• Email
• Facebook
• Twitter
• Google+
• Linkedin

PUA.Win32.BundledGTB.A

---

• マルウェアタイプ: 潜在的に迷惑なアプリケーション
• 破壊活動の有無: なし
• 暗号化:  
• 感染報告の有無: はい

---

  概要

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

---

  詳細

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のプロセスを追加します。

• ping -n 1 -w 5000 www.piriform.com
• %System Root%\Program Files\CCleaner\CCleaner64.exe /createSkipUAC
• "%System Root%\Program Files\Internet Explorer\iexplore.exe" http://www.{BLOCKED}rm.com/go/app_releasenotes?p=1&v=5.11.5408&l=1033&b=1&a=0
• "http://www.{BLOCKED}rm.com/go/app_releasenotes?p=1&v=5.11.5408&l=1033&b=1&a=0" --new-window
• %System Root%\Program Files\CCleaner\CCleaner64.exe
• %System Root%\Program Files\CCleaner\CCleaner64.exe /monitor
• %System%\sppsvc.exe
• "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
• %System%\svchost.exe -k LocalServiceAndNoImpersonation

マルウェアは、以下のフォルダを作成します。

• %System Root%\Program Files\CCleaner\Lang
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs
• %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft
• %System Root%\Program Files
• %User Profile%\AppData
• %All Users Profile%\Microsoft\Windows\Start Menu
• %All Users Profile%\Microsoft\Windows
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\CCleaner
• %System Root%\Users
• %All Users Profile%\Microsoft
• %System Root%\Program Files\CCleaner

(註：%System Root%フォルダは、オペレーティングシステム(OS)が存在する場所で、いずれのOSでも通常、 "C:" です。.. %All Users Profile%フォルダは、ユーザの共通プロファイルフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\All Users” です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\ProgramData” です。. %Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %User Profile%フォルダは、現在ログオンしているユーザのプロファイルフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞" です。)

自動実行方法

マルウェアは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CCleaner Monitoring = "%System Root%\Program Files\CCleaner\CCleaner64.exe /MONITOR"

他のシステム変更

マルウェアは、以下のファイルを改変します。

• %User Temp%\AdobeARM.log
• %Windows%\DtcInstall.log
• %Windows%\setupact.log
• %Windows%\setuperr.log
• %Windows%\debug\PASSWD.LOG
• %Windows%\security\logs\scesetup.log
• %Windows%\security\logs\scecomp.old

(註：%User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。. %Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.)

マルウェアは、以下のファイルを削除します。

• %Windows%\Tasks\CCleanerSkipUAC.job

(註：%Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.)

マルウェアは、以下のフォルダを削除します。

• %User Temp%\nsz5A8F.tmp

(註：%User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。)

マルウェアは、以下のレジストリキーを追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Google\
Google Toolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Google\
No Toolbar Offer Until

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\
Shell\Run CCleaner\command

HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\
Shell\Open CCleaner...\command

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\
CCleaner

HKEY_CLASSES_ROOT\cclaunch

HKEY_CLASSES_ROOT\cclaunch\shell

HKEY_CLASSES_ROOT\cclaunch\shell\
open

HKEY_CLASSES_ROOT\cclaunch\shell\
open\command

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\App Paths\
ccleaner.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner

HKEY_USERS\.DEFAULT\Software\
Piriform\CCleaner

HKEY_USERS\S-1-5-19\Software\
Piriform\CCleaner

HKEY_USERS\S-1-5-20\Software\
Piriform\CCleaner

HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\
Piriform\CCleaner

HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500_Classes\Software\
Piriform\CCleaner

