PUA.Win32.Montiera.AB

January 07, 2020

ALIASES:

HEUR:AdWare.Win32.DelBar.gen (Kaspersky)

PLATFORM:

Windows

OVERALL RISK RATING:

REPORTED INFECTION:

SYSTEM IMPACT RATING:

INFORMATION EXPOSURE:

Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

2,285,768 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

22 Nov 2019

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following processes:

%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ie.exe
%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ffx.exe
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe /RegServer
"" tuvaro.xpi

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

%Application Data%\Mozilla\Firefox\Profiles
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh
%User Temp%\tuvaro\tuvaro
%User Temp%\mt_ffx
%User Temp%\mt_ffx\tuvaro\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\extensions
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default
%User Temp%\mt_ffx\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins
%System Root%\Users
%Application Data%\Mozilla\Firefox
%Application Data%\Mozilla
%User Temp%\tuvaro
%Program Files%\tuvaro\tuvaro
%Program Files%\tuvaro
%Application Data%\tuvaro
%Program Files%\tuvaro\tuvaro\1.8.12.7
%User Temp%\tuvaro\tuvaro\1.8.12.7
%User Profile%\AppData

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Potentially Unwanted Application deletes the following files:

%User Temp%\nsuC5AF.tmp
%User Temp%\nsuC5FD.tmp
%User Temp%\nspBE02.tmp

It deletes the following folders:

%User Temp%\nsuC5AF.tmp
%User Temp%\nsuC5FD.tmp
%User Temp%\nspBE02.tmp

It adds the following registry keys:

HKEY_CLASSES_ROOT\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\
instl\data

HKEY_CURRENT_USER\SOFTWARE\tuvaro\
tuvaro

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escorTlbr.DLL

HKEY_CLASSES_ROOT\tuvaro.tuvarodskBnd.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd.1\CLSID

HKEY_CLASSES_ROOT\tuvaro.tuvarodskBnd

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
TypeLib

HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Toolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Low Rights\ElevationPolicy\
{E40E840E-5A15-4A29-9C51-9A060EEB192B}

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer\Browser Helper Objects\{5CB02877-EFBC-4317-B608-9E24B11BAB40}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escort.DLL

HKEY_CLASSES_ROOT\escort.escortIEPane.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1\CLSID

HKEY_CLASSES_ROOT\escort.escortIEPane

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
TypeLib

HKEY_CLASSES_ROOT\tuvaro.tuvaroHlpr.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr.1\CLSID

HKEY_CLASSES_ROOT\tuvaro.tuvaroHlpr

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortApp.DLL

HKEY_CLASSES_ROOT\tuvaro.tuvaroappCore.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore.1\CLSID

HKEY_CLASSES_ROOT\tuvaro.tuvaroappCore

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\
ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\
TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortEng.DLL

HKEY_CLASSES_ROOT\t

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
t\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
t\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
TypeLib

HKEY_CLASSES_ROOT\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\
instl\dfltLng

HKEY_LOCAL_MACHINE\SOFTWARE\Google\
chrome\Extensions\omgjkafaoidbgamjoklhaiiciahohkbh

HKEY_LOCAL_MACHINE\SOFTWARE\tuvaro\
tuvaro\Instl

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
tuvaro

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2792F312-417E-4517-A824-7F55A2F18BE5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\esrv.EXE

HKEY_CLASSES_ROOT\esrv.tuvaroESrvc.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc.1\CLSID

HKEY_CLASSES_ROOT\esrv.tuvaroESrvc

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
LocalServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
TypeLib

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
trace = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
cam = ""

