PUA.Win32.AppBundler.C

プログラムは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

侵入方法

プログラムは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

プログラムは、以下のプロセスを追加します。

• "%Program Files%\MarkAny\maepscourt\nos_launcher.exe"
• "%Program Files%\MarkAny\maepscourt\TrustedSiteCtrl_S.exe"
• %User Temp%\nos_setup.exe
• "%System%\sc.exe" control nossvc 200
• "%Program Files%\INCAInternet\nProtect Online Security\cert\certutil.exe" -L -d sql:"%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default"
• "%Program Files%\INCAInternet\nProtect Online Security\cert\certutil.exe" -d sql:"%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default" -A -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "%Program Files%\INCAInternet\nProtect Online Security\cert\nprotect-root_ca.cer"
• "%System%\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="%Program Files%\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
• netsh advfirewall firewall add rule name="nProtect Online Security Starter" program="%Program Files%\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
• %Program Files%\INCAInternet\nProtect Online Security\nprotect_install.exe /T:%System Root%\temp
• "%System%\sc.exe" create "nossvc" binPath= "\"%Program Files%\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto
• "%System%\sc.exe" description "nossvc" "nProtect Online Security(PFS)"
• "%System%\sc.exe" start "nossvc"
• "%Program Files%\INCAInternet\nProtect Online Security\nosstarter.npe" /SET
• "%Program Files%\INCAInternet\nProtect Online Security\nossvc.exe" /SVC
• "%Program Files%\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP
• "%Program Files%\INCAInternet\nProtect Online Security\nosstarter.npe" /SVC
• netsh advfirewall firewall add rule name="nProtect Online Security Updater" program="%Program Files%\INCAInternet\nProtect Online Security\npupdatec.exe" description="nProtect Online Security Updater" dir=Out action=allow protocol=any enable=yes profile=any

(註：%Program Files%フォルダは、デフォルトのプログラムファイルフォルダです。C:\Program Files in Windows 2000(32-bit)、Server 2003(32-bit)、XP、Vista(64-bit)、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files"です。また、Windows XP(64-bit)、Vista(64-bit)、7(64-bit)、8(64-bit)、8.1(64-bit)、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files（x86）" です。. %User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。. %System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.. %Application Data%フォルダは、現在ログオンしているユーザのアプリケーションデータフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Roaming" です。. %System Root%フォルダは、オペレーティングシステム(OS)が存在する場所で、いずれのOSでも通常、 "C:" です。.)

プログラムは、以下のフォルダを作成します。

• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll
• %System%\config\systemprofile\AppData\LocalLow\nProtect
• %Program Files%\INCAInternet UnInstall\nProtect Online Security\npx
• %Program Files%\INCAInternet\nProtect Online Security\npk
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd
• %Program Files%\INCAInternet\nProtect Online Security\ns
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network
• %AppDataLocal%Low\nProtect\nProtect Online Security
• %AppDataLocal%Low\nProtect\Log
• %Program Files%\MarkAny
• %Program Files%\MarkAny\maepscourt
• %Program Files%\INCAInternet UnInstall\nProtect Online Security
• %Program Files%\INCAInternet\nProtect Online Security\nps
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\INCAInternet
• %Program Files%\INCAInternet\nProtect Online Security\cert
• %Program Files%\Common Files\nProtect Shared\Engine
• %System%\config\systemprofile\AppData\LocalLow\nProtect\Log
• %Program Files%\INCAInternet\nProtect Online Security\bsc20
• %Program Files%\Common Files\nProtect Shared
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86
• %Program Files%\INCAInternet
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll
• %Program Files%\INCAInternet UnInstall
• %Program Files%\INCAInternet\nProtect Online Security\npx
• %AppDataLocal%Low\nProtect
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86
• %Program Files%\INCAInternet\nProtect Online Security
• %AppDataLocal%Low\nProtect\nProtect Online Security\npx

(註：%Program Files%フォルダは、デフォルトのプログラムファイルフォルダです。C:\Program Files in Windows 2000(32-bit)、Server 2003(32-bit)、XP、Vista(64-bit)、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files"です。また、Windows XP(64-bit)、Vista(64-bit)、7(64-bit)、8(64-bit)、8.1(64-bit)、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files（x86）" です。. %System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.. %AppDataLocal%フォルダは、ローカルアプリケーションデータフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local" です。. %All Users Profile%フォルダは、ユーザの共通プロファイルフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\All Users” です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\ProgramData” です。)