マルウェアは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Google Toolbar
test = "test"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Shell Extensions\
Cached
{random string} = "\x01\x00\x00\x00\x00\x00\x00\x00k\x8a\x0b\xb8\xaeg\xd5\x01"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\
Run CCleaner\command
(Default) = "%System Root%\Program Files\CCleaner\ccleaner.exe /AUTORB"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\
Open CCleaner...\command
(Default) = "%System Root%\Program Files\CCleaner\ccleaner.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\
CCleaner
UpdateCheck = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
cclaunch
(Default) = "URL: CCleaner Protocol"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
cclaunch
URL Protocol = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
cclaunch\shell
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
cclaunch\shell\open
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
cclaunch\shell\open\
command
(Default) = "%System Root%\Program Files\CCleaner\ccleaner.exe /%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
ccleaner.exe
(Default) = "%System Root%\Program Files\CCleaner\CCleaner64.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
ccleaner.exe
Path = "%System Root%\Program Files\CCleaner"

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\
CCleaner
(Default) = "%System Root%\Program Files\CCleaner"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
DisplayName = "CCleaner"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
UninstallString = "%System Root%\Program Files\CCleaner\uninst.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
Publisher = "Piriform"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
InstallLocation = "%System Root%\Program Files\CCleaner"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
VersionMajor = "5"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
VersionMinor = "11"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
DisplayVersion = "5.11"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner
DisplayIcon = "%System Root%\Program Files\CCleaner\CCleaner64.exe"

HKEY_USERS\.DEFAULT\SOFTWARE\
Piriform\CCleaner
AutoICS = "1"

HKEY_USERS\S-1-5-19\Software\
Piriform\CCleaner
AutoICS = "1"

HKEY_USERS\S-1-5-20\Software\
Piriform\CCleaner
AutoICS = "1"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
AutoICS = "1"

HKEY_CURRENT_USER\Software\Classes\
Software\Piriform\CCleaner
AutoICS = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer
GlobalAssocChangedCounter = "12"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
Language = "1033"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
SkipUAC = "1"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
UpdateKey = "09/10/2019 08:06:55 AM"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
WipeFreeSpaceDrives = "%System Root%"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
CookiesToSave = "{random characters}"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
RunICS = "0"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
Monitoring = "1"

HKEY_CURRENT_USER\Software\Piriform\
CCleaner
SystemMonitoring = "1"

