY_CURRENT_USER\Software\Conduit
- RevertSettings
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- IECT3281675
- In HKEY_CURRENT_USER\Software\Conduit\IE
- Hook
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook
- entrusted
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Log
- In HKEY_CLASSES_ROOT\CLSID
- {E44A1809-4D10-4AB8-B343-3326B64C7CDD}
- In HKEY_CLASSES_ROOT\CLSID\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}
- InprocServer32
- In HKEY_CURRENT_USER\Software
- Smartbar
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit
- Toolbars
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Repository\conduit_CT3281675
- Coordinator
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
- {F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
- {CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
- In HKEY_CLASSES_ROOT\CLSID
- {01335480-2AED-4070-AFF3-B4C8BC22FF35}
- In HKEY_CLASSES_ROOT\CLSID\{01335480-2AED-4070-AFF3-B4C8BC22FF35}
- InprocServer32
- In HKEY_CLASSES_ROOT\CLSID\{01335480-2aed-4070-aff3-b4c8bc22ff35}
- ProgID
- In HKEY_CLASSES_ROOT\CLSID\{01335480-2aed-4070-aff3-b4c8bc22ff35}
- VersionIndependentProgID
- In HKEY_CLASSES_ROOT
- Toolbar.CT3281675
- In HKEY_CLASSES_ROOT\Toolbar.CT3281675
- CLSID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
- {01335480-2aed-4070-aff3-b4c8bc22ff35}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms
- {01335480-2aed-4070-aff3-b4c8bc22ff35}
- In HKEY_CURRENT_USER\Toolbar
- RegisteredSources
- In HKEY_CLASSES_ROOT\CLSID
- {F45AB5EB-4700-4745-AD30-7592EAB1C986}
- In HKEY_CLASSES_ROOT\CLSID\{F45AB5EB-4700-4745-AD30-7592EAB1C986}
- InprocServer32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms
- {f45ab5eb-4700-4745-ad30-7592eab1c986}
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\settings\BackHandStorage
- GlobalKeys
- In HKEY_LOCAL_MACHINE\Software\entrusted\toolbar
- InstalledApps
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts
- Settings
- In HKEY_LOCAL_MACHINE\Software\Conduit
- Community Alerts
- In HKEY_CLASSES_ROOT\CLSID
- {3c471948-f874-49f5-b338-4f214a2ee0b1}
- In HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}
- InprocServer32
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\settings
- Tips
手順 4
このレジストリ値を削除します。
警告:レジストリはWindowsの構成情報が格納されているデータベースであり、レジストリの編集内容に問題があると、システムが正常に動作しなくなる場合があります。
レジストリの編集はお客様の責任で行っていただくようお願いいたします。弊社ではレジストリの編集による如何なる問題に対しても補償いたしかねます。
レジストリの編集前にこちらをご参照ください。
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- MarkOldApps = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ALIGNMODE_ = "0"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ALLOW_SILENT_INSTALLATION_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _AUTOUPDATE_URL_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BHO_COMID_ = "{41578b15-ffa2-47f6-8fe1-1f0bf8a3317e}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BRANDDLLNAME_ = "tbentr.dll"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BRANDTOOLBARNAME_ = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BRANDTOOLBARSETUPFILENAME_ = "entrusted.exe"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BRANDTOOLBARSPONSORID_ = "CT3281675"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BRANDTOOLBARTITLE_ = "entrusted Toolbar"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _BUILDER_SERVER_ = "VM2254"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _CFGFILEPATH_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _CHROME25_FIX_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _COMID_ = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _COUNTRY_CODE_ = "US"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _CRE_MODE_ = "1"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _DEFAULT_BROWSER_INSTALLATION_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _DISPLAY_TRUSTE_SEAL_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _EMAIL_NOTIFY_SHOW_STATE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_ALERTS_ = "True"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_GROUPING_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_SEARCH_FROM_ADDRESS_ = "True"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_SEARCH_SUGGEST_FROM_ADDRESS_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_SEARCH_SUGGEST_FROM_ADDRESS_IE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENABLE_SEARCH_SUGGEST_FROM_SEARCH_BOX_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _ENVIRONMENT_ = "conduit"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _FF_AUTOUPDATE_URL_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _FINDBAR_COMID_ = "{f45ab5eb-4700-4745-ad30-7592eab1c986}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _IE_EXE_MODE_ = "1"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _INSTALATIONDIRECTORY_ = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _INSTALL_SP_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _INSTALL_TOOLBAR_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _IS_MOZILLA_RETENTION_DIALOG_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _LINKWRITEUS_ = "anders@opencandy.com"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _MAM_ENABLED_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _MULTI_COMMUNITY_ENABLED_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _MULTI_UNINSTALLER_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _MY_STUFF_ENABLED_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _MYWEBSERVERURL_ = "http://entrusted.OurToolbar.com"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _POPUP_SHOW_STATE_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _PRODUCT_ID_ = "10"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _RADIO_SHOW_STATE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _REALTOOLBARNAME_ = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _REGMAINKEY_ = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _REGSUBKEY_ = "toolbar"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SEARCH_FROM_ADDRESS_URL_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SEARCH_PROVIDER_ = "CUSTOMIZED"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SEARCH_PROVIDER_ID_ = "2"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SEARCH_PROVIDER_NAME_ = "Bing"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SEARCH_REVERT_ = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SERVER_ = "users.conduit.com"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SET_DEFAULT_SEARCH_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUP_FIX_404_CHK_BOX_VAL_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUP_PUBLISHER_LOGO_IMG_PATH_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUP_SHOW_FIX_404_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUPICONPATH_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUPPATH_ = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SETUPSOURCESPATH_ = "\\{BLOCKED}8.17.111\clients\SetupSource\ChromeWebToolbar\10.23.0.822"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SHOWUNINSTALLPAGE_ = "True"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SP_CHP_URL_ = "http://www.{BLOCKED}t.com/privacy/search-protect-description.aspx"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _SSO_ID_ = "CB48B495-F878-40EA-AA03-196C985E13C3"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _START_PAGE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _TOOLBAR_API_COMID_ = "{01335480-2aed-4070-aff3-b4c8bc22ff35}"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _TOOLBAR_LANGUAGE_ = "EN"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _TRUSTE_SEAL_URL_ = "http://trust.{BLOCKED}t.com/CT3281675"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _TWITTER_SHOW_STATE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _UM_ = "2"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _UNINSTALL_FROM_ADD_REMOVE_ENABLED_ = "False"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _WEATHER_SHOW_STATE_ = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _WEBSERVERURL_ = "http://entrusted.OurToolbar.com"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- _XPE_MODE_ = "1"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- TOOLBARNAME = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\ISM\IE
- TimeStamp = "2235d"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- GroupingServerURL = "http://grouping.{BLOCKED}es.conduit.com"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- SearchServerUrl = "http://search.{BLOCKED}t.com"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Server = "users.conduit.com"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- ShouldPerformGroupByOS = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- UsageURL = "http://usage.{BLOCKED}s.conduit.com/UsersWebService.asmx/UsersRequests"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- WebServerUrl = "http://entrusted.OurToolbar.com"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Write us link = "anders@opencandy.com"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- ShouldCheckEnableAlerts = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- CabinetVisible = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- ExplorerVisible = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- FirstTime = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- Visible = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- EnableSearchFromAddress = "true"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- SearchFromAddressUrl = "{random characters}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- OpenSetupFinishPage = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- ShouldSendReferalCookie = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- SaveRevertSettingsData = "false"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector
- NotifyOfSettingsChange = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector\HomePage
- HPProtectCount = "0"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector\BrowserSearch
- DSProtectCount = "0"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector
- SendProtectorDataViaLogin = "TRUE"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Enable Browser Extensions = "yes"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Use Search Asst = "no"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- LoginRequestsNum = "0"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- AUTOUPDATE = "1"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\MyStuff
- StagingEnable = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Monitored
- SHRINK_TOOLBAR = "0"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\RadioPlayer
- ShrinkState = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- UserMode = "2"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- ContextMenuUserMode = "2"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- SessionID = "{22809240-35D6-4815-BCE1-7EB1256D2C59}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- UninstallType = "IE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\Search\Settings
- ShowSearchSuggestions = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ComId = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ToolbarAPIComId = "{01335480-2aed-4070-aff3-b4c8bc22ff35}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- FindBarComId = "{f45ab5eb-4700-4745-ad30-7592eab1c986}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- DisplayName = "entrusted"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- DisplayTitle = "entrusted Toolbar"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- GroupingEnabled = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- InstallationType = "ConduitNSISIntegration"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- MultiCommunityEnabled = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- Path = "%Program Files%\entrusted"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- Server = "users.conduit.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ShouldPerformGroupByOS = "TRUE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ShouldShowPersonalComponentDlg = "false"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- SponsorId = "CT3281675"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ToolbarHelperFileName = "%Program Files%\entrusted\entrustedToolbarHelper.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- PlatformType = "ConduitToolbarMyStuff"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- IsEngineHost = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- AllowToUninstallFromEngine = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ToolbarDllName = "tbentr.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- LoaderDllName = "ldrtbentr.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- HookDllName = "hktbentr.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- Hook64DllName = "hk64tbentr.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- AutoUpdateHelperPath = "%Application Data%\Conduit\CT3281675\entrustedAutoUpdateHelper.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- AllowUntrustedApps = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ProtectHomePage = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ProtectBrowserSearch = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- PublisherProtectHomePage = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- PublisherProtectBrowserSearch = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- IsConduitAppsToolbar = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ImportMyStuffApps = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- EnableAlertsFromInstallation = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- NavigateToUrlOnSearch = "FALSE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\InstallationGlobalKeys
- CT3281675 = "{mam_gk_installer_preapproved:0}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ShouldSendToolbarAge = "TRUE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\Communicator
- Url = "http://servicemap.{BLOCKED}t-services.com/Toolbar/?ownerId=EB_ORIGINAL_CTID"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\Communicator
- UsageUrl = "http://usage.{BLOCKED}r.conduit-services.com/ToolbarUsage.ashx"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
- Name = "entrusted"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ForceEngineUninstall = "TRUE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
- {e44a1809-4d10-4ab8-b343-3326b64c7cdd} = "entrusted Toolbar"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- SocialDomains = "http://apps.conduit.com; http://social.conduit.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- BrowserSearchURL = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- BrowserSearchDisplayName = "entrusted Customized Web Search"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- BrowserSuggestionsURL = "{random characters}"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