自動実行方法

プログラムは、自身をシステムサービスとして登録し、Windows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\nosku
ImagePath = "\??\%Windows%\syswow64\nosku64.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\nossvc
ImagePath = "%Program Files%\INCAInternet\nProtect Online Security\nossvc.exe /SVC"

他のシステム変更

プログラムは、以下のファイルを改変します。

• %Windows%\Temp\TarEF5E.tmp
• %Windows%\Temp\Cab4524.tmp
• %Windows%\Temp\TarA4FC.tmp
• %Windows%\Temp\CabD0B2.tmp
• %Windows%\Temp\Cab7A51.tmp
• %Windows%\Temp\Tar7A52.tmp
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\key4.db
• %Windows%\Temp\Tar26B9.tmp
• %Windows%\Temp\Cab26B8.tmp
• %Windows%\Temp\Cab3BC7.tmp
• %Windows%\Temp\CabE56C.tmp
• %Windows%\Temp\CabC5B8.tmp
• %Windows%\Temp\Cab3099.tmp
• %Windows%\Temp\Tar4525.tmp
• %Windows%\Temp\Tar10D7.tmp
• %Windows%\Temp\CabEF5D.tmp
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cert9.db
• %Windows%\Temp\TarD0B3.tmp
• %Windows%\Temp\Cab6568.tmp
• %Windows%\Temp\Cab465.tmp
• %Windows%\Temp\CabA4FB.tmp
• %Windows%\Temp\Tar3BC8.tmp
• %Windows%\Temp\Tar6569.tmp
• %Windows%\Temp\Tar309A.tmp
• %Windows%\Temp\TarC5B9.tmp
• %Windows%\Temp\Cab10D6.tmp
• %Windows%\Temp\TarB0A2.tmp
• %Windows%\Temp\CabB0A1.tmp
• %Windows%\Temp\TarE57D.tmp
• %Windows%\Temp\Tar466.tmp

(註：%Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %Application Data%フォルダは、現在ログオンしているユーザのアプリケーションデータフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Roaming" です。)

プログラムは、以下のフォルダを削除します。

• %User Temp%\nsp386F.tmp

(註：%User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。)

プログラムは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rprtregisterxctrl
(Default) = "URL:rprtregisterxctrl Protocol"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rprtregisterxctrl
URL Protocol = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rprtregisterxctrl\shell\open\
command
(Default) = "%Program Files%\markany\maepscourt\rprtregisterxctrl.exe %1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\RPRTSetup
DisplayName = "RPRTSetup"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\RPRTSetup
UninstallString = "%Program Files%\MarkAny\maepscourt\uninst_RPRTSetup.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\RPRTSetup
DisplayVersion = "1.0.0.20"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
INCAInternet
retDown = "-1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\ROOT\Certificates\
6C6DFA1ED61736476EDA0364D132A786CF3D3475
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SESSION MANAGER
PendingFileRenameOperations = ""

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SESSION MANAGER
PendingFileRenameOperations = "\x00\x00"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SESSION MANAGER
PendingFileRenameOperations = "\x00"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SESSION MANAGER
PendingFileRenameOperations = "\x00\x00\x007P"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
DisplayName = "nProtect Online Security V1.0(PFS)"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
DisplayIcon = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
DisplayVersion = "2020.04.29.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
Publisher = "INCA Internet Co., Ltd."