マルウェアは、以下のレジストリキーを削除します。

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Google Toolbar\test

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
CCleaner\InstallDate

HKEY_CURRENT_USER\Software\Piriform\
CCleaner\AutoICS

HKEY_CURRENT_USER\Software\Piriform\
CCleaner\AutoUpdateNotificationExpiryTime

作成活動

マルウェアは、以下のファイルを作成します。

• %System Root%\Program Files\CCleaner\Lang\lang-1054.dll
• %All Users Profile%\Microsoft\Search\Data\Applications\Windows\MSS0000D.log
• %System Root%\Program Files\CCleaner\Lang\lang-1029.dll
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_InaccurateSystemTime.ps1
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\CL_Utility.ps1
• %Windows%\Panther\UnattendGC\setupact.log
• %System Root%\Program Files\CCleaner\Lang\lang-2052.dll
• %Windows%\Temp\TS_BE95.tmp
• %System Root%\Program Files\CCleaner\Lang\lang-1045.dll
• %AppDataLocal%\Microsoft\Feeds Cache\COOE7IBP\fwlink[2]
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{2FC6C179-A7BF-4BCE-8F12-19A9E914FC76}
• %User Temp%\ose00000.exe
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\an-imp.bid.ace.advertising[1].xml
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{F1C5CECF-2C7E-4512-9ACD-7CAB7C0AE1E8}
• %System Root%\Program Files\CCleaner\Lang\lang-1081.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1026.dll
• %Application Data%\Microsoft\Office\Recent\Templates.LNK
• %System Root%\Program Files\CCleaner\Lang\lang-1071.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1050.dll
• %Windows%\PFRO.log
• %Application Data%\Microsoft\Office\Recent\index.dat
• %System Root%\Program Files\CCleaner\Lang\lang-1044.dll
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\PDYB5D8B\www.dropbox[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1042.dll
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{211D5B32-87D3-4E7D-BB9E-851130F2AA39}
• %Windows%\Temp\TS_97FC.tmp
• %All Users Profile%\Microsoft\Network\Downloader\qmgr1.dat
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{1501753C-381A-46FD-87CE-0E9D58A990F7}
• %AppDataLocal%\Microsoft\Feeds Cache\8TQ1M9OZ\desktop.ini
• %Windows%\Temp\TS_735A.tmp
• %System Root%\Program Files\CCleaner\Lang\lang-1049.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1079.dll
• %Windows%\IE11_main.log
• %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
• %AppDataLocal%\Microsoft\Feeds Cache\NWKETFVL\fwlink[1]
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\PDYB5D8B\c.betrad[1].xml
• %User Temp%\MSIcaa33.LOG
• %User Temp%\WebInstaller\ServiceUpdaterLogs.log
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\sessionstore-backups\previous.jsonlz4
• %Windows%\debug\sammui.log
• %System Root%\Program Files\CCleaner\uninst.exe
• %User Temp%\{username}.bmp
• %System Root%\Program Files\CCleaner\Lang\lang-9999.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1061.dll
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\GUFNQG0Q\ad.doubleclick[1].xml
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{1B4E836F-F983-4549-A9B2-21331043FDE0}
• %User Temp%\Microsoft .NET Framework 4.5.2 Setup_20161212_135033207.html
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\webappsstore.sqlite-wal
• %System Root%\Program Files\CCleaner\Lang\lang-1053.dll
• %Windows%\Temp\MpCmdRun.log
• %Windows%\Logs\DPX\setupact.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{8783061A-9641-46A0-82CB-CEC374BA6659}
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\DiagPackage.diagpkg
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{AB56FE97-CBDE-4A5E-A1F1-B66F12D98965}
• %Windows%\Temp\TS_A1EE.tmp
• %System Root%\Program Files\CCleaner\Lang\lang-1043.dll
• %Windows%\Temp\Crashpad\settings.dat
• %System Root%\Program Files\CCleaner\Lang\lang-1057.dll
• %Windows%\Temp\TS_73C9.tmp
• %Windows%\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\8a795e84ea16233eada1782efb7b6985ae5a6631.HomeGroupClassifier\e4ae042598e65e6b1960d6d527a91d4b\grouping\edb00056.log
• %User Temp%\wmsetup.log
• %Windows%\Temp\Crashpad\metadata
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_UserWERQueue.ps1
• %Windows%\Performance\WinSAT\winsat.log