HKEY_CURRENT_USER\Software\tuvaro\
tuvaro
tlbrSrchUrl = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
(Default) = "escorTlbr"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escorTlbr.DLL
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd.1
(Default) = "CDskBnd Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd.1\CLSID
(Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd
(Default) = "CDskBnd Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd\CLSID
(Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvarodskBnd\CurVer
(Default) = "tuvaro.tuvarodskBnd.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
(Default) = "CDskBnd Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
ProgID
(Default) = "tuvaro.tuvarodskBnd.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
VersionIndependentProgID
(Default) = "tuvaro.tuvarodskBnd"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
InprocServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroTlbr.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
InprocServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\
TypeLib
(Default) = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Internet Explorer\Toolbar
{6F001652-AF51-45C6-B029-86E0265A1851} = "Tuvaro Toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
(Default) = "Tuvaro Toolbar"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Internet Explorer\Low Rights\
ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
Policy = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Internet Explorer\Low Rights\
ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
AppName = "tuvarosrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Internet Explorer\Low Rights\
ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
AppPath = "%Program Files%\tuvaro\tuvaro\1.8.12.7"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer\Browser Helper Objects\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
(Default) = "tuvaro Helper Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
explorer\Browser Helper Objects\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
NoExplorer = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
(Default) = "escort"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escort.DLL
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane.1\CLSID
(Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane\CLSID
(Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
escort.escortIEPane\CurVer
(Default) = "escort.escortIEPane.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
(Default) = "escortIEPane Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
ProgID
(Default) = "escort.escortIEPane.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
VersionIndependentProgID
(Default) = "escort.escortIEPane"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
InprocServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
InprocServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\
TypeLib
(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr.1
(Default) = "CescrtHlpr Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr.1\CLSID
(Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr
(Default) = "CescrtHlpr Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr\CLSID
(Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroHlpr\CurVer
(Default) = "tuvaro.tuvaroHlpr.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
(Default) = "CescrtHlpr Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
ProgID
(Default) = "tuvaro.tuvaroHlpr.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
VersionIndependentProgID
(Default) = "tuvaro.tuvaroHlpr"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
InprocServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
InprocServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\
TypeLib
(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
(Default) = "tuvaro Helper Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
(Default) = "escortApp"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortApp.DLL
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore.1
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore.1\CLSID
(Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore\CLSID
(Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tuvaro.tuvaroappCore\CurVer
(Default) = "tuvaro.tuvaroappCore.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
(Default) = "appCore Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
ProgID
(Default) = "tuvaro.tuvaroappCore.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
VersionIndependentProgID
(Default) = "tuvaro.tuvaroappCore"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
InprocServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroApp.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
InprocServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\
TypeLib
(Default) = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
hrdId = "1cca0df5000000000000005056bc6dd2"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
instlDay = "18098"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
(Default) = "Ixtrnlmain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}
(Default) = "IappCore"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}
(Default) = "IXtrnlBsc"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}
(Default) = "IEHostWnd"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
(Default) = "IXmlCnfg"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}
(Default) = "IRegmapDisp"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
(Default) = "IIEWndFct"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}
(Default) = "IxpEmphszr"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
(Default) = "IwebAtrbts"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}
(Default) = "IEvntCntr"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}
(Default) = "IesrvXtrnl"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
(Default) = "IEscortFctry"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
(Default) = "IescrtSrvc"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\
TypeLib
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\
TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
(Default) = "escortEng"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\escortEng.DLL
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
t
(Default) = "escrtAx Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
t\CLSID
(Default) = "{4CBF0FC8-4222-435B-9E57-0DE807350D39}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
t\CurVer
(Default) = "t"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
(Default) = "escrtAx Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
ProgID
(Default) = "t"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
VersionIndependentProgID
(Default) = "t"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
InprocServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroEng.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
InprocServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\
TypeLib
(Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
vrsni = "1.8.12.7"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
afltId = "orgnl"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
aflt = "orgnl"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
smplGrp = "none"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
tlbrId = "base"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
instlRef = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
dfltLng
dfltLng = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
vrsnTs = "1.8.12.77:29:30"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
tlbrSrchUrl = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
uninstallAll = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
autoRvrt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
rvrt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
admin = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
postUninstall = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
newTab = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
dpblck = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
ds_url = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
excTlbr = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
ffxUnstlRst = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
chrInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
ffxInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
ieInstl = "all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
uninstExt = "false"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
hp_url = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
hp_chrm = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
hp_ffx = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
nt_url = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
dsIE = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
dsFFX = "Tuvaro"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
dpk = "a3f0955cbf5582a1c1e9b51b717c3b0f"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome\Extensions
(Default) = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome\Extensions\
omgjkafaoidbgamjoklhaiiciahohkbh
path = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaro.crx"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome\Extensions\
omgjkafaoidbgamjoklhaiiciahohkbh
version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
tuvaro\tuvaro\Instl
InstallDir = "%Program Files%\tuvaro\tuvaro\1.8.12.7"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
DisplayName = "Tuvaro toolbar on IE and Chrome"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
UninstallString = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
DisplayIcon = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
DisplayVersion = "1.8.12.7"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
Comments = "Tuvaro toolbar "

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
Publisher = "tuvaro"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Uninstall\tuvaro
EstimatedSize = "2500"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\
data
uninstaller = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{2792F312-417E-4517-A824-7F55A2F18BE5}
(Default) = "esrv"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\esrv.EXE
AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc.1
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc.1\CLSID
(Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc\CLSID
(Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
esrv.tuvaroESrvc\CurVer
(Default) = "esrv.tuvaroESrvc.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
(Default) = "escrtSrvc Object"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
ProgID
(Default) = "esrv.tuvaroESrvc.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
VersionIndependentProgID
(Default) = "esrv.tuvaroESrvc"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
LocalServer32
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
LocalServer32
ThreadingModel = "apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\
TypeLib
(Default) = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

Dropping Routine

This Potentially Unwanted Application drops the following files:

%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\user.js
%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ie.exe
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroTlbr.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaro.crx
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe
%User Temp%\tuvaro\tuvaro\1.8.12.7\nsis.js
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7\tuvaro.xpi
%Program Files%\tuvaro\tuvaro\1.8.12.7\escortShld.dll
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins\tuvaro.xml
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroApp.dll
%User Temp%\tuvaro\tuvaro\1.8.12.7\C\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\lj5mikyj.default\user.js
%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe
%System Root%\user.js
%Application Data%\tuvaro\sqlite3.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroEng.dll
%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ffx.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URL:

http://{BLOCKED}o.com/a/toolbar?{random characters}
http://ww7.{BLOCKED}o.com
http://reports.{BLOCKED}ra.com

This report is generated via an automated analysis system.

SOLUTION

Minimum Scan Engine:

9.850

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as PUA.Win32.Montiera.AB

[ Learn More ]

Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CLASSES_ROOT\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl
- data

In HKEY_CURRENT_USER\SOFTWARE
- tuvaro

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {4E1E9D45-8BF9-4139-915C-9F83CC3D5921}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- escorTlbr.DLL

In HKEY_CLASSES_ROOT
- tuvaro.tuvarodskBnd.1

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd.1
- CLSID

In HKEY_CLASSES_ROOT
- tuvaro.tuvarodskBnd

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {6F001652-AF51-45C6-B029-86E0265A1851}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- InprocServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- TypeLib

In HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
- Toolbar

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
- {E40E840E-5A15-4A29-9C51-9A060EEB192B}

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
- {5CB02877-EFBC-4317-B608-9E24B11BAB40}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {09C554C3-109B-483C-A06B-F14172F1A947}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- escort.DLL