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
UninstallString = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\nProtect Online Security V1.0(PFS)
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
INCAInternet\nProtect Online Security\V1.0
InstallDate = "20200429"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
INCAInternet\nProtect Online Security\V1.0
devlog = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}
(Default) = "_Dnosxplatform"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\
ProxyStubClsid32
(Default) = "{00020420-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\
TypeLib
(Default) = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}
(Default) = "_DnosxplatformEvents"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\
ProxyStubClsid32
(Default) = "{00020420-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\
TypeLib
(Default) = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}
(Default) = "nosxplatform Property Page"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}\
InprocServer32
(Default) = "%Windows%\DOWNLO~1\NOSXPL~1.OCX"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
NOSXPLATFORM.nosxplatformCtrl.1
(Default) = "nosxplatform Control"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
NOSXPLATFORM.nosxplatformCtrl.1\CLSID
(Default) = "{861398E7-66F0-4083-A39E-7FC6AAB919A6}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}
(Default) = "nosxplatform Control"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
ProgID
(Default) = "NOSXPLATFORM.nosxplatformCtrl.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
InprocServer32
(Default) = "%Windows%\DOWNLO~1\NOSXPL~1.OCX"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
ToolboxBitmap32
(Default) = "%Windows%\DOWNLO~1\NOSXPL~1.OCX, 1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
MiscStatus
(Default) = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
MiscStatus\1
(Default) = "131473"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
Control
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
TypeLib
(Default) = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
Version
(Default) = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\
InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\nosku
Type = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\nosku
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\nosku
Start = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
INCAInternet\nProtect Online Security\V1.0
starterterminatedsafely = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\nossvc
DisplayName = "nProtect Online Security(PFS)"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\nossvc
Start = "SERVICE_AUTO_START"