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\sessionstore-backups\upgrade.jsonlz4-20190326175229
• %AppDataLocal%\Microsoft\Windows\WebCache\V0100107.log
• %Windows%\Panther\setuperr.log
• %User Temp%\chrome_installer.log
• %System Root%\Program Files\CCleaner\CCleaner64.exe
• %Windows%\Logs\IE11_NR_Setup.log
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_idx.db
• %AppDataLocal%\Microsoft\Feeds Cache\JPOHUSHF\fwlink[2]
• %AppDataLocal%\Microsoft\Internet Explorer\MSIMGSIZ.DAT
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk
• %User Temp%\Adobe_ADMLogs\Adobe_ADM.log
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_1024.db
• %User Temp%\MSI97997.LOG
• %AppDataLocal%\Microsoft\Windows\WebCache\V01.log
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner Homepage.url
• %User Temp%\dd_wcf_CA_smci_20161212_135110_351.txt
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{7362242C-EEF6-4FA5-B107-29275EC4FB85}
• %System Root%\Program Files\CCleaner\Lang\lang-1102.dll
• %Windows%\Panther\setupact.log
• %System Root%\Program Files\CCleaner\Lang\lang-1028.dll
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_DiagnosticHistory.ps1
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\82DF2NUK\c.betrad[1].xml
• %System Root%\Program Files\CCleaner\CCleaner.exe
• %System Root%\Program Files\CCleaner\Lang\lang-1052.dll
• %Windows%\Temp\TS_A385.tmp
• %AppDataLocal%\Microsoft\Feeds Cache\desktop.ini
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\GUFNQG0Q\cdn.w55c[1].xml
• %User Temp%\Guest.bmp
• %Application Data%\Microsoft\Office\Recent\data.LNK
• %Windows%\Temp\TS_987A.tmp
• %Windows%\inf\setupapi.app.log
• %Windows%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log
• %Windows%\Temp\MpSigStub.log
• %User Temp%\MSIa2c4d.LOG
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{449D044E-1541-4BA4-A54F-B1F21EF6D113}
• %System Root%\Program Files\CCleaner\Lang\lang-1110.dll
• %User Temp%\dd_vcredistMSI0FC1.txt
• %Windows%\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log
• %AppDataLocal%\Mozilla\Firefox\Profiles\lj5mikyj.default\OfflineCache\index.sqlite
• %Windows%\Temp\sciD376.tmp
• %Windows%\Temp\TS_A412.tmp
• %User Temp%\au-descriptor-1.8.0_211-b12.xml
• %User Temp%\MSIb5e83.LOG
• %All Users Profile%\McAfee\MCLOGS\Common\SmallInstaller\SmallInstaller000.log
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_MachineWERQueue.ps1
• %System Root%\Program Files\CCleaner\Lang\lang-1037.dll
• %All Users Profile%\McAfee\MCLOGS\PartnerCustom\SSScheduler\SSScheduler000.log
• %User Temp%\jawshtml.html
• %All Users Profile%\McAfee\MCLOGS\PartnerCustom\Un_A\Un_A000.log
• %System Root%\Program Files\CCleaner\Lang\lang-1027.dll
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_96.db
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\en-US\CL_LocalizationData.psd1
• %System Root%\Users\Public\Desktop\CCleaner.lnk
• %User Temp%\dd_vcredistMSI0FD5.txt
• %User Temp%\vmmsi.log_20170124_112725.log
• %User Temp%\dd_wcf_CA_smci_20161212_135109_353.txt
• %Windows%\Logs\DISM\dism.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{75530F4C-8F76-483B-8CA3-661BBA9307B9}
• %User Temp%\vminst.log_20170124_112725.log
• %Windows%\Temp\DMIC57F.tmp
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\GUFNQG0Q\www.pluralsight[1].xml
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\PDYB5D8B\tag.sp.advertising[1].xml
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{DA1213B6-2325-4F72-BADA-733D11D861B1}
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_BrokenShortcuts.ps1
• %User Temp%\MSI547d8.LOG
• %User Temp%\MSI18620.LOG
• %AppDataLocal%\Microsoft\Windows\History\Low\History.IE5\container.dat
• %User Temp%\AdobeSFX.log
• %All Users Profile%\Microsoft\Search\Data\Applications\Windows\MSS.log
• %User Temp%\SetupExe(201701240615299E0).log
• %Windows%\Temp\TS_9E74.tmp
• %Windows%\TSSysprep.log
• %User Temp%\MSIf9aa9.LOG
• %System Root%\Program Files\CCleaner\Lang\lang-1109.dll
• %User Temp%\MSIa6383.LOG
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{FE64A55E-136F-44F2-8203-5C1A3CF203D9}
• %All Users Profile%\McAfee\MCLOGS\SmallInstaller\SmallInstaller000.log
• %Application Data%\Microsoft\Office\Recent\tmp.doc.LNK