- DisplayName = "entrusted Customized Web Search"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
- URL = "{random characters}"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
- DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector\BrowserSearch
- DSInstall = "TRUE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\HomePage
- {e44a1809-4d10-4ab8-b343-3326b64c7cdd} = "{random characters}"
- In HKEY_CURRENT_USER\Software\Conduit\RevertSettings
- ConduitLatestHomePage = "{random characters}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\FeatureProtector\HomePage
- HPInstall = "TRUE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- DisplayName = "entrusted Toolbar for IE"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- DisplayVersion = "6.17.2.8"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- HelpLink = "http://entrusted.OurToolbar.com/help"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- Publisher = "entrusted"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- URLInfoAbout = "http://entrusted.OurToolbar.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- DisplayIcon = "%User Profile%\CT3281675\SetupIcon.ico"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- EstimatedSize = "294"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT3281675
- UninstallString = "{random characters}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- LoaderDllName = "ldrtbentr.dll"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- ToolbarDllName = "tbentr.dll"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- HookDllName = "hktbentr.dll"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- Hook64DllName = "hk64tbentr.dll"
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook
- ActiveHookToolbarName = "entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook\entrusted
- HookDllPath = "%Application Data%\entrusted"
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook\entrusted
- HookDllVersion = "6.17.2.8"
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook\entrusted
- HookDllName = "hktbentr.dll"
- In HKEY_CURRENT_USER\Software\Conduit\IE\Hook\entrusted
- Hook64DllName = "hk64tbentr.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- ProxyDllPath = "%Program Files%\entrusted\prxtbentr.dll"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- DisplayName = "entrusted"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- ToolbarInstallTime = "52ab3f61"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- version = "6.17.2.8"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E44A1809-4D10-4AB8-B343-3326B64C7CDD}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
- {E44A1809-4D10-4AB8-B343-3326B64C7CDD} = "entrusted Toolbar"
- In HKEY_CURRENT_USER\Software\Smartbar
- GlobalUserId = "9F7CC2C6-93F9-4DBE-8E4E-7D095A3E7E24"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Toolbars
- entrusted Toolbar = "{E44A1809-4D10-4AB8-B343-3326B64C7CDD}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- ToolbarRunFirstTimeAfterInstall = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Repository\conduit_CT3281675\Coordinator
- ResetServiceMap = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- VistaElevationComId = "{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
- AppPath = "%Program Files%\entrusted"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
- AppName = "entrustedToolbarHelper.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9389F6B-8DDF-45D1-9743-FE6264ABEB65}
- Policy = "3"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- AutoupdateElevationComId = "{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
- AppPath = "%Application Data%\Conduit\CT3281675"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
- AppName = "entrustedAutoUpdateHelper.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCA4E328-8C78-4D90-866E-6DC3C9C17CE7}
- Policy = "3"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01335480-2AED-4070-AFF3-B4C8BC22FF35}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{01335480-2aed-4070-aff3-b4c8bc22ff35}
- HostID = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e44a1809-4d10-4ab8-b343-3326b64c7cdd}
- NoExplorer = "1"
- In HKEY_CURRENT_USER\Toolbar\RegisteredSources
- CT3281675 = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
- PendingFileRenameOperations = "\??\%User Temp%\nsn3.tmp\nsisdl.dll"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\IE5
- ToolbarHeight = "1c"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F45AB5EB-4700-4745-AD30-7592EAB1C986}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{f45ab5eb-4700-4745-ad30-7592eab1c986}