作成活動

プログラムは、以下のファイルを作成します。

• %Program Files%\INCAInternet\nProtect Online Security\npk\noskes.dll
• %Program Files%\INCAInternet\nProtect Online Security\nps\nphapsie_eng.nph
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwfltU.dll
• %Program Files%\INCAInternet\nProtect Online Security\cert\certutil.exe
• %Program Files%\INCAInternet\nProtect Online Security\cert\nssdbm3.dll
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg1.npi
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cert9.db-journal
• %Program Files%\Common Files\nProtect Shared\Engine\BwtTrust.dll
• %Program Files%\INCAInternet\nProtect Online Security\ns\npinpnmini.npi
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\key4.db
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\tyavexcept.dat
• %System%\TKPcFtCb.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtHk64.sys
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg6.npi
• %Program Files%\INCAInternet\nProtect Online Security\npebsc20.npd
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkfwfltU.dll
• %System%\tkfwvt64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\npkfxa.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKFWVT64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFt2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskp.sys
• %Windows%\Temp\CabE56C.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.inf
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg5.npi
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKToolU.dll
• %Program Files%\Common Files\nProtect Shared\Engine\TYAVPU_000.bin
• %Program Files%\INCAInternet\nProtect Online Security\cert\Root Certification Authority.cer
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimain_conf.npi
• %Program Files%\INCAInternet\nProtect Online Security\cert\softokn3.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgAcu.dll
• %Program Files%\INCAInternet\nProtect Online Security\npeUpdate.xml
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg7.npi
• %Program Files%\MarkAny\maepscourt\nos_param.dat
• %Windows%\Temp\TarE57D.tmp
• %Program Files%\INCAInternet\nProtect Online Security\nossdk.npd
• %AppDataLocal%Low\nProtect\Log\nosstarter.npe.npo
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKCtrl2k64.sys
• %System%\TKIdsVt64.sys
• %Windows%\Temp\TarEF5E.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsAvMU.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsAv.sys
• %Program Files%\INCAInternet\nProtect Online Security\ns\nphapsie_eng.nph
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskm.dll
• %Program Files%\INCAInternet\nProtect Online Security\cert\libplds4.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tkids.sys
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimain_conf.npi
• %Program Files%\INCAInternet\nProtect Online Security\nosstarter.npe
• %Program Files%\INCAInternet\nProtect Online Security\nosuseractor.npe
• %Program Files%\INCAInternet\nProtect Online Security\npk\nosksdk64.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgAc2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrl.dll
• %System%\TKRgAc2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKIdsVt.sys
• %Program Files%\INCAInternet UnInstall\nProtect Online Security\npcf_win_32u.dll
• %Program Files%\INCAInternet\nProtect Online Security\npefsav.npd
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKCtrl2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskes64.dll
• %Program Files%\INCAInternet\nProtect Online Security\nprotect_install.exe
• %System%\TKToolu.dll
• %Program Files%\INCAInternet\nProtect Online Security\ns\nphapsie_kor.nph
• %Program Files%\INCAInternet\nProtect Online Security\cert\dcrootca.cer
• %System%\TKFWFV.cat
• %Program Files%\Common Files\nProtect Shared\Engine\tyavcuremap.dat
• %System%\npkakl.sys
• %Windows%\Temp\Cab3BC7.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg64.exe
• %Program Files%\INCAInternet\nProtect Online Security\cert\nssckbi.dll
• %System%\TKFWFV.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKRgAc2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\teexcept.dat
• %System%\TKFsFt.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\np_ck32s.sys
• %Program Files%\MarkAny\maepscourt\uninst_RPRTSetup.exe
• %Program Files%\INCAInternet\nProtect Online Security\npk\INICRYPTOSDK.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKFsFt64.sys
• %Program Files%\INCAInternet\nProtect Online Security\bsc20\npacr_64.dll
• %Program Files%\INCAInternet\nProtect Online Security\npUpdateC.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtHk.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKPcFtCb64.sys
• %System%\TKCtrlU.dll
• %System%\TKFWFV.inf
• %Windows%\Temp\Tar466.tmp
• %Program Files%\INCAInternet\nProtect Online Security\cert\nprotect-rootca.cer
• %Program Files%\MarkAny\maepscourt\nos_launcher.exe
• %System%\TKTool2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKCtrl2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\nosscanner.npe
• %Program Files%\INCAInternet\nProtect Online Security\7z.dll
• %Windows%\Temp\Tar7A52.tmp
• %Program Files%\INCAInternet\nProtect Online Security\npk\np_ck64s.sys
• %System%\TKFWU.dll
• %System%\TKFsAv64.sys
• %Program Files%\INCAInternet\nProtect Online Security\cert\cap.npb
• %System%\TKFW.sys
• %Program Files%\Common Files\nProtect Shared\Engine\TeCtrlu.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\noske64.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\NpHttpsLib.dll
• %System%\TKFsFt64.sys
• %System%\tkids.sys
• %Program Files%\Common Files\nProtect Shared\Engine\BWTTrustList.dat
• %Program Files%\INCAInternet\nProtect Online Security\nps\bgBottom.npi
• %Program Files%\INCAInternet\nProtect Online Security\ns\npicommon.npi
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\tkfwvt64.sys
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\cert9.db
• %Program Files%\INCAInternet\nProtect Online Security\nppb.dll
• %Program Files%\INCAInternet\nProtect Online Security\npk\nosku.sys
