TROJ_RANSOM.YMIH
Windows 2000, Windows XP, Windows Server 2003

Malware type:
Trojan
Destructive:
No
Encrypted:
In the wild:
Yes
Overview
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
Details
Arrival Details
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
It creates the following folders:
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
(Note: %User Profile% is usually C:\Documents and Settings\<user name> on Windows 2000, XP and Server 2003, and C:\Users\<user name> on Windows Vista and 7. The CryptnetUrlCache folders are the CryptoAPI URL retrieval cache, which Windows itself populates when it fetches certificate data such as the automatic root certificate update list.)
Autostart Technique
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
bbbfea = "%System Root%\bbbfeac\bbbfeac.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
bbbfeac = "%User Profile%\Application Data\bbbfeac.exe"
Other System Modifications
It modifies the following files:
- %User Profile%\Application Data\Microsoft
- %Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD
- %User Profile%\Templates\excel.xls
- %User Profile%\Templates\excel4.xls
- %User Profile%\Templates\powerpnt.ppt
- %User Profile%\Templates\quattro.wb2
- %User Profile%\Templates\winword.doc
- %User Profile%\Templates\winword2.doc
- %User Profile%\Templates\wordpfct.wpd
(Note: %User Profile% is usually C:\Documents and Settings\<user name> on Windows 2000, XP and Server 2003, and C:\Users\<user name> on Windows Vista and 7. %Application Data% is the user's roaming Application Data folder, usually C:\Documents and Settings\<user name>\Application Data on Windows 2000, XP and Server 2003, and C:\Users\<user name>\AppData\Roaming on Windows Vista and 7; the files listed here, such as WMSDKNS.DTD and Wallpaper1.bmp, live under that roaming folder, not under Local Settings.)
It deletes the following files:
- %System Root%\bbbfeac
(Note: %System Root% is the root of the drive where the operating system is installed, usually C: by default.)
It adds the following registry keys:
HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345
HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345\
DISKS
HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
It adds the following registry entries:
(Note: under the state key HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345, the PROTECTED subkey holds one value per encrypted file, named with the file's full path and all set to the same data "68adfd"; the same paths reappear with a .cry extension under Dropping Routine, so this subkey is the inventory of what was encrypted. The start = "1" and finish = "1" entries appear to mark the beginning and end of the encryption pass. The DISKS\68AD0FD0 subkey holds a series of 8-hex-digit values set to "0"; their meaning is not documented in this report.)
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
text = "{random values}"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
html = "{random values}"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
weblink = "{random values}"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
pub = "{random values}"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
start = "1"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DF87C3DE = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4664571E = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
866419F6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
1207A18F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A9D246E4 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
6E10B272 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
B6B67ED9 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
180F43DB = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
716A4C5A = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7675AEDA = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C0E2793C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C4B6F6F6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
2F213C6C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
2BF0D7B6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
8E9E31AA = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DEEE5852 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C2696AAC = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
303CBF3D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C03E4E3B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
205181D1 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
821B00E6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CBB30CFC = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E95DEA19 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
BC82B119 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
88AAB850 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CE5340B9 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E1964A59 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AC86A324 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
ECE59176 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
38E0E841 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
6E4AF06 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
67B018CB = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
1FB0E720 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
21690AB6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
B6E7C0D9 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
9344454A = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E6B01D60 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3014CA4C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
9478294F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F948B772 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F742ACE = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
5BED2262 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E7953DBF = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D62E300F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AA2817CD = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7119E9E3 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Internet Explorer\brndlog.txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
FDD4E4A4 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
48E704D7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A77F3530 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E0629E55 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E4EFE2E7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A36C0861 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
828EA9F0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3A050C0C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AC9807D5 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
80C57583 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
36F19BFB = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CEFDA0BD = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E2EDBB9 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
5A9064DD = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
6F9F90B5 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
37A2BE97 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7CA9FC1 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F0999EDB = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
B4656924 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D274A7D3 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
1B2FE48 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
38BD2FA7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E76A2115 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
48FBD5D8 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4A4787A0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CD98C648 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
9DCF1BF1 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7D6C68D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
627A96C3 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
30DDA2CF = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
41137D2D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\excel.xls = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\excel4.xls = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\powerpnt.ppt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\quattro.wb2 = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\winword.doc = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\winword2.doc = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Templates\wordpfct.wpd = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
45BCBDC6 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4C853E72 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D1674F40 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
8AC53A20 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
86DDB95E = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E2E68DA4 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
595DFA08 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D9E48997 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DD69F525 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
38C650BC = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DF9DBBAF = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C783AA01 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7D0E88B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C354FB50 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4EBF9B61 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
18E71623 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A7D40527 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D3F0E56B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
37AA0E77 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A3E892FE = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
92232D0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E0B9FBF7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DBC22CFD = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
817BB52E = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7E992925 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
5551E2C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
287BAF84 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CD17AA70 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C99AD6C2 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
5E983FFE = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
18B2578B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3A1C3E4D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
5868ADDB = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
80ABAF5A = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F8319958 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C1435C4 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3D883229 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
2B8C46ED = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
E8BBB80 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
805342C8 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
79881720 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
15AF95C2 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
65B4BB0D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
99C264C7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7BB39A2C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
7832A2B0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
9C17C390 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4DEC104 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
60710059 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
BF2B6B01 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D73C4A6C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
121BE978 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
223C63A3 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
31EB1464 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
10183795 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
11866F0C = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CAC2049B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CE4F7829 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
8E6F0ED0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
171B0BDC = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C0BDDF95 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
114A3E1 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@atdmt[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@bing[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@c.atdmt[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@c.msn[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@doubleclick[1].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@microsoft[1].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@msn[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@scorecardresearch[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@www.bing[2].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%User Profile%\Cookies\wilbert@www.msn[1].txt = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AB5D0C5B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
1D69E223 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F4CA74D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AEC50DAA = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
4171B676 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3B924B39 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
BC19B2F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
55595B4D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
72D89494 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
PROTECTED
%Application Data%\Microsoft\Wallpaper1.bmp = "68adfd"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
9275FE9B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
2A3C3A8F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C086DA88 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CA236A48 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
A8200A50 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
AE60F13D = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
D806D279 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
F030F216 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
DA9ECC20 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
981331D8 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
2B7031E7 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
1325567F = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
87528C02 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
64D89F62 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
6664CD1A = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
580D6464 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
85AB9DD = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
CA3F3304 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
FFDC253B = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
EB5305F0 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
3DDA59C8 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
C2A0C047 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
258410D1 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
64051A82 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
17FB8455 = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
8BB1D29A = "0"
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
finish = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
B1BC968BD4F49D622AA89A81F2150152A41D829C
Blob = "{random values}"
It modifies the following registry entries (DisableSR = "1" switches System Restore off, so earlier versions of the encrypted files cannot be recovered from restore points):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
2F173F7DE99667AFA57AF80AA2D1B12FAC830338
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4C95A9902ABE0777CED18D6ACCC3372D2748381E
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4BA7B9DDD68788E12FF852E1A024204BF286A8F6
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
47AFB915CDA26D82467B97FA42914468726138DD
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4463C531D7CCC1006794612BB656D3BF8257846F
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43F9B110D5BAFD48225231B0D0082B372FEF9A54
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43DDB1FFF3B49B73831407F6BC8B975023D07C50
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4072BA31FEC351438480F62E6CB95508461EAB2F
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
394FF6850B06BE52E51856CC10E180E882B385CC
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
36863563FD5128C7BEA6F005CFE9B43668086CCE
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\CA\Certificates\
E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
284F55C41A1A7A3F8328D4C262FB376ED6096F24
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
273EE12457FDC4F90C55E82B56167F62F532E547
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
23E594945195F2414803B4D564D2A3A3F5D88B8C
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
216B2A29E62A00CE820146D8244141B92511B279
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
209900B63D955728140CD13622D8C687A4EB0085
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1F55E8839BAC30728BE7108EDE7B0BB0D3298224
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
049811056AFE9FD0F5BE01685AACE6A5D1C4454C
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0483ED3399AC3608058722EDBC5E4600E3BEF9D7
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0048F8D37B153F6EA2798C323EF4F318A5624A9E
Blob = "{random values}"
(Note: the registry value above was "{random values}" before modification.)
(Note: the AuthRoot and CA store Blob entries listed above, the CryptnetUrlCache folders listed under Installation, and the Cab9C.tmp and Tar9E.tmp files listed under Dropping Routine are characteristic of Windows' automatic root certificate update, which crypt32 runs when a certificate chain is built to a root that is not yet in the local store. They are side effects of the analysis run rather than the malware tampering with the trust store, and there is nothing in them to restore by hand; the entries to act on are the HKEY_CURRENT_USER state key, the Run values and DisableSR.)
It deletes the following registry keys:
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS
HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\
DISKS\68AD0FD0
Dropping Routine
It drops the following files:
- %System Root%\bbbfeac\bbbfeac.exe
- %User Profile%\Application Data\bbbfeac.exe
- %User Startup%\bbbfeac.exe
- %User Profile%\Microsoft\Crypto
- %User Profile%\Crypto\RSA
- %User Profile%\RSA\S-1-5-21-1645522239-1292428093-682003330-1003
- %User Profile%\Internet Explorer\brndlog.txt.cry
- %User Profile%\Internet Explorer\brndlog.txt
- %User Profile%\Internet Explorer\HOW_DECRYPT.TXT
- %User Profile%\Internet Explorer\HOW_DECRYPT.HTML
- %User Profile%\Internet Explorer\HOW_DECRYPT.URL
- %User Profile%\Microsoft\HOW_DECRYPT.TXT
- %User Profile%\Microsoft\HOW_DECRYPT.HTML
- %User Profile%\Microsoft\HOW_DECRYPT.URL
- %User Profile%\Application Data\HOW_DECRYPT.TXT
- %User Profile%\Application Data\HOW_DECRYPT.HTML
- %User Profile%\Application Data\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD.cry
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.URL
- %Application Data%\Microsoft\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\HOW_DECRYPT.URL
- %Application Data%\HOW_DECRYPT.TXT
- %Application Data%\HOW_DECRYPT.HTML
- %Application Data%\HOW_DECRYPT.URL
- %User Profile%\Local Settings\HOW_DECRYPT.TXT
- %User Profile%\Local Settings\HOW_DECRYPT.HTML
- %User Profile%\Local Settings\HOW_DECRYPT.URL
- %User Profile%\Templates\excel.xls.cry
- %User Profile%\Templates\excel4.xls.cry
- %User Profile%\Templates\powerpnt.ppt.cry
- %User Profile%\Templates\quattro.wb2.cry
- %User Profile%\Templates\winword.doc.cry
- %User Profile%\Templates\winword2.doc.cry
- %User Profile%\Templates\wordpfct.wpd.cry
- %User Profile%\Templates\HOW_DECRYPT.TXT
- %User Profile%\Templates\HOW_DECRYPT.HTML
- %User Profile%\Templates\HOW_DECRYPT.URL
- %User Profile%\HOW_DECRYPT.TXT
- %User Profile%\HOW_DECRYPT.HTML
- %User Profile%\HOW_DECRYPT.URL
- %User Profile%\Cookies\wilbert@atdmt[2].txt.cry
- %User Profile%\Cookies\wilbert@atdmt[2].txt
- %User Profile%\Cookies\wilbert@bing[2].txt.cry
- %User Profile%\Cookies\wilbert@bing[2].txt
- %User Profile%\Cookies\wilbert@c.atdmt[2].txt.cry
- %User Profile%\Cookies\wilbert@c.atdmt[2].txt
- %User Profile%\Cookies\wilbert@c.msn[2].txt.cry
- %User Profile%\Cookies\wilbert@c.msn[2].txt
- %User Profile%\Cookies\wilbert@doubleclick[1].txt.cry
- %User Profile%\Cookies\wilbert@doubleclick[1].txt
- %User Profile%\Cookies\wilbert@microsoft[1].txt.cry
- %User Profile%\Cookies\wilbert@microsoft[1].txt
- %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt.cry
- %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt
- %User Profile%\Cookies\wilbert@msn[2].txt.cry
- %User Profile%\Cookies\wilbert@msn[2].txt
- %User Profile%\Cookies\wilbert@scorecardresearch[2].txt.cry
- %User Profile%\Cookies\wilbert@scorecardresearch[2].txt
- %User Profile%\Cookies\wilbert@www.bing[2].txt.cry
- %User Profile%\Cookies\wilbert@www.bing[2].txt
- %User Profile%\Cookies\wilbert@www.msn[1].txt.cry
- %User Profile%\Cookies\wilbert@www.msn[1].txt
- %User Profile%\Cookies\HOW_DECRYPT.TXT
- %User Profile%\Cookies\HOW_DECRYPT.HTML
- %User Profile%\Cookies\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Wallpaper1.bmp.cry
- %Application Data%\Microsoft\Wallpaper1.bmp
- %System Root%\Documents and Settings\HOW_DECRYPT.TXT
- %System Root%\Documents and Settings\HOW_DECRYPT.HTML
- %System Root%\Documents and Settings\HOW_DECRYPT.URL
- %Desktop%\HOW_DECRYPT.TXT
- %Desktop%\HOW_DECRYPT.HTML
- %Desktop%\HOW_DECRYPT.URL
- %User Startup%\HOW_DECRYPT.TXT
- %User Startup%\HOW_DECRYPT.HTML
- %User Startup%\HOW_DECRYPT.URL
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\Cab9C.tmp
- %User Temp%\Tar9E.tmp
(Note: "wilbert" in the cookie file names and the SID S-1-5-21-1645522239-1292428093-682003330-1003 in the RSA path belong to the user account of the analysis system; on an infected machine they are those of the affected user. The automated report has also collapsed intermediate folder names in several paths: the Microsoft\Crypto, Crypto\RSA and RSA\<SID> entries are the per-user CryptoAPI RSA key container folder, normally Application Data\Microsoft\Crypto\RSA\<SID>, whose creation shows that the malware generated or imported an RSA key through CryptoAPI, and the MetaData and Content entries are the CryptnetUrlCache folders listed under Installation. Each .cry file is the encrypted copy of a file recorded under the PROTECTED subkey; the originals with the same names are listed as both modified and re-created, so they should not be assumed intact. HOW_DECRYPT.TXT, .HTML and .URL are the ransom notes, dropped in every folder that held an encrypted file and in the Desktop, Startup and profile root folders; their contents plausibly correspond to the text, html and weblink values of the state key.)
Other Details
It connects to the following possibly malicious URLs ({BLOCKED} is the vendor's redaction of the host name):
- http://{BLOCKED}esraka.com/p1750yvl1t4jl2s
- http://{BLOCKED}esraka.com/kpp0p1nt7jkkrg
- http://{BLOCKED}esraka.com/yfdqecs8ag
- http://{BLOCKED}esraka.com/ft89sq79ua
It deletes itself after execution.
This report is generated via an automated analysis system.
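The following PowerShell script is an added triage and cleanup example for this report; it is not Trend Micro's tool and not code from the page. It reads the indicators above from a live system: it finds the HKCU\Software\<32 hex> state key, saves its PROTECTED manifest of encrypted files to a CSV, reports the Run values and dropped copies, counts .cry files and HOW_DECRYPT notes under the profile, and reports DisableSR. With -Remediate it exports the state key to a .reg file and then removes the key, the Run values and the dropped executables, which is the registry work described in the Solution steps that follow. Assumptions not stated on the page: PowerShell 5.1 run elevated as the affected user, and that the Run value names and the dropped .exe name are the lower-cased first six or seven characters of the state key name, which is what this report's values (BBBFEACF..., bbbfea, bbbfeac) show for one sample.

```powershell
<#
Added triage/cleanup example for the indicators on this page (not Trend Micro's tool).
Assumptions not stated on the page: PowerShell 5.1, elevated, run as the affected user;
the Run value names and dropped .exe name are the lower-cased first 6-7 characters of
the 32-hex state key name (BBBFEACF... -> bbbfea / bbbfeac in this report).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,                                           # default: report only
    [string]$ExportDir = (Join-Path $env:USERPROFILE 'Desktop\ransom-triage')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
$report = [ordered]@{ StateKeys = @(); RunValues = @(); DroppedFiles = @(); CryFiles = 0; Notes = 0; DisableSR = $null }

# 1. State key: HKCU\Software\<32 hex> that carries the PROTECTED subkey.
$stateKeys = Get-ChildItem HKCU:\Software | Where-Object {
    $_.PSChildName -match '^[0-9A-F]{32}$' -and ($_.GetSubKeyNames() -contains 'PROTECTED')
}
foreach ($key in $stateKeys) {
    $report.StateKeys += $key.Name
    $prefix = $key.PSChildName.Substring(0, 7).ToLower()          # BBBFEACF... -> bbbfeac
    $flags  = Get-ItemProperty -Path $key.PSPath
    Write-Host ("{0}: start={1} finish={2}" -f $key.Name, $flags.start, $flags.finish)

    # 2. PROTECTED is the manifest of encrypted files: one value per original path.
    #    Save it before anything is removed; nothing else records what was encrypted.
    $protected = Get-Item -LiteralPath "$($key.PSPath)\PROTECTED"
    $manifest  = @(foreach ($path in $protected.GetValueNames()) {
        [pscustomobject]@{
            OriginalPath   = $path
            OriginalExists = Test-Path -LiteralPath $path
            CryExists      = Test-Path -LiteralPath "$path.cry"
        }
    })
    if ($manifest.Count) {
        $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $ExportDir "$prefix-encrypted-files.csv")
    }
    Write-Host ("PROTECTED lists {0} files, {1} with a .cry copy on disk" -f
        $manifest.Count, @($manifest | Where-Object CryExists).Count)

    # 3. Persistence (HKCU Run) and the dropped copies, located by the name pattern above.
    $run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if ($name.StartsWith($prefix.Substring(0, 6)) -or $data -match [regex]::Escape("$prefix.exe")) {
            $report.RunValues += "$name = $data"
            if ($Remediate -and $PSCmdlet.ShouldProcess("$($run.Name)\$name", 'Remove Run value')) {
                Remove-ItemProperty -Path $run.PSPath -Name $name
            }
        }
    }
    $candidates = @(
        "$env:SystemDrive\$prefix\$prefix.exe"                               # %System Root%\bbbfeac\bbbfeac.exe
        (Join-Path $env:APPDATA "$prefix.exe")                                 # %User Profile%\Application Data\bbbfeac.exe
        (Join-Path ([Environment]::GetFolderPath('Startup')) "$prefix.exe")    # %User Startup%\bbbfeac.exe
    )
    foreach ($file in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
        $report.DroppedFiles += $file
        if ($Remediate -and $PSCmdlet.ShouldProcess($file, 'Move to quarantine folder')) {
            Move-Item -LiteralPath $file -Destination (Join-Path $ExportDir ((Split-Path $file -Leaf) + '.quarantine'))
        }
    }

    # 4. Remove the state key only after exporting it (the registry work in Solution, Steps 3 and 4).
    if ($Remediate) {
        & reg.exe export $key.Name (Join-Path $ExportDir "$prefix-state.reg") /y | Out-Null
        if ($PSCmdlet.ShouldProcess($key.Name, 'Remove state key')) { Remove-Item -Path $key.PSPath -Recurse }
    }
}

# 5. Encrypted copies and ransom notes under the profile. The .cry files are left alone:
#    the originals were modified by the malware and the .cry copy may be all that is left.
$report.CryFiles = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -Filter '*.cry' -ErrorAction SilentlyContinue).Count
$report.Notes    = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -match '^HOW_DECRYPT\.(TXT|HTML|URL)$' }).Count

# 6. DisableSR = 1 is the malware switching System Restore off (HKLM). Reported only; set it
#    back to 0 by hand once the scan is done.
$report.DisableSR = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
[pscustomobject]$report
```

Run it first without -Remediate and review the CSV and the summary object; -Remediate honours -WhatIf and -Confirm through ShouldProcess, and every removal is preceded by a reg export or a move into the export folder so the incident record survives the cleanup. The script deliberately never touches the .cry files or the HOW_DECRYPT notes, and it only reports DisableSR: the vendor's Step 1 wants System Restore off during the scan, so re-enable it afterwards.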
Solution
Step 1
Before doing any scans, Windows XP, Windows Vista and Windows 7 users must disable System Restore so that the malware or adware can be completely removed from the computer.
Step 2
Restart in Safe Mode.
Step 3
Delete these registry keys. (Export the state key with reg export before deleting it: its PROTECTED subkey is the only inventory of the files the malware encrypted.)
Important: The registry is the database that holds Windows configuration data, and an incorrect edit can leave the system unable to operate normally.
Registry edits are made at your own risk; the vendor accepts no liability for problems caused by editing the registry.
Refer to the registry editing guidance before proceeding.
- In HKEY_CURRENT_USER\software
- BBBFEACF8539FC947B9028B6EE760345
- In HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345
- DISKS
- In HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345
- PROTECTED
- In HKEY_CURRENT_USER\software\BBBFEACF8539FC947B9028B6EE760345\DISKS
- 68AD0FD0
Step 4
Delete these registry values.
Warning: The registry is a database that stores Windows configuration information; a mistake when editing it can cause the system to stop working properly.
Edit the registry at your own risk. We cannot be held liable for any problems resulting from registry edits.
Please refer to this page before editing the registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- bbbfea = "%System Root%\bbbfeac\bbbfeac.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- bbbfeac = "%User Profile%\Application Data\bbbfeac.exe"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- text = "{random values}"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- html = "{random values}"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- weblink = "{random values}"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- pub = "{random values}"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- start = "1"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DF87C3DE = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4664571E = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 866419F6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 1207A18F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A9D246E4 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 6E10B272 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- B6B67ED9 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 180F43DB = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 716A4C5A = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7675AEDA = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C0E2793C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C4B6F6F6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 2F213C6C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 2BF0D7B6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 8E9E31AA = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DEEE5852 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C2696AAC = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 303CBF3D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C03E4E3B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 205181D1 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 821B00E6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CBB30CFC = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E95DEA19 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- BC82B119 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 88AAB850 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CE5340B9 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E1964A59 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AC86A324 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- ECE59176 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 38E0E841 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 6E4AF06 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 67B018CB = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 1FB0E720 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 21690AB6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- B6E7C0D9 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 9344454A = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E6B01D60 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3014CA4C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 9478294F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F948B772 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F742ACE = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 5BED2262 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E7953DBF = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D62E300F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AA2817CD = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7119E9E3 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Internet Explorer\brndlog.txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- FDD4E4A4 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 48E704D7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A77F3530 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E0629E55 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E4EFE2E7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A36C0861 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 828EA9F0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3A050C0C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AC9807D5 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 80C57583 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 36F19BFB = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CEFDA0BD = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E2EDBB9 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 5A9064DD = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 6F9F90B5 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 37A2BE97 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7CA9FC1 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F0999EDB = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- B4656924 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D274A7D3 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 1B2FE48 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 38BD2FA7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E76A2115 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 48FBD5D8 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4A4787A0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CD98C648 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 9DCF1BF1 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7D6C68D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 627A96C3 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 30DDA2CF = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 41137D2D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\excel.xls = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\excel4.xls = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\powerpnt.ppt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\quattro.wb2 = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\winword.doc = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\winword2.doc = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Templates\wordpfct.wpd = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 45BCBDC6 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4C853E72 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D1674F40 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 8AC53A20 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 86DDB95E = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E2E68DA4 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 595DFA08 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D9E48997 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DD69F525 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 38C650BC = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DF9DBBAF = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C783AA01 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7D0E88B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C354FB50 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4EBF9B61 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 18E71623 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A7D40527 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D3F0E56B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 37AA0E77 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A3E892FE = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 92232D0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E0B9FBF7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DBC22CFD = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 817BB52E = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7E992925 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 5551E2C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 287BAF84 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CD17AA70 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C99AD6C2 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 5E983FFE = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 18B2578B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3A1C3E4D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 5868ADDB = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 80ABAF5A = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F8319958 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C1435C4 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3D883229 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 2B8C46ED = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- E8BBB80 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 805342C8 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 79881720 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 15AF95C2 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 65B4BB0D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 99C264C7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7BB39A2C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 7832A2B0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 9C17C390 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4DEC104 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 60710059 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- BF2B6B01 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D73C4A6C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 121BE978 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 223C63A3 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 31EB1464 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 10183795 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 11866F0C = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CAC2049B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CE4F7829 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 8E6F0ED0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 171B0BDC = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C0BDDF95 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 114A3E1 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@atdmt[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@bing[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@c.atdmt[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@c.msn[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@doubleclick[1].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@microsoft[1].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@msn[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@scorecardresearch[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@www.bing[2].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %User Profile%\Cookies\wilbert@www.msn[1].txt = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AB5D0C5B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 1D69E223 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F4CA74D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AEC50DAA = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 4171B676 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3B924B39 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- BC19B2F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 55595B4D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 72D89494 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\PROTECTED
- %Application Data%\Microsoft\Wallpaper1.bmp = "68adfd"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 9275FE9B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 2A3C3A8F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C086DA88 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CA236A48 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- A8200A50 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- AE60F13D = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- D806D279 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- F030F216 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- DA9ECC20 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 981331D8 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 2B7031E7 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 1325567F = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 87528C02 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 64D89F62 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 6664CD1A = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 580D6464 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 85AB9DD = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- CA3F3304 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- FFDC253B = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- EB5305F0 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 3DDA59C8 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- C2A0C047 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 258410D1 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 64051A82 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 17FB8455 = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS\68AD0FD0
- 8BB1D29A = "0"
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- finish = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
- Blob = "{random values}"
Step 5
Restore the modified registry values.
Warning: The registry is a database that stores Windows configuration information; a mistake when editing it can cause the system to stop working properly.
If you had intentionally changed the settings in question beforehand, restore them to the original settings you intended. If you do not know which values to change, ask your system administrator, and edit the registry at your own risk. We cannot be held liable for any problems resulting from registry edits.
Please refer to this page before editing the registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
- DisableSR = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F173F7DE99667AFA57AF80AA2D1B12FAC830338
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43F9B110D5BAFD48225231B0D0082B372FEF9A54
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43DDB1FFF3B49B73831407F6BC8B975023D07C50
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4072BA31FEC351438480F62E6CB95508461EAB2F
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\284F55C41A1A7A3F8328D4C262FB376ED6096F24
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\273EE12457FDC4F90C55E82B56167F62F532E547
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\216B2A29E62A00CE820146D8244141B92511B279
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\209900B63D955728140CD13622D8C687A4EB0085
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F55E8839BAC30728BE7108EDE7B0BB0D3298224
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
- From: Blob = "{random values}"
To: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0048F8D37B153F6EA2798C323EF4F318A5624A9E
- From: Blob = "{random values}"
To: Blob = "{random values}"
Step 6
Search for and delete the following files:
- %System Root%\bbbfeac\bbbfeac.exe
- %User Profile%\Application Data\bbbfeac.exe
- %User Startup%\bbbfeac.exe
- %User Profile%\Microsoft\Crypto
- %User Profile%\Crypto\RSA
- %User Profile%\RSA\S-1-5-21-1645522239-1292428093-682003330-1003
- %User Profile%\Internet Explorer\brndlog.txt.cry
- %User Profile%\Internet Explorer\brndlog.txt
- %User Profile%\Internet Explorer\HOW_DECRYPT.TXT
- %User Profile%\Internet Explorer\HOW_DECRYPT.HTML
- %User Profile%\Internet Explorer\HOW_DECRYPT.URL
- %User Profile%\Microsoft\HOW_DECRYPT.TXT
- %User Profile%\Microsoft\HOW_DECRYPT.HTML
- %User Profile%\Microsoft\HOW_DECRYPT.URL
- %User Profile%\Application Data\HOW_DECRYPT.TXT
- %User Profile%\Application Data\HOW_DECRYPT.HTML
- %User Profile%\Application Data\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD.cry
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\Windows Media\9.0\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\Windows Media\HOW_DECRYPT.URL
- %Application Data%\Microsoft\HOW_DECRYPT.TXT
- %Application Data%\Microsoft\HOW_DECRYPT.HTML
- %Application Data%\Microsoft\HOW_DECRYPT.URL
- %Application Data%\HOW_DECRYPT.TXT
- %Application Data%\HOW_DECRYPT.HTML
- %Application Data%\HOW_DECRYPT.URL
- %User Profile%\Local Settings\HOW_DECRYPT.TXT
- %User Profile%\Local Settings\HOW_DECRYPT.HTML
- %User Profile%\Local Settings\HOW_DECRYPT.URL
- %User Profile%\Templates\excel.xls.cry
- %User Profile%\Templates\excel4.xls.cry
- %User Profile%\Templates\powerpnt.ppt.cry
- %User Profile%\Templates\quattro.wb2.cry
- %User Profile%\Templates\winword.doc.cry
- %User Profile%\Templates\winword2.doc.cry
- %User Profile%\Templates\wordpfct.wpd.cry
- %User Profile%\Templates\HOW_DECRYPT.TXT
- %User Profile%\Templates\HOW_DECRYPT.HTML
- %User Profile%\Templates\HOW_DECRYPT.URL
- %User Profile%\HOW_DECRYPT.TXT
- %User Profile%\HOW_DECRYPT.HTML
- %User Profile%\HOW_DECRYPT.URL
- %User Profile%\Cookies\wilbert@atdmt[2].txt.cry
- %User Profile%\Cookies\wilbert@atdmt[2].txt
- %User Profile%\Cookies\wilbert@bing[2].txt.cry
- %User Profile%\Cookies\wilbert@bing[2].txt
- %User Profile%\Cookies\wilbert@c.atdmt[2].txt.cry
- %User Profile%\Cookies\wilbert@c.atdmt[2].txt
- %User Profile%\Cookies\wilbert@c.msn[2].txt.cry
- %User Profile%\Cookies\wilbert@c.msn[2].txt
- %User Profile%\Cookies\wilbert@doubleclick[1].txt.cry
- %User Profile%\Cookies\wilbert@doubleclick[1].txt
- %User Profile%\Cookies\wilbert@microsoft[1].txt.cry
- %User Profile%\Cookies\wilbert@microsoft[1].txt
- %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt.cry
- %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt
- %User Profile%\Cookies\wilbert@msn[2].txt.cry
- %User Profile%\Cookies\wilbert@msn[2].txt
- %User Profile%\Cookies\wilbert@scorecardresearch[2].txt.cry
- %User Profile%\Cookies\wilbert@scorecardresearch[2].txt
- %User Profile%\Cookies\wilbert@www.bing[2].txt.cry
- %User Profile%\Cookies\wilbert@www.bing[2].txt
- %User Profile%\Cookies\wilbert@www.msn[1].txt.cry
- %User Profile%\Cookies\wilbert@www.msn[1].txt
- %User Profile%\Cookies\HOW_DECRYPT.TXT
- %User Profile%\Cookies\HOW_DECRYPT.HTML
- %User Profile%\Cookies\HOW_DECRYPT.URL
- %Application Data%\Microsoft\Wallpaper1.bmp.cry
- %Application Data%\Microsoft\Wallpaper1.bmp
- %System Root%\Documents and Settings\HOW_DECRYPT.TXT
- %System Root%\Documents and Settings\HOW_DECRYPT.HTML
- %System Root%\Documents and Settings\HOW_DECRYPT.URL
- %Desktop%\HOW_DECRYPT.TXT
- %Desktop%\HOW_DECRYPT.HTML
- %Desktop%\HOW_DECRYPT.URL
- %User Startup%\HOW_DECRYPT.TXT
- %User Startup%\HOW_DECRYPT.HTML
- %User Startup%\HOW_DECRYPT.URL
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\Cab9C.tmp
- %User Temp%\Tar9E.tmp
Step 7
Search for and delete the following folders:
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
Step 8
Restart the computer in normal mode and, using an antivirus product with the latest engine and pattern file, scan for files detected as TROJ_RANSOM.YMIH. If our antivirus product has already cleaned, quarantined, or deleted the detected files, the removal is complete and no further steps are required.
Step 9
Restore the following files from backup. Only files related to Microsoft products are restored; if this malware also deleted programs from other vendors, those programs must be reinstalled.
- %User Profile%\Application Data\Microsoft
- %Application Data%\Microsoft\Windows Media\9.0\WMSDKNS.DTD
- %User Profile%\Templates\excel.xls
- %User Profile%\Templates\excel4.xls
- %User Profile%\Templates\powerpnt.ppt
- %User Profile%\Templates\quattro.wb2
- %User Profile%\Templates\winword.doc
- %User Profile%\Templates\winword2.doc
- %User Profile%\Templates\wordpfct.wpd
Step 10
Restore the following files from backup. Note that only files related to Microsoft products are restored; if this malware/grayware/spyware also deleted programs from other vendors, those programs must be reinstalled.
- %System Root%\bbbfeac
Step 11
Restore the following deleted registry keys or registry values from backup.
Note: Only registry keys and values related to Microsoft products are restored. If this malware, adware, or other threat also deleted programs from other vendors, those programs must be reinstalled.
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345
- DISKS
- In HKEY_CURRENT_USER\Software\BBBFEACF8539FC947B9028B6EE760345\DISKS
- 68AD0FD0