In HKEY_CLASSES_ROOT
- escort.escortIEPane.1

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
- CLSID

In HKEY_CLASSES_ROOT
- escort.escortIEPane

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {2A3FF0D3-4417-492B-8929-11AB24EA0A90}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- InprocServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- TypeLib

In HKEY_CLASSES_ROOT
- tuvaro.tuvaroHlpr.1

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr.1
- CLSID

In HKEY_CLASSES_ROOT
- tuvaro.tuvaroHlpr

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {5CB02877-EFBC-4317-B608-9E24B11BAB40}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- InprocServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {D7EE8177-D51E-4F89-92B6-83EA2EC40800}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- escortApp.DLL

In HKEY_CLASSES_ROOT
- tuvaro.tuvaroappCore.1

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore.1
- CLSID

In HKEY_CLASSES_ROOT
- tuvaro.tuvaroappCore

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- InprocServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {240A6AD4-4868-4513-A8DD-3ABF47E1F146}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {DD973375-0904-4886-8F63-6FC3A2BE6544}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {C6712CEF-79A8-440E-A7AC-4EF00C856922}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {23D1685B-A018-430F-B3AB-F517B471569E}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {033998B0-0745-472D-8F2B-EB55EBA42F58}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {B98D2F59-0329-4A5A-B112-B989B4D4BACA}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {4F3868C3-C08B-490E-93AD-834413F7FD22}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {4C694E60-4549-466D-83FB-C4C162FB53E2}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {A88A4515-66BC-413B-9526-3FF53B5F21C8}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {6BE4B879-4E7D-4AE8-A356-DCBD7029612E}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
- {33278AD4-8305-49E1-A58B-E5A9057BFDC3}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
- ProxyStubClsid32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
- TypeLib

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {B12E99ED-69BD-437C-86BE-C862B9E5444D}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- escortEng.DLL

In HKEY_CLASSES_ROOT
- t

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\t
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\t
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {4CBF0FC8-4222-435B-9E57-0DE807350D39}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- InprocServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- TypeLib

In HKEY_CLASSES_ROOT\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl
- dfltLng

In HKEY_LOCAL_MACHINE\SOFTWARE\Google\chrome\Extensions
- omgjkafaoidbgamjoklhaiiciahohkbh

In HKEY_LOCAL_MACHINE\SOFTWARE\tuvaro\tuvaro
- Instl

In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
- tuvaro

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {2792F312-417E-4517-A824-7F55A2F18BE5}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- esrv.EXE

In HKEY_CLASSES_ROOT
- esrv.tuvaroESrvc.1

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc.1
- CLSID

In HKEY_CLASSES_ROOT
- esrv.tuvaroESrvc

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc
- CLSID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc
- CurVer

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- {1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- ProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- VersionIndependentProgID

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- Programmable

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- LocalServer32

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- TypeLib

To delete the registry key this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>AppID>{2768469C-717B-401F-8532-C6D88BAE0339}>instl
Still in the left panel, locate and delete the key:
data
In the left panel, double-click the following:
HKEY_CURRENT_USER>SOFTWARE
Still in the left panel, locate and delete the key:
tuvaro
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID
Still in the left panel, locate and delete the key:
{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Again Still in the left panel, locate and delete the key:
escorTlbr.DLL
In the left panel, double-click the following:
HKEY_CLASSES_ROOT
Still in the left panel, locate and delete the key:
tuvaro.tuvarodskBnd.1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd.1
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
tuvaro.tuvarodskBnd
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID
Still in the left panel, locate and delete the key:
{6F001652-AF51-45C6-B029-86E0265A1851}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
InprocServer32
Again Still in the left panel, locate and delete the key:
TypeLib
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer
Still in the left panel, locate and delete the key:
Toolbar
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Internet Explorer>Low Rights>ElevationPolicy
Still in the left panel, locate and delete the key:
{E40E840E-5A15-4A29-9C51-9A060EEB192B}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows>CurrentVersion>explorer>Browser Helper Objects
Still in the left panel, locate and delete the key:
{5CB02877-EFBC-4317-B608-9E24B11BAB40}
Again Still in the left panel, locate and delete the key:
{09C554C3-109B-483C-A06B-F14172F1A947}
Again Still in the left panel, locate and delete the key:
escort.DLL
Again Still in the left panel, locate and delete the key:
escort.escortIEPane.1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane.1
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
escort.escortIEPane
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
Again Still in the left panel, locate and delete the key:
{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
InprocServer32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
tuvaro.tuvaroHlpr.1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr.1
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
tuvaro.tuvaroHlpr
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
Again Still in the left panel, locate and delete the key:
{5CB02877-EFBC-4317-B608-9E24B11BAB40}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
InprocServer32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Again Still in the left panel, locate and delete the key:
escortApp.DLL
Again Still in the left panel, locate and delete the key:
tuvaro.tuvaroappCore.1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore.1
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
tuvaro.tuvaroappCore
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
Again Still in the left panel, locate and delete the key:
{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
InprocServer32
Again Still in the left panel, locate and delete the key:
TypeLib
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface
Still in the left panel, locate and delete the key:
{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{DD973375-0904-4886-8F63-6FC3A2BE6544}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DD973375-0904-4886-8F63-6FC3A2BE6544}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{C6712CEF-79A8-440E-A7AC-4EF00C856922}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C6712CEF-79A8-440E-A7AC-4EF00C856922}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{23D1685B-A018-430F-B3AB-F517B471569E}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{23D1685B-A018-430F-B3AB-F517B471569E}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{033998B0-0745-472D-8F2B-EB55EBA42F58}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{033998B0-0745-472D-8F2B-EB55EBA42F58}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{4F3868C3-C08B-490E-93AD-834413F7FD22}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4F3868C3-C08B-490E-93AD-834413F7FD22}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{4C694E60-4549-466D-83FB-C4C162FB53E2}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C694E60-4549-466D-83FB-C4C162FB53E2}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{A88A4515-66BC-413B-9526-3FF53B5F21C8}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A88A4515-66BC-413B-9526-3FF53B5F21C8}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
Still in the left panel, locate and delete the key:
ProxyStubClsid32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Again Still in the left panel, locate and delete the key:
escortEng.DLL
Again Still in the left panel, locate and delete the key:
t
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>t
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
Again Still in the left panel, locate and delete the key:
{4CBF0FC8-4222-435B-9E57-0DE807350D39}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
InprocServer32
Again Still in the left panel, locate and delete the key:
TypeLib
Again Still in the left panel, locate and delete the key:
dfltLng
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Google>chrome>Extensions
Still in the left panel, locate and delete the key:
omgjkafaoidbgamjoklhaiiciahohkbh
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>tuvaro>tuvaro
Still in the left panel, locate and delete the key:
Instl
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall
Still in the left panel, locate and delete the key:
tuvaro
Again Still in the left panel, locate and delete the key:
{2792F312-417E-4517-A824-7F55A2F18BE5}
Again Still in the left panel, locate and delete the key:
esrv.EXE
Again Still in the left panel, locate and delete the key:
esrv.tuvaroESrvc.1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc.1
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
esrv.tuvaroESrvc
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc
Still in the left panel, locate and delete the key:
CLSID
Again Still in the left panel, locate and delete the key:
CurVer
Again Still in the left panel, locate and delete the key:
{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
Still in the left panel, locate and delete the key:
ProgID
Again Still in the left panel, locate and delete the key:
VersionIndependentProgID
Again Still in the left panel, locate and delete the key:
Programmable
Again Still in the left panel, locate and delete the key:
LocalServer32
Again Still in the left panel, locate and delete the key:
TypeLib
Close Registry Editor.