• %Program Files%\Common Files\nProtect Shared\Engine\tyavexcept.dat
• %System%\tkidsxU.dll
• %Windows%\Temp\Cab6568.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKFsFt.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskfx.dll
• %Windows%\Temp\CabA4FB.tmp
• %Program Files%\Common Files\nProtect Shared\Engine\NpBWT.dll
• %System%\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo
• %Windows%\Temp\TarB0A2.tmp
• %Program Files%\INCAInternet\nProtect Online Security\npslm20.npd
• %Program Files%\INCAInternet\nProtect Online Security\nps\close.npi
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\tkidsxU.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TYAVPU_000.bin
• %System%\TKTool2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\tktool2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg1.npi
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKPcFtCb.sys
• %System%\TKRgFtXp64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskp64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npesm.npd
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg.exe
• %System%\noska.sys
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg2.npi
• %Program Files%\INCAInternet\nProtect Online Security\nossvc.exe
• %Program Files%\MarkAny\maepscourt\court.bmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsFtMU.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsAv64.sys
• %Program Files%\Common Files\nProtect Shared\Engine\TySUtilu.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWU.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKNetCfg64.exe
• %Program Files%\INCAInternet\nProtect Online Security\nosapp.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKToolU.dll
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskre.dll
• %Windows%\Temp\CabEF5D.tmp
• %System%\nosku64.sys
• %System%\npkfxa.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKIdsVt64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskcp.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV64.sys
• %Windows%\Temp\Tar309A.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKTool2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKToolu.dll
• %Program Files%\INCAInternet\nProtect Online Security\npk\npcf_win_32u.dll
• %Program Files%\INCAInternet UnInstall\nProtect Online Security\nProtectUninstaller.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\tkfwfvarm64.cat
• %Program Files%\INCAInternet\nProtect Online Security\nps\bi.npi
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskne64.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKRgFtXp64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\BWT.dll
• %System%\config\systemprofile\AppData\LocalLow\nProtect\Log\nosstarter.npe.npo
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgFtXp.sys
• %Program Files%\INCAInternet\nProtect Online Security\nps\nphapsie_kor.nph
• %Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\key4.db-journal
• %System%\TKFWFV64.sys
• %System%\TKCtrl2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\cert\ssl3.dll
• %Program Files%\INCAInternet\nProtect Online Security\npk\npkakl.sys
• %Program Files%\INCAInternet\nProtect Online Security\bsc20\npacr_32.dll
• %Windows%\Temp\Tar26B9.tmp
• %Program Files%\INCAInternet\nProtect Online Security\cert\freebl3.dll
• %System%\TKIdsVt.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.cat
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\tyavexcept.bin
• %Program Files%\INCAInternet\nProtect Online Security\npk\nosksdk.dll
• %System%\TKFWFV64.cat
• %System%\TKRgFt2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\nps\logo.npi
• %Windows%\Temp\Cab26B8.tmp
• %Program Files%\MarkAny\maepscourt\RPRTRegisterXCtrl.xgh
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\nosku64.sys
• %Program Files%\INCAInternet\nProtect Online Security\nosApsData.npb
• %Program Files%\INCAInternet\nProtect Online Security\ns\icon_warn.npi
• %Program Files%\Common Files\nProtect Shared\Engine\tyav32u.dll
• %Program Files%\Common Files\nProtect Shared\Engine\teexcept.dat
• %Program Files%\INCAInternet\nProtect Online Security\sqlite3.dll
• %Program Files%\INCAInternet\nProtect Online Security\npefuncmgr.npd
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKRgFtu.dll
• %System%\tkfwfltU.dll
• %Program Files%\INCAInternet\nProtect Online Security\cert\nprotect-root_ca.cer
• %Program Files%\INCAInternet\nProtect Online Security\npeurlmon.npd
• %Program Files%\INCAInternet\nProtect Online Security\npk\noske64.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKCtrlU.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll\TKPcFtU.dll
• %Program Files%\INCAInternet\nProtect Online Security\nps\npiui.npi
• %System%\TKPcFtCb64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TYAVP_001.bin
• %Program Files%\Common Files\nProtect Shared\Engine\TeCtrl.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV64.cat
• %System%\noskp64.sys
• %Program Files%\MarkAny\maepscourt\RPRTRegisterXCtrl.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKRgFtXp64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwvt.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tkidsxU.dll
• %System%\nosku.sys
• %System%\tkfwvt.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\BwtTrust.dll
• %User Temp%\nos_setup.exe
• %Program Files%\Common Files\nProtect Shared\Engine\TYAVP_001.bin
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskcv.dll
• %Program Files%\INCAInternet UnInstall\nProtect Online Security\nppb.dll
• %System%\TKRgFtXp.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TySUtilu.dll
• %Program Files%\INCAInternet\nProtect Online Security\bsc20\npasdk.dll
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg5.npi
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskfx64.dll
• %Windows%\Temp\CabC5B8.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgFtu.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x86\TKRgAc2k.sys
• %Windows%\Temp\Tar4525.tmp
• %System%\TKFsAv.sys
• %System%\TKRgAc2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npealert.npd