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{23C9CD79-C783-48F4-8529-B08050572200}
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_UserDiagnosticHistory.ps1
• %Windows%\inf\setupapi.dev.log
• %AppDataLocal%\Microsoft\Feeds Cache\NWKETFVL\fwlink[2]
• %System Root%\Program Files\CCleaner\Lang\lang-1055.dll
• %User Temp%\dd_SetupUtility.txt
• %User Temp%\Tom.bmp
• %Windows%\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\8a795e84ea16233eada1782efb7b6985ae5a6631.HomeGroupClassifier\e4ae042598e65e6b1960d6d527a91d4b\grouping\edb.log
• %Application Data%\Microsoft\Office\fbc4807.tmp
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_32.db
• %Windows%\Panther\UnattendGC\setuperr.log
• %System Root%\Program Files\CCleaner\Lang\lang-1065.dll
• %User Temp%\MSId1a0.LOG
• %User Temp%\StructuredQuery.log
• %User Temp%\MSI19f3b.LOG
• %System Root%\Program Files\CCleaner\Lang\lang-5146.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1035.dll
• %User Temp%\MSI25c23.LOG
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cookies.sqlite
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\result\results.xsl
• %System Root%\Program Files\CCleaner\Lang\lang-1030.dll
• %User Temp%\Adobe_ADMLogs\Adobe_GDE.log
• %User Temp%\MSI5a7c3.LOG
• %User Temp%\FXSAPIDebugLogFile.txt
• %User Temp%\CheckUpdate.log
• %AppDataLocal%\Microsoft\Feeds Cache\JPOHUSHF\fwlink[1]
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\GUFNQG0Q\helpx.adobe[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1046.dll
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{74AB26B2-FB78-462C-8533-72277F0891A5}
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_RemoveUnusedDesktopIcons.ps1
• %User Temp%\ASPNETSetup_00000.log
• %Windows%\Logs\IE11_HardwareCheck.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{50C434EC-8204-4519-878C-1D96ECFC2C76}
• %System Root%\Program Files\CCleaner\Lang\lang-1155.dll
• %User Temp%\chrome_BITS_3756_19263\9.1_all_easylist.crx3
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_sr.db
• %User Temp%\MSIaaade.LOG
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\universal.iperceptions[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1036.dll
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\webappsstore.sqlite-shm
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cookies.sqlite-shm
• %All Users Profile%\McAfee\MCLOGS\PartnerCustom\McCHSvc\McCHSvc000.log
• %System Root%\Program Files\CCleaner\Lang\lang-1068.dll
• %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
• %System Root%\Program Files\CCleaner\Lang\lang-1038.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1040.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1062.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1048.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1059.dll
• %User Temp%\MSIbaba9.LOG
• %User Temp%\dd_vcredistUI0FC1.txt
• %System Root%\Program Files\CCleaner\Lang\lang-1063.dll
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\PDYB5D8B\www.microsoft[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1060.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1066.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1041.dll
• %All Users Profile%\Microsoft\Network\Downloader\qmgr0.dat
• %Windows%\Logs\CBS\CBS.log
• %AppDataLocal%\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{4555A5E7-C06D-11E6-8AB1-005056BC3E18}.dat
• %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_WERQueue.ps1
• %System Root%\Program Files\CCleaner\Lang\lang-3098.dll
• %All Users Profile%\McAfee\MCLOGS\PartnerCustom\550F8967-2EE2-4F33-8E16-1BFFBE114803\550F8967-2EE2-4F33-8E16-1BFFBE114803000.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{9F24D76D-6DFD-40E7-82C7-8ADBDDCC4703}
• %AppDataLocal%\Microsoft\Internet Explorer\Recovery\High\Last Active\{AD285A8B-713F-11E9-85F8-005056BC44A9}.dat
• %Windows%\Temp\TS_906D.tmp
• %User Temp%\dd_vcredistUI0FD5.txt
• %AppDataLocal%\Microsoft\Feeds Cache\NNO7APUS\ieonline.microsoft[1].microsoft[1]
• %System Root%\Program Files\CCleaner\Lang\lang-1058.dll
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{B1A67ACB-5EA3-4D6B-A8A7-EE585C2CCEF9}