Step 4

Delete this registry value

[ Learn More ]

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- trace = "0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- cam = ""

In HKEY_CURRENT_USER\Software\tuvaro\tuvaro
- tlbrSrchUrl = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
- (Default) = "escorTlbr"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL
- AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd.1
- (Default) = "CDskBnd Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd.1\CLSID
- (Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd
- (Default) = "CDskBnd Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd\CLSID
- (Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvarodskBnd\CurVer
- (Default) = "tuvaro.tuvarodskBnd.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- (Default) = "CDskBnd Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\ProgID
- (Default) = "tuvaro.tuvarodskBnd.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\VersionIndependentProgID
- (Default) = "tuvaro.tuvarodskBnd"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\InprocServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroTlbr.dll"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\InprocServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}\TypeLib
- (Default) = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar
- {6F001652-AF51-45C6-B029-86E0265A1851} = "Tuvaro Toolbar"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F001652-AF51-45C6-B029-86E0265A1851}
- (Default) = "Tuvaro Toolbar"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
- Policy = "3"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
- AppName = "tuvarosrv.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E40E840E-5A15-4A29-9C51-9A060EEB192B}
- AppPath = "%Program Files%\tuvaro\tuvaro\1.8.12.7"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- (Default) = "tuvaro Helper Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- NoExplorer = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
- (Default) = "escort"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL
- AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1
- (Default) = "escortIEPane Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1\CLSID
- (Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane
- (Default) = "escortIEPane Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID
- (Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer
- (Default) = "escort.escortIEPane.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- (Default) = "escortIEPane Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\ProgID
- (Default) = "escort.escortIEPane.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\VersionIndependentProgID
- (Default) = "escort.escortIEPane"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\InprocServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\InprocServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
- AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A3FF0D3-4417-492B-8929-11AB24EA0A90}\TypeLib
- (Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr.1
- (Default) = "CescrtHlpr Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr.1\CLSID
- (Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr
- (Default) = "CescrtHlpr Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr\CLSID
- (Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroHlpr\CurVer
- (Default) = "tuvaro.tuvaroHlpr.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- (Default) = "CescrtHlpr Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\ProgID
- (Default) = "tuvaro.tuvaroHlpr.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\VersionIndependentProgID
- (Default) = "tuvaro.tuvaroHlpr"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\InprocServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\InprocServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}\TypeLib
- (Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CB02877-EFBC-4317-B608-9E24B11BAB40}
- (Default) = "tuvaro Helper Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
- (Default) = "escortApp"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL
- AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore.1
- (Default) = "appCore Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore.1\CLSID
- (Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore
- (Default) = "appCore Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore\CLSID
- (Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tuvaro.tuvaroappCore\CurVer
- (Default) = "tuvaro.tuvaroappCore.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- (Default) = "appCore Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\ProgID
- (Default) = "tuvaro.tuvaroappCore.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\VersionIndependentProgID
- (Default) = "tuvaro.tuvaroappCore"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\InprocServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroApp.dll"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\InprocServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
- AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}\TypeLib
- (Default) = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- hrdId = "1cca0df5000000000000005056bc6dd2"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- instlDay = "18098"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
- (Default) = "Ixtrnlmain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A6AD4-4868-4513-A8DD-3ABF47E1F146}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}
- (Default) = "IappCore"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD973375-0904-4886-8F63-6FC3A2BE6544}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}
- (Default) = "IXtrnlBsc"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6712CEF-79A8-440E-A7AC-4EF00C856922}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}
- (Default) = "IEHostWnd"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D1685B-A018-430F-B3AB-F517B471569E}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
- (Default) = "IXmlCnfg"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}
- (Default) = "IRegmapDisp"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{033998B0-0745-472D-8F2B-EB55EBA42F58}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
- (Default) = "IIEWndFct"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B98D2F59-0329-4A5A-B112-B989B4D4BACA}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}
- (Default) = "IxpEmphszr"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F3868C3-C08B-490E-93AD-834413F7FD22}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
- (Default) = "IwebAtrbts"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}
- (Default) = "IEvntCntr"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C694E60-4549-466D-83FB-C4C162FB53E2}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}
- (Default) = "IesrvXtrnl"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A88A4515-66BC-413B-9526-3FF53B5F21C8}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
- (Default) = "IEscortFctry"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
- (Default) = "IescrtSrvc"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\TypeLib
- (Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33278AD4-8305-49E1-A58B-E5A9057BFDC3}\TypeLib
- Version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
- (Default) = "escortEng"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL
- AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\t
- (Default) = "escrtAx Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\t\CLSID
- (Default) = "{4CBF0FC8-4222-435B-9E57-0DE807350D39}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\t\CurVer
- (Default) = "t"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- (Default) = "escrtAx Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\ProgID
- (Default) = "t"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\VersionIndependentProgID
- (Default) = "t"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\InprocServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroEng.dll"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\InprocServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}
- AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CBF0FC8-4222-435B-9E57-0DE807350D39}\TypeLib
- (Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- vrsni = "1.8.12.7"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- afltId = "orgnl"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- aflt = "orgnl"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- smplGrp = "none"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- tlbrId = "base"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- instlRef = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\dfltLng
- dfltLng = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- vrsnTs = "1.8.12.77:29:30"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- tlbrSrchUrl = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- uninstallAll = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- autoRvrt = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- rvrt = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- admin = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- postUninstall = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- newTab = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- dpblck = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- ds_url = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- excTlbr = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- ffxUnstlRst = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- chrInstl = "all"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- ffxInstl = "all"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- ieInstl = "all"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- uninstExt = "false"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- hp_url = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- hp_chrm = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- hp_ffx = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- nt_url = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- dsIE = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- dsFFX = "Tuvaro"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- dpk = "a3f0955cbf5582a1c1e9b51b717c3b0f"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google
- (Default) = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome
- (Default) = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions
- (Default) = ""