- HostID = "{e44a1809-4d10-4ab8-b343-3326b64c7cdd}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\BackHandStorage\GlobalKeys
- mam_gk_installer_preapproved = "{random values}"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- AutoUpdateEnabled = "TRUE"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- ALPClientsServerName = "http://alert.{BLOCKED}t.conduit.com"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- ALPServicesServerName = "http://alert.{BLOCKED}es.conduit.com"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- ShowAlerts = "true"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Community Alerts
- Path = "%Program Files%\Conduit\Community Alerts\Alert.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- UserID = "238740DB-7F8F-4E32-8BB4-F75DBF2A7004"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- FirstTimeMessageDisplayed = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- SampleAlertWasShown = "FALSE"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- LoginMessageLastCheckTime = "0"
- In HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
- LoginMessageLastUpdateTime = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- OpenUninstallPage = "true"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- MultiCommunityEnabled = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Monitored
- MultiCommunityEnabled = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- GroupingEnabled = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Monitored
- GroupingEnabled = "FALSE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Monitored
- MultiCommunityID = "CT3281675"
- In HKEY_LOCAL_MACHINE\SOFTWARE\entrusted\toolbar
- UserID = "UN40667011881295725"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- UserID = "UN40667011881295725"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar
- MachineID = "SB_E0VDZWGTSPEIPGHO6ECYLKWRJ2E"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings
- SendUsageReport = "TRUE"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Repository\conduit_CT3281675\Coordinator
- LastRequestTime = "52ab3f6b"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
- Blob = "{random values}"
- In HKEY_CURRENT_USER\Software\entrusted\toolbar\Settings\Tips
- UsageIndication = "1"
手順 5
変更されたレジストリ値を修正します。
警告:レジストリはWindowsの構成情報が格納されているデータベースであり、レジストリの編集内容に問題があると、システムが正常に動作しなくなる場合があります。
レジストリの編集はお客様の責任で行っていただくようお願いいたします。弊社ではレジストリの編集による如何なる問題に対しても補償いたしかねます。
レジストリの編集前にこちらをご参照ください。
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- From: Start Page = "{random characters}"
To: Start Page = ""http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome""
- From: Start Page = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43F9B110D5BAFD48225231B0D0082B372FEF9A54
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43DDB1FFF3B49B73831407F6BC8B975023D07C50
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4072BA31FEC351438480F62E6CB95508461EAB2F
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F173F7DE99667AFA57AF80AA2D1B12FAC830338
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\284F55C41A1A7A3F8328D4C262FB376ED6096F24
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\273EE12457FDC4F90C55E82B56167F62F532E547
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\216B2A29E62A00CE820146D8244141B92511B279
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\209900B63D955728140CD13622D8C687A4EB0085
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F55E8839BAC30728BE7108EDE7B0BB0D3298224
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0048F8D37B153F6EA2798C323EF4F318A5624A9E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
手順 6
以下のファイルを検索し削除します。
- %User Temp%\nsn3.tmp\button.bmp
- %User Temp%\nsn3.tmp\System.dll
- %User Temp%\nsn3.tmp\OCSetupHlp.dll
- %User Temp%\nsn3.tmp\skinnedbutton.dll
- %User Temp%\nsn3.tmp\nsDialogs.dll
- %User Temp%\nsn3.tmp\nsisdl.dll
- %User Temp%\rmi/download-install_flash_player.exe
- %User Temp%\nsn3.tmp\statistic.dll
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\B8DCC36F-4F05-445F-B1EE-FD8FC38CBBDA
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\47A647BD-4905-48C7-9539-A95F199019A4
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\5254.ico
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\RAWinstaller.exe
- %User Temp%\nsd2D.tmp\System.dll
- %User Profile%\BB23B09C45224A2B959897BFAD6D4DB2\mconduitinstaller.exe
- %User Temp%\nsd2D.tmp\inetc.dll
- %User Temp%\nss110.tmp
- %User Temp%\nsh34.tmp\InetC.dll
- /END
- %User Temp%\ct3281675\stub.exe
- %User Temp%\nsh34.tmp\nsExec.dll
- %User Temp%\nsl46.tmp\System.dll
- %User Temp%\nsl46.tmp\inetc.dll
- %User Temp%\nsl46.tmp\t.txt
- %User Temp%\nsf50.tmp
- %User Temp%\ct3281675\ctbe.exe
- %User Temp%\nsl46.tmp\nsExec.dll
- %User Temp%\ct3281675\ieLogic.exe
- %User Temp%\ct3281675\statisticsStub.exe
- %User Temp%\nsg5D.tmp\inetc.dll
- %User Temp%\ct3281675\setup.ini.txt
- %User Temp%\nsa6B.tmp\inetc.dll
- %User Temp%\ct3281675\chromeid.txt
- %User Temp%\nsi88.tmp
- %User Temp%\nsn8A.tmp\PublisherLogoDefault.bmp
- %User Temp%\nsn8A.tmp\setup_top.bmp
- %User Temp%\nsn8A.tmp\alerts_icon.bmp
- %User Temp%\nsn8A.tmp\truste_setup.bmp
- %User Temp%\nsn8A.tmp\search_icon.bmp
- %User Temp%\nsn8A.tmp\home_icon.bmp
- %User Temp%\nsn8A.tmp\revert_icon.bmp
- %User Temp%\nsn8A.tmp\nsUtils.dll
- %User Temp%\nsl95.tmp.tbentr.dll
- %User Temp%\toolbar.cfg
- %User Temp%\nsn8A.tmp\System.dll
- %User Temp%\nsn8A.tmp\license.txt
- %Program Files%\entrusted\toolbar.cfg
- %Program Files%\entrusted\entrustedToolbarHelper.exe
- %Application Data%\Conduit\CT3281675\entrustedAutoUpdateHelper.exe
- %Program Files%\entrusted\tbentr.dll
- %Program Files%\entrusted\prxtbentr.dll
- %Program Files%\entrusted\ldrtbentr.dll
- %Program Files%\entrusted\hktbentr.dll
- %Program Files%\entrusted\hk64tbentr.dll
- %Program Files%\entrusted\GottenAppsContextMenu.xml
- %Program Files%\entrusted\OtherAppsContextMenu.xml
- %Program Files%\entrusted\SharedAppsContextMenu.xml
- %Program Files%\entrusted\ToolbarContextMenu.xml
- %User Profile%\CT3281675\UninstallerUI.exe
- %User Profile%\CT3281675\SetupIcon.ico
- %Program Files%\Conduit\Community Alerts\Alert.dll
- %User Profile%\CT3281675\configutaion.json
- %User Temp%\nsn8A.tmp\nsJSON_2_0_1_1.dll
- %User Temp%\SPStub.exe
- %User Temp%\nsaCA.tmp\inetc.dll
- %User Profile%\Res\SPSetup.exe
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\CabDD.tmp
- %User Temp%\TarDF.tmp
- %User Temp%\nsf106.tmp\InetC.dll
- 1
- %User Temp%\nsh34.tmp\ns41.tmp
- %User Temp%\nsl46.tmp\ns58.tmp
- %User Temp%\nsl46.tmp\ns66.tmp
- %User Temp%\nsl46.tmp\ns74.tmp
- %User Temp%\nsl46.tmp\ns83.tmp
- %User Temp%\nsl46.tmp\nsE9.tmp
- %User Temp%\nsl46.tmp\nsF0.tmp
- %User Temp%\nsl46.tmp\nsF7.tmp
- %User Temp%\nsl46.tmp\ns101.tmp
- %Application Data%\entrusted\ldrtbentr.dll
- %Application Data%\entrusted\tbentr.dll
- %Application Data%\entrusted\hktbentr.dll
- %Application Data%\entrusted\hk64tbentr.dll
- %Application Data%\entrusted\toolbar.cfg
手順 7
以下のフォルダを検索し削除します。
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %User Temp%\nsn3.tmp
- %User Temp%\rmi
- %User Profile%\Application Data\OpenCandy
- %User Profile%\OpenCandy\BB23B09C45224A2B959897BFAD6D4DB2
- %System Root%\Documents and Settings\Wilbert
- %User Temp%\nsd2D.tmp
- %User Temp%\nsh34.tmp
- %User Temp%\ct3281675
- %User Temp%\nsl46.tmp
- %User Temp%\nsg5D.tmp
- %User Temp%\nsa6B.tmp
- %User Temp%\nsn8A.tmp
- %Program Files%\entrusted
- %Application Data%\Conduit
- %Application Data%\Conduit\CT3281675
- %User Profile%\Application Data\Conduit
- %User Profile%\Conduit\IE
- %User Profile%\IE\CT3281675
- %User Profile%\Conduit\Multi
- %User Profile%\Multi\CT3281675
- %Program Files%\Conduit
- %Program Files%\Conduit\Community Alerts
- %User Temp%\nsaCA.tmp
- %User Profile%\Application Data\SearchProtect
- %User Profile%\SearchProtect\Res
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
- %User Temp%\nsf106.tmp
手順 8
最新のバージョン(エンジン、パターンファイル)を導入したウイルス対策製品を用い、ウイルス検索を実行してください。「TROJ_JOYDLOAD.A」と検出したファイルはすべて削除してください。 検出されたファイルが、弊社ウイルス対策製品により既に駆除、隔離またはファイル削除の処理が実行された場合、ウイルスの処理は完了しており、他の削除手順は特にありません。
手順 9
以下のファイルをバックアップを用いて修復します。なお、マイクロソフト製品に関連したファイルのみ修復されます。このマルウェア/グレイウェア/スパイウェアが同社製品以外のプログラムをも削除した場合には、該当プログラムを再度インストールする必要があります。
- %User Temp%\nss1.tmp
- %User Temp%\nsn3.tmp
- %Temp%\scs18.tmp
- %Temp%\scs1B.tmp
- %User Temp%\nsv28.tmp
- ConduitRBCB_e1v0.exe
- %User Temp%\nst2B.tmp
- %User Temp%\nsd2D.tmp
- RAWinstaller.exe
- %User Temp%\nsm32.tmp
- %User Temp%\nsh34.tmp
- %User Temp%\nsh34.tmp\ns41.tmp
- %User Temp%\nsv44.tmp
- %User Temp%\nsl46.tmp
- %User Temp%\nsl46.tmp\ns58.tmp
- %User Temp%\nsl46.tmp\ns66.tmp
- %User Temp%\nsl46.tmp\ns74.tmp
- %User Temp%\nsl46.tmp\ns83.tmp
- %User Temp%\nsl46.tmp\nsE9.tmp
- %User Temp%\nsl46.tmp\nsF0.tmp
- %User Temp%\nsl46.tmp\nsF7.tmp
- %User Temp%\nsl46.tmp\ns101.tmp
- %User Temp%\nsq5B.tmp
- %User Temp%\nsg5D.tmp
- %User Temp%\nsv69.tmp
- %User Temp%\nsa6B.tmp
- %User Temp%\nsv77.tmp
- %User Temp%\nss86.tmp
- %User Temp%\nsn8A.tmp
- %User Temp%\nspC8.tmp
- %User Temp%\nsaCA.tmp
- %User Temp%\nswEC.tmp
- %User Temp%\nskF3.tmp
- %User Temp%\nsmFA.tmp
- %User Temp%\nsf104.tmp
- %User Temp%\nsf106.tmp
- %User Temp%\ct3281675\conduitStatistics.csf
手順 10
以下の削除されたレジストリキーまたはレジストリ値をバックアップを用いて修復します。
※註:マイクロソフト製品に関連したレジストリキーおよびレジストリ値のみが修復されます。このマルウェアもしくはアドウェア等が同社製品以外のプログラムも削除した場合には、該当プログラムを再度インストールする必要があります。
- In HKEY_CURRENT_USER\Software\Conduit
- ISM
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
- {E44A1809-4D10-4AB8-B343-3326B64C7CDD}
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
- {E44A1809-4D10-4AB8-B343-3326B64C7CDD}
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}
- Enum
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}
- Enum
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{00021493-0000-0000-C000-000000000046}
- Enum
ご利用はいかがでしたか? アンケートにご協力ください