• %AppDataLocal%\Microsoft\Feeds Cache\CRAV926P\desktop.ini
• %User Temp%\MSI20ab9.LOG
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\sessionCheckpoints.json
• %User Temp%\MSI351f6.LOG
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\ul1.dvtps[1].xml
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_AdminDiagnosticHistory.ps1
• %AppDataLocal%\Microsoft\Feeds Cache\M7X9O6Z1\desktop.ini
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\SiteSecurityServiceState.txt
• %User Temp%\jusched.log
• %System Root%\Program Files\CCleaner\Lang\lang-1067.dll
• %User Temp%\MSI733bc.LOG
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{87343C49-2C5C-43C3-9D84-B04144D9982D}
• %System Root%\Program Files\CCleaner\Lang\lang-1051.dll
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{73BE3E4B-61E2-4C42-A6D4-59A170F56334}
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{BB69DF7E-540D-42CB-BDEF-A49E8A899C4F}
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\PDYB5D8B\www.msn[1].xml
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\www.youtube[1].xml
• %AppDataLocal%\Microsoft\Feeds Cache\NKNYYDHU\desktop.ini
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\DiagPackage.dll
• %User Temp%\MSIbab6b.LOG
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\82DF2NUK\secure-ds.serving-sys[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1025.dll
• %User Temp%\RGI282A.tmp-tmp
• %AppDataLocal%\Microsoft\Feeds Cache\container.dat
• %User Temp%\MSI6f768.LOG
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_VolumeErrors.ps1
• %System Root%\Program Files\CCleaner\Lang\lang-1092.dll
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\en-US\DiagPackage.dll.mui
• %System Root%\Program Files\CCleaner\Lang\lang-1034.dll
• %User Temp%\Microsoft .NET Framework 4.5.2 Setup_20161212_135033207-MSI_netfx_Full_GDR_x64.msi.txt
• %System Root%\Program Files\CCleaner\Lang\lang-2070.dll
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\places.sqlite
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cookies.sqlite-wal
• %User Temp%\ASPNETSetup_00001.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{E9F526E5-0280-4337-A63E-3310EA7FDB7D}
• %System Root%\Program Files\CCleaner\Lang\lang-1032.dll
• %System Root%\Program Files\CCleaner\Lang\lang-1031.dll
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\82DF2NUK\www.google[1].xml
• %User Temp%\JavaDeployReg.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Resource\{E8259C30-9018-40DE-872C-F194A630A99C}
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\TS_UnusedDesktopIcons.ps1
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\permissions.sqlite
• %User Temp%\CR_E83EE.tmp\setup.exe
• %Windows%\Temp\TS_BF9F.tmp
• %Windows%\Logs\DPX\setuperr.log
• %All Users Profile%\Microsoft\Windows Defender\Scans\History\Results\Quick\{6C75477A-C74C-4EB9-8698-FFF7547DD73E}
• %User Temp%\MSI7e436.LOG
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\82DF2NUK\widgets.outbrain[1].xml
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\webappsstore.sqlite
• %User Temp%\MSIbee93.LOG
• %System Root%\Program Files\CCleaner\Lang\lang-1104.dll
• %AppDataLocal%\Microsoft\Feeds Cache\COOE7IBP\fwlink[1]
• %User Temp%\MSI11747.LOG
• %AppDataLocal%\Microsoft\Windows\Explorer\thumbcache_256.db
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\GUFNQG0Q\get.adobe[1].xml
• {malware file path and name}
• %User Temp%\dd_NDP452-KB2901907-x86-x64-AllOS-ENU_decompression_log.txt
• %System Root%\Program Files\CCleaner\Lang\lang-2074.dll
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_SyncSystemTime.ps1
• %User Temp%\MSI27204.LOG
• %Windows%\Temp\SDIAG_382c0e08-1d14-4bb1-b2c6-3c5c068fc13a\RS_RemoveShortcuts.ps1
• %All Users Profile%\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log
• %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\82DF2NUK\www.msn[1].xml
• %System Root%\Program Files\CCleaner\Lang\lang-1087.dll

その他

マルウェアは、以下の不正なWebサイトにアクセスします。

• http://service.{BLOCKED}rm.com/installcheck.aspx?{random characters}
• http://www.{BLOCKED}rm.com
• http://www.{BLOCKED}er.com

このウイルス情報は、自動解析システムにより作成されました。

---

  対応方法

ご利用はいかがでしたか？　アンケートにご協力ください