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\omgjkafaoidbgamjoklhaiiciahohkbh
- path = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaro.crx"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\omgjkafaoidbgamjoklhaiiciahohkbh
- version = "1.0"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\tuvaro\tuvaro\Instl
- InstallDir = "%Program Files%\tuvaro\tuvaro\1.8.12.7"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- DisplayName = "Tuvaro toolbar on IE and Chrome"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- UninstallString = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- DisplayIcon = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- DisplayVersion = "1.8.12.7"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- Comments = "Tuvaro toolbar "

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- Publisher = "tuvaro"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- NoModify = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- NoRepair = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tuvaro
- EstimatedSize = "2500"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2768469C-717B-401F-8532-C6D88BAE0339}\instl\data
- uninstaller = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2792F312-417E-4517-A824-7F55A2F18BE5}
- (Default) = "esrv"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE
- AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc.1
- (Default) = "escrtSrvc Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc.1\CLSID
- (Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc
- (Default) = "escrtSrvc Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc\CLSID
- (Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.tuvaroESrvc\CurVer
- (Default) = "esrv.tuvaroESrvc.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- (Default) = "escrtSrvc Object"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\ProgID
- (Default) = "esrv.tuvaroESrvc.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\VersionIndependentProgID
- (Default) = "esrv.tuvaroESrvc"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\LocalServer32
- (Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\LocalServer32
- ThreadingModel = "apartment"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
- AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}\TypeLib
- (Default) = "{2792F312-417E-4517-A824-7F55A2F18BE5}"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{2768469C-717B-401F-8532-C6D88BAE0339}>instl>data
In the right panel, locate and delete the entry:
trace = "0"
Again In the right panel, locate and delete the entry:
cam = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>tuvaro>tuvaro
In the right panel, locate and delete the entry:
tlbrSrchUrl = "{random characters}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
In the right panel, locate and delete the entry:
(Default) = "escorTlbr"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>escorTlbr.DLL
In the right panel, locate and delete the entry:
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd.1
In the right panel, locate and delete the entry:
(Default) = "CDskBnd Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd.1>CLSID
In the right panel, locate and delete the entry:
(Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd
In the right panel, locate and delete the entry:
(Default) = "CDskBnd Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd>CLSID
In the right panel, locate and delete the entry:
(Default) = "{6F001652-AF51-45C6-B029-86E0265A1851}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvarodskBnd>CurVer
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvarodskBnd.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}
In the right panel, locate and delete the entry:
(Default) = "CDskBnd Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}>ProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvarodskBnd.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvarodskBnd"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}>InprocServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroTlbr.dll"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{6F001652-AF51-45C6-B029-86E0265A1851}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Internet Explorer>Toolbar
In the right panel, locate and delete the entry:
{6F001652-AF51-45C6-B029-86E0265A1851} = "Tuvaro Toolbar"
Again In the right panel, locate and delete the entry:
(Default) = "Tuvaro Toolbar"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Internet Explorer>Low Rights>ElevationPolicy>{E40E840E-5A15-4A29-9C51-9A060EEB192B}
In the right panel, locate and delete the entry:
Policy = "3"
Again In the right panel, locate and delete the entry:
AppName = "tuvarosrv.exe"
Again In the right panel, locate and delete the entry:
AppPath = "%Program Files%\tuvaro\tuvaro\1.8.12.7"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows>CurrentVersion>explorer>Browser Helper Objects>{5CB02877-EFBC-4317-B608-9E24B11BAB40}
In the right panel, locate and delete the entry:
(Default) = "tuvaro Helper Object"
Again In the right panel, locate and delete the entry:
NoExplorer = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{09C554C3-109B-483C-A06B-F14172F1A947}
In the right panel, locate and delete the entry:
(Default) = "escort"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>escort.DLL
In the right panel, locate and delete the entry:
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane.1
In the right panel, locate and delete the entry:
(Default) = "escortIEPane Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane.1>CLSID
In the right panel, locate and delete the entry:
(Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane
In the right panel, locate and delete the entry:
(Default) = "escortIEPane Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane>CLSID
In the right panel, locate and delete the entry:
(Default) = "{2A3FF0D3-4417-492B-8929-11AB24EA0A90}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>escort.escortIEPane>CurVer
In the right panel, locate and delete the entry:
(Default) = "escort.escortIEPane.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}
In the right panel, locate and delete the entry:
(Default) = "escortIEPane Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}>ProgID
In the right panel, locate and delete the entry:
(Default) = "escort.escortIEPane.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "escort.escortIEPane"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}>InprocServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{2A3FF0D3-4417-492B-8929-11AB24EA0A90}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr.1
In the right panel, locate and delete the entry:
(Default) = "CescrtHlpr Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr.1>CLSID
In the right panel, locate and delete the entry:
(Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr
In the right panel, locate and delete the entry:
(Default) = "CescrtHlpr Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr>CLSID