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg6.npi
• %Windows%\Temp\Cab465.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll\TKRgAcu.dll
• %Windows%\Temp\Tar6569.tmp
• %Windows%\Temp\TarC5B9.tmp
• %Windows%\Temp\Cab10D6.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKFsAv64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\noskp64.sys
• %Program Files%\INCAInternet\nProtect Online Security\bsc20\npamgr_64.exe
• %Program Files%\INCAInternet\nProtect Online Security\cert\libnspr4.dll
• %System%\TKPcFtHk.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\NpBWT.dll
• %Windows%\Downloaded Program Files\nosxplatform.ocx
• %Windows%\Temp\TarA4FC.tmp
• %Program Files%\INCAInternet\nProtect Online Security\ns\icon_logo.npi
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\TKCtrl2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskne.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKFWFV.inf
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg2.npi
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg7.npi
• %Program Files%\INCAInternet\nProtect Online Security\bsc20\npamgr_32.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKPcFtU.dll
• %Program Files%\Common Files\nProtect Shared\Engine\NpHttpsLib.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\BWTTrustList.dat
• %Program Files%\INCAInternet\nProtect Online Security\cert\nssutil3.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKFWFV.sys
• %Program Files%\MarkAny\maepscourt\nosapp.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKFsFt64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsAvMU.dll
• %Program Files%\MarkAny\maepscourt\TrustedSiteCtrl_S.exe
• %Program Files%\INCAInternet\nProtect Online Security\nos_launcher.exe
• %Program Files%\INCAInternet\nProtect Online Security\cert\libplc4.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\dll\TKFsFtMU.dll
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\INCAInternet\nProtect Online Security V1.0.lnk
• %AppDataLocal%Low\nProtect\Log\nos_launcher.exe.npo
• %Program Files%\INCAInternet\nProtect Online Security\nps\npinpnmini.npi
• %Program Files%\INCAInternet\nProtect Online Security\npk\nosku64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKSPXP64.sys
• %System%\TKCtrl2k.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TYAVSU_000.bin
• %Program Files%\INCAInternet\nProtect Online Security\npk\noska.sys
• %System%\TKPcFtHk64.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\tyavcuremap.dat
• %Windows%\Temp\CabB0A1.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKNetCfg64.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\TeCtrlu.dll
• %Program Files%\Common Files\nProtect Shared\Engine\BWT.dll
• %Program Files%\INCAInternet\nProtect Online Security\nps\npicommon.npi
• %Windows%\Temp\Cab4524.tmp
• %Program Files%\INCAInternet\nProtect Online Security\npertd.npd
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKCtrlU.dll
• %Program Files%\INCAInternet\nProtect Online Security\npefw.npd
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskcv64.dll
• %Program Files%\INCAInternet\nProtect Online Security\nps\npimsg3.npi
• %Windows%\Temp\CabD0B2.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\rtd\tyav32u.dll
• %System%\np_ck32s.sys
• %Windows%\Temp\Cab7A51.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TkPcFtCb64.sys
• %Program Files%\INCAInternet\nProtect Online Security\nps\imgWarn.npi
• %Program Files%\INCAInternet\nProtect Online Security\nps\bar_full.npi
• %System%\tknetcfg.exe
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64\TKFWFV64.sys
• %Program Files%\INCAInternet\nProtect Online Security\cert\dc-rootca.cer
• %System%\tkfwflt.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\TKIdsVt64.sys
• %System%\tknetcfg64.exe
• %Program Files%\INCAInternet\nProtect Online Security\npcf_win_32u.dll
• %Program Files%\INCAInternet\nProtect Online Security\cert\sqlite3.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\TKFW.sys
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x86\tkfwflt.sys
• %Program Files%\Common Files\nProtect Shared\Engine\TYAVSU_000.bin
• %System%\noskp.sys
• %Program Files%\INCAInternet\nProtect Online Security\nos_param.dat
• %Program Files%\INCAInternet\nProtect Online Security\cert\smime3.dll
• %Windows%\Temp\Cab3099.tmp
• %Windows%\Temp\Tar10D7.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\protect\x64\TKTool2k64.sys
• %Program Files%\INCAInternet\nProtect Online Security\cert\certmgr.exe
• %Windows%\Temp\TarD0B3.tmp
• %Program Files%\INCAInternet\nProtect Online Security\coredll\network\x64\TKFWFV.inf
• %Program Files%\INCAInternet\nProtect Online Security\cert\nss3.dll
• %Program Files%\Common Files\nProtect Shared\Engine\tyavexcept.bin
• %Program Files%\INCAInternet\nProtect Online Security\ns\npimsg3.npi
• %Windows%\Temp\Tar3BC8.tmp
• %Program Files%\MarkAny\maepscourt\dbghelp.dll
• %Program Files%\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFWU.dll
• %System%\np_ck64s.sys
• %Program Files%\INCAInternet\nProtect Online Security\nps\bar_bg.npi
• %Program Files%\INCAInternet\nProtect Online Security\npk\noskre64.dll

(註：%Program Files%フォルダは、デフォルトのプログラムファイルフォルダです。C:\Program Files in Windows 2000(32-bit)、Server 2003(32-bit)、XP、Vista(64-bit)、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files"です。また、Windows XP(64-bit)、Vista(64-bit)、7(64-bit)、8(64-bit)、8.1(64-bit)、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Program Files（x86）" です。. %Application Data%フォルダは、現在ログオンしているユーザのアプリケーションデータフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Roaming" です。. %System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.. %Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %AppDataLocal%フォルダは、ローカルアプリケーションデータフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local" です。. %User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。. %All Users Profile%フォルダは、ユーザの共通プロファイルフォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\All Users” です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\ProgramData” です。)

このウイルス情報は、自動解析システムにより作成されました。