In the right panel, locate and delete the entry:
(Default) = "{5CB02877-EFBC-4317-B608-9E24B11BAB40}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroHlpr>CurVer
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroHlpr.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}
In the right panel, locate and delete the entry:
(Default) = "CescrtHlpr Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}>ProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroHlpr.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroHlpr"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}>InprocServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{09C554C3-109B-483C-A06B-F14172F1A947}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{5CB02877-EFBC-4317-B608-9E24B11BAB40}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"
Again In the right panel, locate and delete the entry:
(Default) = "tuvaro Helper Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
In the right panel, locate and delete the entry:
(Default) = "escortApp"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>escortApp.DLL
In the right panel, locate and delete the entry:
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore.1
In the right panel, locate and delete the entry:
(Default) = "appCore Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore.1>CLSID
In the right panel, locate and delete the entry:
(Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore
In the right panel, locate and delete the entry:
(Default) = "appCore Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore>CLSID
In the right panel, locate and delete the entry:
(Default) = "{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>tuvaro.tuvaroappCore>CurVer
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroappCore.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}
In the right panel, locate and delete the entry:
(Default) = "appCore Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}>ProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroappCore.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "tuvaro.tuvaroappCore"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}>InprocServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroApp.dll"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9389BE07-565A-45A0-B1A3-3DE01AA1C5CA}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"
Again In the right panel, locate and delete the entry:
hrdId = "1cca0df5000000000000005056bc6dd2"
Again In the right panel, locate and delete the entry:
instlDay = "18098"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{240A6AD4-4868-4513-A8DD-3ABF47E1F146}
In the right panel, locate and delete the entry:
(Default) = "Ixtrnlmain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{240A6AD4-4868-4513-A8DD-3ABF47E1F146}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{240A6AD4-4868-4513-A8DD-3ABF47E1F146}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DD973375-0904-4886-8F63-6FC3A2BE6544}
In the right panel, locate and delete the entry:
(Default) = "IappCore"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DD973375-0904-4886-8F63-6FC3A2BE6544}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DD973375-0904-4886-8F63-6FC3A2BE6544}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C6712CEF-79A8-440E-A7AC-4EF00C856922}
In the right panel, locate and delete the entry:
(Default) = "IXtrnlBsc"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C6712CEF-79A8-440E-A7AC-4EF00C856922}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C6712CEF-79A8-440E-A7AC-4EF00C856922}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{23D1685B-A018-430F-B3AB-F517B471569E}
In the right panel, locate and delete the entry:
(Default) = "IEHostWnd"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{23D1685B-A018-430F-B3AB-F517B471569E}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{23D1685B-A018-430F-B3AB-F517B471569E}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}
In the right panel, locate and delete the entry:
(Default) = "IXmlCnfg"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{427F9EE7-35CB-4EC6-ACCA-122AE77C68B8}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{033998B0-0745-472D-8F2B-EB55EBA42F58}
In the right panel, locate and delete the entry:
(Default) = "IRegmapDisp"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{033998B0-0745-472D-8F2B-EB55EBA42F58}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{033998B0-0745-472D-8F2B-EB55EBA42F58}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{B98D2F59-0329-4A5A-B112-B989B4D4BACA}
In the right panel, locate and delete the entry:
(Default) = "IIEWndFct"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{B98D2F59-0329-4A5A-B112-B989B4D4BACA}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{B98D2F59-0329-4A5A-B112-B989B4D4BACA}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4F3868C3-C08B-490E-93AD-834413F7FD22}
In the right panel, locate and delete the entry:
(Default) = "IxpEmphszr"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4F3868C3-C08B-490E-93AD-834413F7FD22}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4F3868C3-C08B-490E-93AD-834413F7FD22}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}
In the right panel, locate and delete the entry:
(Default) = "IwebAtrbts"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{F77B6A63-1EC9-45FB-A7AB-F9930CBBAD32}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C694E60-4549-466D-83FB-C4C162FB53E2}
In the right panel, locate and delete the entry:
(Default) = "IEvntCntr"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C694E60-4549-466D-83FB-C4C162FB53E2}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C694E60-4549-466D-83FB-C4C162FB53E2}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A88A4515-66BC-413B-9526-3FF53B5F21C8}
In the right panel, locate and delete the entry:
(Default) = "IesrvXtrnl"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A88A4515-66BC-413B-9526-3FF53B5F21C8}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A88A4515-66BC-413B-9526-3FF53B5F21C8}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}
In the right panel, locate and delete the entry:
(Default) = "IEscortFctry"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6BE4B879-4E7D-4AE8-A356-DCBD7029612E}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{33278AD4-8305-49E1-A58B-E5A9057BFDC3}
In the right panel, locate and delete the entry:
(Default) = "IescrtSrvc"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{33278AD4-8305-49E1-A58B-E5A9057BFDC3}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{33278AD4-8305-49E1-A58B-E5A9057BFDC3}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{A02005FA-FFF4-4099-9D14-E097378574C4}"
Again In the right panel, locate and delete the entry:
Version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{B12E99ED-69BD-437C-86BE-C862B9E5444D}
In the right panel, locate and delete the entry:
(Default) = "escortEng"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>escortEng.DLL
In the right panel, locate and delete the entry:
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>t
In the right panel, locate and delete the entry:
(Default) = "escrtAx Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>t>CLSID
In the right panel, locate and delete the entry:
(Default) = "{4CBF0FC8-4222-435B-9E57-0DE807350D39}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>t>CurVer
In the right panel, locate and delete the entry:
(Default) = "t"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}
In the right panel, locate and delete the entry:
(Default) = "escrtAx Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}>ProgID
In the right panel, locate and delete the entry:
(Default) = "t"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "t"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}>InprocServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroEng.dll"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4CBF0FC8-4222-435B-9E57-0DE807350D39}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"
Again In the right panel, locate and delete the entry:
vrsni = "1.8.12.7"
Again In the right panel, locate and delete the entry:
afltId = "orgnl"
Again In the right panel, locate and delete the entry:
aflt = "orgnl"
Again In the right panel, locate and delete the entry:
smplGrp = "none"
Again In the right panel, locate and delete the entry:
tlbrId = "base"
Again In the right panel, locate and delete the entry:
instlRef = ""
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{2768469C-717B-401F-8532-C6D88BAE0339}>instl>dfltLng
In the right panel, locate and delete the entry:
dfltLng = ""
Again In the right panel, locate and delete the entry:
vrsnTs = "1.8.12.77:29:30"
Again In the right panel, locate and delete the entry:
tlbrSrchUrl = "{random characters}"
Again In the right panel, locate and delete the entry:
uninstallAll = "false"
Again In the right panel, locate and delete the entry:
autoRvrt = "false"
Again In the right panel, locate and delete the entry:
rvrt = "false"
Again In the right panel, locate and delete the entry:
admin = "false"
Again In the right panel, locate and delete the entry:
postUninstall = ""
Again In the right panel, locate and delete the entry:
newTab = "false"
Again In the right panel, locate and delete the entry:
dpblck = ""
Again In the right panel, locate and delete the entry:
ds_url = "{random characters}"
Again In the right panel, locate and delete the entry:
excTlbr = "false"
Again In the right panel, locate and delete the entry:
ffxUnstlRst = "false"
Again In the right panel, locate and delete the entry:
chrInstl = "all"
Again In the right panel, locate and delete the entry:
ffxInstl = "all"
Again In the right panel, locate and delete the entry:
ieInstl = "all"
Again In the right panel, locate and delete the entry:
uninstExt = "false"
Again In the right panel, locate and delete the entry:
hp_url = "{random characters}"
Again In the right panel, locate and delete the entry:
hp_chrm = "{random characters}"
Again In the right panel, locate and delete the entry:
hp_ffx = "{random characters}"
Again In the right panel, locate and delete the entry:
nt_url = "{random characters}"
Again In the right panel, locate and delete the entry:
dsIE = ""
Again In the right panel, locate and delete the entry:
dsFFX = "Tuvaro"
Again In the right panel, locate and delete the entry:
dpk = "a3f0955cbf5582a1c1e9b51b717c3b0f"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Google
In the right panel, locate and delete the entry:
(Default) = ""
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Google>Chrome
In the right panel, locate and delete the entry:
(Default) = ""
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Google>Chrome>Extensions
In the right panel, locate and delete the entry:
(Default) = ""
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Google>Chrome>Extensions>omgjkafaoidbgamjoklhaiiciahohkbh
In the right panel, locate and delete the entry:
path = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaro.crx"
Again In the right panel, locate and delete the entry:
version = "1.0"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>tuvaro>tuvaro>Instl
In the right panel, locate and delete the entry:
InstallDir = "%Program Files%\tuvaro\tuvaro\1.8.12.7"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows>CurrentVersion>Uninstall>tuvaro
In the right panel, locate and delete the entry:
DisplayName = "Tuvaro toolbar on IE and Chrome"
Again In the right panel, locate and delete the entry:
UninstallString = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"
Again In the right panel, locate and delete the entry:
DisplayIcon = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"
Again In the right panel, locate and delete the entry:
DisplayVersion = "1.8.12.7"
Again In the right panel, locate and delete the entry:
Comments = "Tuvaro toolbar "
Again In the right panel, locate and delete the entry:
Publisher = "tuvaro"
Again In the right panel, locate and delete the entry:
NoModify = "1"
Again In the right panel, locate and delete the entry:
NoRepair = "1"
Again In the right panel, locate and delete the entry:
EstimatedSize = "2500"
Again In the right panel, locate and delete the entry:
uninstaller = "%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>{2792F312-417E-4517-A824-7F55A2F18BE5}
In the right panel, locate and delete the entry:
(Default) = "esrv"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>AppID>esrv.EXE
In the right panel, locate and delete the entry:
AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc.1
In the right panel, locate and delete the entry:
(Default) = "escrtSrvc Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc.1>CLSID
In the right panel, locate and delete the entry:
(Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc
In the right panel, locate and delete the entry:
(Default) = "escrtSrvc Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc>CLSID
In the right panel, locate and delete the entry:
(Default) = "{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>esrv.tuvaroESrvc>CurVer
In the right panel, locate and delete the entry:
(Default) = "esrv.tuvaroESrvc.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}
In the right panel, locate and delete the entry:
(Default) = "escrtSrvc Object"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}>ProgID
In the right panel, locate and delete the entry:
(Default) = "esrv.tuvaroESrvc.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}>VersionIndependentProgID
In the right panel, locate and delete the entry:
(Default) = "esrv.tuvaroESrvc"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe"
Again In the right panel, locate and delete the entry:
ThreadingModel = "apartment"
Again In the right panel, locate and delete the entry:
AppID = "{2792F312-417E-4517-A824-7F55A2F18BE5}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{1E8F8EDE-EB73-4CA9-A139-6DA2B576FD69}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{2792F312-417E-4517-A824-7F55A2F18BE5}"
Close Registry Editor.

Step 5

Search and delete these components

[ Learn More ]

There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\user.js
%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ie.exe
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroTlbr.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaro.crx
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh\tuvaro.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvarosrv.exe
%User Temp%\tuvaro\tuvaro\1.8.12.7\nsis.js
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7\tuvaro.xpi
%Program Files%\tuvaro\tuvaro\1.8.12.7\escortShld.dll
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins\tuvaro.xml
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroApp.dll
%User Temp%\tuvaro\tuvaro\1.8.12.7\C\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\lj5mikyj.default\user.js
%Program Files%\tuvaro\tuvaro\1.8.12.7\uninstall.exe
%System Root%\user.js
%Application Data%\tuvaro\sqlite3.dll
%Program Files%\tuvaro\tuvaro\1.8.12.7\tuvaroEng.dll
%User Temp%\tuvaro\tuvaro\1.8.12.7\tuvaro4ffx.exe

Step 6

Search and delete these folders

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%Application Data%\Mozilla\Firefox\Profiles
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh
%User Temp%\tuvaro\tuvaro
%User Temp%\mt_ffx
%User Temp%\mt_ffx\tuvaro\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\extensions
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default
%User Temp%\mt_ffx\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins
%System Root%\Users
%Application Data%\Mozilla\Firefox
%Application Data%\Mozilla
%User Temp%\tuvaro
%Program Files%\tuvaro\tuvaro
%Program Files%\tuvaro
%Application Data%\tuvaro
%Program Files%\tuvaro\tuvaro\1.8.12.7
%User Temp%\tuvaro\tuvaro\1.8.12.7
%User Profile%\AppData

To delete malware/grayware/spyware folders:

For Windows 7, Windows Server 2008 (R2), Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2):

Open a Windows Explorer window.
- For Windows 7 and Server 2008 (R2) users, click Start>Computer.
- For Windows 8, 8.1, 10, and Server 2012 (R2) users, right-click on the lower-left corner of the screen,then click File Explorer.
In the Search Computer/This PC input box, type:
%Application Data%\Mozilla\Firefox\Profiles
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh
%User Temp%\tuvaro\tuvaro
%User Temp%\mt_ffx
%User Temp%\mt_ffx\tuvaro\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\extensions
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default
%User Temp%\mt_ffx\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins
%System Root%\Users
%Application Data%\Mozilla\Firefox
%Application Data%\Mozilla
%User Temp%\tuvaro
%Program Files%\tuvaro\tuvaro
%Program Files%\tuvaro
%Application Data%\tuvaro
%Program Files%\tuvaro\tuvaro\1.8.12.7
%User Temp%\tuvaro\tuvaro\1.8.12.7
%User Profile%\AppData
Once located, select the file then press SHIFT+DELETE to permanently delete the folder.
Repeat steps 2-3 for the remaining folders: %Application Data%\Mozilla\Firefox\Profiles
%Program Files%\tuvaro\tuvaro\1.8.12.7\bh
%User Temp%\tuvaro\tuvaro
%User Temp%\mt_ffx
%User Temp%\mt_ffx\tuvaro\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\extensions
%User Temp%\mt_ffx\tuvaro\tuvaro\1.8.12.7
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default
%User Temp%\mt_ffx\tuvaro
%Application Data%\Mozilla\Firefox\Profiles\lj5mikyj.default\searchplugins
%System Root%\Users
%Application Data%\Mozilla\Firefox
%Application Data%\Mozilla
%User Temp%\tuvaro
%Program Files%\tuvaro\tuvaro
%Program Files%\tuvaro
%Application Data%\tuvaro
%Program Files%\tuvaro\tuvaro\1.8.12.7
%User Temp%\tuvaro\tuvaro\1.8.12.7
%User Profile%\AppData

*Note: Read the following Microsoft page if these steps do not work on Windows 7 and Server 2008 (R2).

Step 7

Scan your computer with your Trend Micro product to delete files detected as PUA.Win32.Montiera.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Step 8

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

%User Temp%\nsuC5AF.tmp
%User Temp%\nsuC5FD.tmp
%User Temp%\nspBE02.tmp

Did this description help? Tell us how we did.

PUA.Win32.Montiera.AB

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

PUA.Win32.Montiera.AB

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific