ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 21 September 2012, 03:06:28
Processing time: 11 min 21 sec
Submitted sample:

File MD5: 0xFC95C8C861840D6A6998B85BE8D45CE6
File SHA-1: 0x284A115B5789075E0813F418C1E92024197E0DCE
Filesize: 1,861,499 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonDesktopDir%\uTorrent Ultra Accelerator.lnk	898 bytes	MD5: 0x78497F44DFBED18F4CC0E522B8FDEB4B SHA-1: 0xBA87DC8CD8FBE390B20996340D982CBAC18F25D0
2	%CommonPrograms%\uTorrent Ultra Accelerator\Uninstall.lnk	647 bytes	MD5: 0xFCB056D2CC547C95B9D6E3B10E686869 SHA-1: 0x4AB968EE2FD0E6F31C206F3EC9C45211C65EBB93
3	%CommonPrograms%\uTorrent Ultra Accelerator\uTorrent Ultra Accelerator.lnk	910 bytes	MD5: 0x1946CA48E7218B0ED0808453A69F05D3 SHA-1: 0xECAAC45FD5405FF7FD4C53F61E9A3484FCE0B251
4	%AppData%\Complitly\64\Complitly64.dll	169,688 bytes	MD5: 0xB2F63CBF4C1F4EBDD6F24EE03524F38F SHA-1: 0x124D2DB8310706C1102EB05FD35013EE01B28FC3
5	%AppData%\Complitly\64\KeepMeUpdated.exe %AppData%\Complitly\KeepMeUpdated.exe	92,888 bytes	MD5: 0xF05F841FBC1472CA402109E792ED85AC SHA-1: 0x154B5B1384246942A81D2EACA90E36A49FCEAC21
6	%AppData%\Complitly\Complitly.dll	142,040 bytes	MD5: 0xE6034CB32DBABC3AAA7CB5D3851F5D13 SHA-1: 0x05C3D3349BEA6B6DDD293DB9F60B492CFC90112C
7	%Temp%\conduitStatistics.csf	808 bytes	MD5: 0xD690387E83A145EA5DED88B6D47816BE SHA-1: 0xEDCC745B7A52ABD6D20BB5C7DA13D001FBAAC6F3
8	%Temp%\ct1605787\conduitStatistics.csf	1,132 bytes	MD5: 0xDFDFED50E465DD6C6EB3FF3234C3C123 SHA-1: 0x5A7D2D2FE9CDB703D855480BF349B3B8B46EDBE9
9	%Temp%\ct1605787\ieLogic.exe %Temp%\ct1605787\statisticsStub.exe %Temp%\nsv3.tmp\temp.txt	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
10	%Temp%\nsd1C.tmp\ConduitInetc.dll %Temp%\nsgB.tmp\ConduitInetc.dll	482,816 bytes	MD5: 0x70E3B20D184751B642B06C5A7855C455 SHA-1: 0x89B00DC942E9C4965765ACDB08B3E4A392F2AF66
11	%Temp%\nsd1C.tmp\System.dll %Temp%\nsgB.tmp\System.dll %Temp%\nsv3.tmp\System.dll	11,264 bytes	MD5: 0xC17103AE9072A06DA581DEC998343FC1 SHA-1: 0xB72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
12	%Temp%\nsf2.tmp	3,069,247 bytes	MD5: 0x7976F4325978530DE8F3764707BFF8F2 SHA-1: 0x7392033E0052F048E7D4F5E1661071348FECD7CA
13	%Temp%\nsgB.tmp\ns10.tmp	6,656 bytes	MD5: 0xF132FDBBC0A040F07E10EA944FF57FEF SHA-1: 0xC37F8C714F2D3BD899E67CAF85C02953F419F255
14	%Temp%\nsgB.tmp\nsExec.dll	6,656 bytes	MD5: 0xACC2B699EDFEA5BF5AAE45ABA3A41E96 SHA-1: 0xD2ACCF4D494E43CEB2CFF69ABE4DD17147D29CC2
15	%Temp%\nsv3.tmp\BtmImg.bmp	82,934 bytes	MD5: 0xD8FC20976CD727DEC767884C02E79618 SHA-1: 0x99EEAB7A4DF9F785E915F6A8DC4441F5063F7AA1
16	%Temp%\nsv3.tmp\ButtonImg.bmp	6,534 bytes	MD5: 0x9821B6BFA5ED18031DBEB1ADB47FDECD SHA-1: 0x53B53710AC11968AF70743F17598FD2D06AB49B7
17	%Temp%\nsv3.tmp\conduitinstaller.exe	210,816 bytes	MD5: 0x34E4DA7E4D32B4DC5153D1CEDB6E5F08 SHA-1: 0xC222504FFFB49640198DBF15252D8E7186A4E781
18	%Temp%\nsv3.tmp\Header.bmp	122,302 bytes	MD5: 0x020E430459028C2EA105530B717D575B SHA-1: 0xC4F858E98C14E3E79E09BD9BD6D0707C4135B95D
19	%Temp%\nsv3.tmp\inetc.dll	20,992 bytes	MD5: 0xE541458CFE66EF95FFBEA40EAAA07289 SHA-1: 0xCAEC1233F841EE72004231A3027B13CDEB13274C
20	%Temp%\nsv3.tmp\InstallOptions.dll	14,848 bytes	MD5: 0x325B008AEC81E5AAA57096F05D4212B5 SHA-1: 0x27A2D89747A20305B6518438EFF5B9F57F7DF5C3
21	%Temp%\nsv3.tmp\ioSpecial.ini	621 bytes	MD5: 0xDD325504760CF59BB88F0E914BBC35C4 SHA-1: 0xC2843B2599889EF465743E043CE97FABC5C19FB8
22	%Temp%\nsv3.tmp\LeftImg.bmp	197,682 bytes	MD5: 0x62F3B46B8686102BF2D2AF4A96DA7E1C SHA-1: 0x67E1733BF065018C775FACD76414BDBE17F3EFB5
23	%Temp%\nsv3.tmp\MobilewitchAcPro.exe	893,240 bytes	MD5: 0xC65D705535646D4F995003324B0032E2 SHA-1: 0xAA15AF4067613B0AE24C5B7B6CDD250350DE6A0B
24	%Temp%\nsv3.tmp\p2p-toolbar-screenshot.bmp	22,712 bytes	MD5: 0xAD1812BBD943CD19DF36B07B82848618 SHA-1: 0xF89F8BE2418D688E57762E263103E791D34E8F10
25	%Temp%\nsv3.tmp\ScrollBarImg.bmp	14,198 bytes	MD5: 0xF9DB084A424900C1780AB7E2C26FF797 SHA-1: 0x9AF4F14406DD181631FD643DD9D64268742B432D
26	%Temp%\nsv3.tmp\setup_mo.ini	5,250 bytes	MD5: 0x0182EE33091CB604E80188EA8E843FFB SHA-1: 0x518FA1DDB81F994A24B7A0EF1B4F2E23FDADCE92
27	%Temp%\nsv3.tmp\SkinnedControls.dll	70,144 bytes	MD5: 0xC3E5D1A39E1F4DC8317A9E71CE93D141 SHA-1: 0x7F1E4BCFB2A6B58B5E337D58713EB27DFB2AFEF4
28	%Temp%\RarSFX0\ReadMe.url	75 bytes	MD5: 0x926A6C1B2AE78FFC81A76677AF266BAB SHA-1: 0xB9294E4774BD95952EA65F73BADDA10835D870A4
29	%Temp%\RarSFX0\utorrent_ultra_accelerator_free.exe	1,753,592 bytes	MD5: 0x4B2F3397A55D25632EE835E98BC3C56D SHA-1: 0x7EFE45710DA9A5B3002BFA13FF8D6E00195E880C
30	%ProgramFiles%\Complitly\chrome\ComplitlyChrome.crx	10,758 bytes	MD5: 0xB326DDECEFCC4A59351CA373B3B48B8A SHA-1: 0xD7A623303355DAE875D60948E22D51ACCCF9F9A4
31	%ProgramFiles%\Complitly\FireFoxExtensionWithFF8Fix.exe	10,240 bytes	MD5: 0x2D52F0EE90EFF39D4A1A0B99DC4C8251 SHA-1: 0xB467CC91B9ED827A891D42333073FBA4B869DECA
32	%ProgramFiles%\Complitly\FireFoxUninstaller.exe	7,680 bytes	MD5: 0x53961C179D28C075C5202FFEA1A1CA27 SHA-1: 0x4641C065B0A8ECC73763D6D3772FC7544996E931
33	%ProgramFiles%\Complitly\InstTracker.exe	10,752 bytes	MD5: 0xE364D4AC3137D0C11254A57F31B62F0C SHA-1: 0x460B5FA686046B3F3E72DB22CD2EF10BFC8F360B
34	%ProgramFiles%\Complitly\support@Complitly.com\chrome\content\appIcon.png	529 bytes	MD5: 0x1A112A3F2CAE78A073DAE308F4B70266 SHA-1: 0xECE8779C099A7F761CA2EB9C824A08BCCC37318A
35	%ProgramFiles%\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul	5,726 bytes	MD5: 0xB2ADBA589E41F0FE129C8BBB657BBF99 SHA-1: 0xD43223202661262D207DFF010DC67A69E5D878B6
36	%ProgramFiles%\Complitly\support@Complitly.com\chrome\content\options.js	32 bytes	MD5: 0xC29DF68B8BC24772AC61504FA1677AFE SHA-1: 0xE72BE81AC24E18ABBA88D1ACD0BADF93B6BBDE60
37	%ProgramFiles%\Complitly\support@Complitly.com\chrome\content\options.xul	496 bytes	MD5: 0x4216DAE17FC46779596B35E4F14B36FA SHA-1: 0xE6954094D1AA235CAC709DD0A9240522A8086628
38	%ProgramFiles%\Complitly\support@Complitly.com\chrome\content\utils.js %Windir%\Temp\scs14.tmp %Windir%\Temp\scs15.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
39	%ProgramFiles%\Complitly\support@Complitly.com\chrome.manifest	181 bytes	MD5: 0x30B517A5E741041C33F6FD887D4C4057 SHA-1: 0x9E2415008CD94B8F220CB63AAD9B3EB5FECDF647
40	%ProgramFiles%\Complitly\support@Complitly.com\defaults\preferences\predictad.js	373 bytes	MD5: 0xAAFCE2CF73CB7BC60C7621893001BA6C SHA-1: 0x740BD0206C5BECCC3F8F727FEDF483B51EDECDFC
41	%ProgramFiles%\Complitly\support@Complitly.com\install.rdf	2,013 bytes	MD5: 0x847BC1F98CE75ADECD6E36AA9090B72B SHA-1: 0x7566924271F6543EE3E57CB3F2A3B5A6F75C6239
42	%ProgramFiles%\Complitly\System.Data.SQLite.dll	904,704 bytes	MD5: 0x80725A732ABA27911402F9CA09FEDE23 SHA-1: 0x1051744F654A6D20590970F9335E1EF246F0FA67
43	%ProgramFiles%\Complitly\unins000.dat	10,052 bytes	MD5: 0x70F74B00F9B4E88A0413858C934717F9 SHA-1: 0x3E5586DBEA9690C3EC9B9F55E4B238CFCF51EE21
44	%ProgramFiles%\Complitly\unins000.exe	714,526 bytes	MD5: 0x27646B03BD2AFE21C34F05CF342D915A SHA-1: 0xD105C81CD7A285B127539C66F6C1B9EC0A65D75D
45	%ProgramFiles%\uTorrent Ultra Accelerator\packet.dll	61,440 bytes	MD5: 0xC123EB3439AE8AB13A971BB6F0515411 SHA-1: 0x3FFA02B544B90433E816136E3BBFFAD0CA19735C
46	%ProgramFiles%\uTorrent Ultra Accelerator\SkinMagic.dll	487,479 bytes	MD5: 0x59E53588F0A12D54BF1B0B24182D098F SHA-1: 0x857F40508D08DFBEB26AFC46601CAD32FE1414B7
47	%ProgramFiles%\uTorrent Ultra Accelerator\UpdateApp.exe	334,336 bytes	MD5: 0x656DB181DE0A89379AF136DE3D651229 SHA-1: 0x83E57F44281F437E383445EDCD5617A6BC17E2C8
48	%ProgramFiles%\uTorrent Ultra Accelerator\uTorrent Ultra Accelerator.exe	424,960 bytes	MD5: 0xE62CFE9B26F0FA0798E8EABD44B608E6 SHA-1: 0x4DA50013E5AE3EDC29601D8DB7B60D08CE0E49FB
49	[file and pathname of the sample #1]	1,861,499 bytes	MD5: 0xFC95C8C861840D6A6998B85BE8D45CE6 SHA-1: 0x284A115B5789075E0813F418C1E92024197E0DCE

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Temp%\nsd1C.tmp
%CommonPrograms%\uTorrent Ultra Accelerator
%AppData%\Complitly
%AppData%\Complitly\64
%Temp%\ct1605787
%Temp%\nsgB.tmp
%Temp%\nsv3.tmp
%Temp%\RarSFX0
%ProgramFiles%\Complitly
%ProgramFiles%\Complitly\chrome
%ProgramFiles%\Complitly\support@Complitly.com
%ProgramFiles%\Complitly\support@Complitly.com\chrome
%ProgramFiles%\Complitly\support@Complitly.com\chrome\content
%ProgramFiles%\Complitly\support@Complitly.com\defaults
%ProgramFiles%\Complitly\support@Complitly.com\defaults\preferences
%ProgramFiles%\uTorrent Ultra Accelerator

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	208,896 bytes
keepmeupdated.exe	%AppData%\complitly\64\keepmeupdated.exe	106,496 bytes
nsE.tmp	%Temp%\nsgB.tmp\nsE.tmp	20,480 bytes
MobilewitchAcPro.exe	%Temp%\nsv3.tmp\MobilewitchAcPro.exe	81,920 bytes
MobilewitchAcPro.tmp	%Temp%\is-P5MOU.tmp\MobilewitchAcPro.tmp	770,048 bytes
[generic host process]	[generic host process filename]	20,480 bytes
keepmeupdated.exe	%AppData%\complitly\keepmeupdated.exe	106,496 bytes
nsC.tmp	%Temp%\nsgB.tmp\nsC.tmp	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Complitly.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FFBB818-B13C-11E0-931D-B2664824019B}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Google
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dlfienamagdnkekbbbocojppncdambda
HKEY_LOCAL_MACHINE\SOFTWARE\SimplyGen
HKEY_LOCAL_MACHINE\SOFTWARE\SimplyGen\Marker
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dlfienamagdnkekbbbocojppncdambda
HKEY_CURRENT_USER\Software\Complitly

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Complitly.DLL]

AppID = "{442F13BC-2031-42D5-9520-437F65271153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}]

(Default) = "Complitly"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID]

(Default) = "SuggestMeYes.SuggestMeYesBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib]

(Default) = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID]

(Default) = "SuggestMeYes.SuggestMeYesBHO.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32]

(Default) = "%AppData%\Complitly\Complitly.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}]

(Default) = "Complitly"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib]

(Default) = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}]

(Default) = "ISuggestMeYesBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32]

(Default) = "%AppData%\Complitly\Complitly.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\HELPDIR]

(Default) = "%AppData%\Complitly"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0]

(Default) = "Complitly 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer]

(Default) = "SuggestMeYes.SuggestMeYesBHO.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID]

(Default) = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO]

(Default) = "Complitly Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID]

(Default) = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1]

(Default) = "Complitly"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}]

(Default) = "Complitly"
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FFBB818-B13C-11E0-931D-B2664824019B}_is1]

Inno Setup: Setup Version = "5.4.2 (a)"
Inno Setup: App Path = "%ProgramFiles%\Complitly"
InstallLocation = "%ProgramFiles%\Complitly\"
Inno Setup: Icon Group = "Complitly"
Inno Setup: User = "%UserName%"
Inno Setup: Language = "default"
DisplayName = "Complitly"
UninstallString = ""%ProgramFiles%\Complitly\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Complitly\unins000.exe" /SILENT"
Publisher = "Complitly"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120921"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dlfienamagdnkekbbbocojppncdambda]

path = "%ProgramFiles%\Complitly\chrome\ComplitlyChrome.crx"
version = "1.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\SimplyGen\Marker]

marker = "1.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dlfienamagdnkekbbbocojppncdambda]

path = "%ProgramFiles%\Complitly\chrome\ComplitlyChrome.crx"
version = "1.1"

[HKEY_CURRENT_USER\Software\Complitly]

iid = "36988961380444"
si = "9580"
cs = "True"
ver = "1.1"
dir = "%ProgramFiles%\complitly"
lidate = "21/9/2012_3:6:53"
sd = "2012-9-21"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Italy

To mark the presence in the system, the following Mutex object was created:

_SHuassist.mtx

The following Host Names were requested from a host database:

wpad.mrc.pctools.com.
install.complitly.com

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
dailyads.org	80	(null)	(null)
ct1605787.ourtoolbar.com	80	(null)	(null)
storage.conduit.com	80	(null)	(null)

The following GET requests were made:

version/version.php?id=131
ie?RequesterId=ConduitStubInstaller&ForBrowserVersion=6.0.2900.2180&StubVersion=5.5.0.13
ps/conduitinstaller/statisticsstub.exe
wpad.dat

The following HTTP URL was started reading:

http://install.complitly.com/installHandler/?action=install&ver=1.1&si=9580

The data identified by the following URLs was then requested from the remote web server:

http://update.predictad.com/update/ie/?si=9580&
localhost

Downloaded File Summary:

Download details:

Download retrieved: 21 September 2012 03:17:50
Processing time: 10 min 17 sec
Downloaded sample #1:

File MD5: 0x7D8C585C34BA4229C819062DEAA87587
File SHA-1: 0x5371D54C6D7ED5F7E18F0FF0EC6886E4B660489B
Filesize: 2,158,640 bytes

Downloaded sample #2:

File MD5: 0x38D13DFC123FA0A5DDA3ED8D33AFAA89
File SHA-1: 0x4ED6E8313BB5164C001B08FDED409AE8C72530C6
Filesize: 203,656 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\Conduit\CT1605787\MobileScoopAutoUpdateHelper.exe %ProgramFiles%\MobileScoop\MobileScoopToolbarHelper.exe	65,832 bytes	MD5: 0xDA11D78D765E4B8FA4CFA5A37E8A94FF SHA-1: 0xE5AD99CE7C7362CA566156033ECB0F04F9437CA7
2	%AppData%\MobileScoop\ldrtbMobi.dll %ProgramFiles%\MobileScoop\ldrtbMobi.dll	267,592 bytes	MD5: 0xCE49528C9B0B3B3018EE2F70E76B362A SHA-1: 0xA1280B1F085B8284DC157EC359BD1ADA091CFE7E
3	%AppData%\MobileScoop\tbMobi.dll %Temp%\tbedrs.dll %ProgramFiles%\MobileScoop\tbMobi.dll	4,451,144 bytes	MD5: 0x73406FA9287B36CA4163797C73A2CD04 SHA-1: 0x92E84D2216A7763D580E42FA2493CCF67D0D0560
4	%AppData%\MobileScoop\toolbar.cfg %ProgramFiles%\MobileScoop\toolbar.cfg	23 bytes	MD5: 0x97B781236452F911773E2A46AD464CB5 SHA-1: 0x093EC2B9C9DC806339C5153DF91BBEA177F26EEE
5	%Temp%\nsr6.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
6	%ProgramFiles%\Conduit\Community Alerts\Alert.dll	638,560 bytes	MD5: 0x6796F6E449F90A543DC3345538ACC46F SHA-1: 0x97BCCD25561F44E9B13F05F6EEF083C9CE9BA529
7	%ProgramFiles%\MobileScoop\GottenAppsContextMenu.xml	7,044 bytes	MD5: 0xCE0449AC66B68DD896965167D460B135 SHA-1: 0xAB7C13818BE707B1599690FB84D4FFDBCAB821DD
8	%ProgramFiles%\MobileScoop\OtherAppsContextMenu.xml	5,738 bytes	MD5: 0xA9CAA49F5C0DDD88168E857E3670EBDF SHA-1: 0x8500953B2600EFDB42EFFFC03FB9D7CC03F22CCC
9	%ProgramFiles%\MobileScoop\prxtbMobi.dll	176,936 bytes	MD5: 0x4C163BD2A5905D18893EE311608E8C54 SHA-1: 0xA2D929A9864513C0E8ED84AAD622EF6ADCC9B950
10	[pathname with a string SHARE]\SharedAppsContextMenu.xml	6,588 bytes	MD5: 0x6816D08A668E0D9A3A79831400177C04 SHA-1: 0xA90B7303F688679A4065879E1E50B0F865D0AB05
11	%ProgramFiles%\MobileScoop\ToolbarContextMenu.xml	5,737 bytes	MD5: 0x815C07C40CEC4CF53861DA7A7C6EC639 SHA-1: 0xD48FA137FD2D543B555470BDFC46D2D5D637B877
12	%ProgramFiles%\MobileScoop\uninstall.exe	97,576 bytes	MD5: 0x5CA98C5E81E5EA890CC8D96D81013203 SHA-1: 0x28AA609FEAC1520EEDC7FF84332CD4F4C56585E5
13	[file and pathname of the sample #1]	2,158,640 bytes	MD5: 0x7D8C585C34BA4229C819062DEAA87587 SHA-1: 0x5371D54C6D7ED5F7E18F0FF0EC6886E4B660489B
14	[file and pathname of the sample #2]	203,656 bytes	MD5: 0x38D13DFC123FA0A5DDA3ED8D33AFAA89 SHA-1: 0x4ED6E8313BB5164C001B08FDED409AE8C72530C6

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%AppData%\Conduit
%AppData%\Conduit\Community Alerts
%AppData%\Conduit\Community Alerts\LanguagePacks
%AppData%\Conduit\Community Alerts\Log
%AppData%\Conduit\CT1605787
%AppData%\MobileScoop
%AppData%\MobileScoop\Logs
%AppData%\MobileScoop\MyStuffApps
%AppData%\Temp
%AppData%\Temp\Logs
%Temp%\nsu4.tmp
%ProgramFiles%\Conduit
%ProgramFiles%\Conduit\Community Alerts
%ProgramFiles%\MobileScoop

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
MobileScoopToolbarHelper.exe	%ProgramFiles%\MobileScoop\MobileScoopToolbarHelper.exe	77,824 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	3,813,376 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	905,216 bytes
[generic host process]	[generic host process filename]	45,056 bytes
mobilescoopautoupdatehelper.exe	%AppData%\conduit\ct1605787\mobilescoopautoupdatehelper.exe	77,824 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT1605787
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT1605787\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2633F94C-8B64-420E-BA11-AD714282E24F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6333CD91-95DA-487A-B0C2-243852612960}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileScoop Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9e3e54fd-9e6a-43c6-a3b3-3d9fe3744411}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Community Alerts
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{8cf96ac2-d260-4047-8321-33fbbf5655a4}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{9e3e54fd-9e6a-43c6-a3b3-3d9fe3744411}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Toolbars
HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop
HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop\Communicator
HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop\toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop\toolbar\InstalledApps
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
HKEY_CURRENT_USER\Software\Conduit
HKEY_CURRENT_USER\Software\Conduit\Community Alerts
HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Data
HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Data\Channels
HKEY_CURRENT_USER\Software\Conduit\Community Alerts\RegisteredSources
HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
HKEY_CURRENT_USER\Software\Conduit\RevertSettings
HKEY_CURRENT_USER\Software\Conduit\Settings
HKEY_CURRENT_USER\Software\ConduitSearchScopes
HKEY_CURRENT_USER\Software\MobileScoop
HKEY_CURRENT_USER\Software\MobileScoop\toolbar
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\IE5
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Log
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Monitored
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\conduit_CT1605787
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\conduit_CT1605787\Coordinator
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\IndexTable
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\IndexTable\CT1605787_CT1605787
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\1227099219
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\1848868897
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\1875285881
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\4060169832
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\4098276328
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Repository\MetaData\534896553
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\FeatureProtector
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\FeatureProtector\BrowserSearch
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\FeatureProtector\HomePage
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\MyStuff
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\PostParamsNewTabNavigate
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\RadioPlayer
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\SearchInNewTab
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\Tips
HKEY_CURRENT_USER\Software\MobileScoop\toolbar\Settings\Update
HKEY_CURRENT_USER\Software\Smartbar
HKEY_CURRENT_USER\Toolbar
HKEY_CURRENT_USER\Toolbar\RegisteredSources

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]

(Default) = "%ProgramFiles%\Conduit\Community Alerts\Alert.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]

(Default) = "Conduit Community Alerts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}\InprocServer32]

(Default) = "%ProgramFiles%\MobileScoop\prxtbMobi.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CF96AC2-D260-4047-8321-33FBBF5655A4}]

(Default) = "MobileScoop Findbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\VersionIndependentProgID]

(Default) = "Toolbar.CT1605787"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\ProgID]

(Default) = "Toolbar.CT1605787"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}\InprocServer32]

(Default) = "%ProgramFiles%\MobileScoop\prxtbMobi.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E3E54FD-9E6A-43C6-A3B3-3D9FE3744411}]

(Default) = "MobileScoop API Server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}\InprocServer32]

(Default) = "%ProgramFiles%\MobileScoop\prxtbMobi.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}]

(Default) = "MobileScoop Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT1605787\CLSID]

(Default) = "{9e3e54fd-9e6a-43c6-a3b3-3d9fe3744411}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{fcbf663e-8530-46f8-a880-ac5abe9d2b23} = "MobileScoop Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6333CD91-95DA-487A-B0C2-243852612960}]

AppPath = "%AppData%\Conduit\CT1605787"
AppName = "MobileScoopAutoUpdateHelper.exe"
Policy = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2633F94C-8B64-420E-BA11-AD714282E24F}]

AppPath = "%ProgramFiles%\MobileScoop"
AppName = "MobileScoopToolbarHelper.exe"
Policy = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]

(Default) = "MobileScoop"
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileScoop Toolbar]

Comments = ""
Contact = ""
DisplayName = "MobileScoop Toolbar"
DisplayVersion = "6.9.0.16"
HelpLink = "http://MobileScoop.OurToolbar.com/help"
Publisher = "MobileScoop"
URLInfoAbout = "http://MobileScoop.OurToolbar.com/"
DisplayIcon = "%ProgramFiles%\MobileScoop\uninstall.exe"
UninstallString = "%ProgramFiles%\MobileScoop\uninstall.exe toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{fcbf663e-8530-46f8-a880-ac5abe9d2b23}]

Name = "MobileScoop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{9e3e54fd-9e6a-43c6-a3b3-3d9fe3744411}]

HostID = "{fcbf663e-8530-46f8-a880-ac5abe9d2b23}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{8cf96ac2-d260-4047-8321-33fbbf5655a4}]

HostID = "{fcbf663e-8530-46f8-a880-ac5abe9d2b23}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Toolbars]

MobileScoop Toolbar = "{FCBF663E-8530-46F8-A880-AC5ABE9D2B23}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Community Alerts]

Path = "%ProgramFiles%\Conduit\Community Alerts\Alert.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop\toolbar]

MarkOldApps = "FALSE"
BrowserSearchURL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1605787"
BrowserSearchDisplayName = "MobileScoop Customized Web Search"
ComId = "{fcbf663e-8530-46f8-a880-ac5abe9d2b23}"
ToolbarAPIComId = "{9e3e54fd-9e6a-43c6-a3b3-3d9fe3744411}"
FindBarComId = "{8cf96ac2-d260-4047-8321-33fbbf5655a4}"
DisplayName = "MobileScoop"
DisplayTitle = "MobileScoop Toolbar"
GroupingEnabled = "FALSE"
InstallationId = ""
InstallationType = ""
MultiCommunityEnabled = "FALSE"
Path = "%ProgramFiles%\MobileScoop"
Server = "users.conduit.com"
ShouldPerformGroupByOS = "TRUE"
ShouldShowPersonalComponentDlg = "TRUE"
SponsorId = "CT1605787"
ToolbarHelperFileName = "%ProgramFiles%\MobileScoop\MobileScoopToolbarHelper.exe"
PlatformType = "ConduitToolbarMyStuff"
IsEngineHost = "FALSE"
AllowToUninstallFromEngine = "FALSE"
IphoneUpdateURL = ""
ToolbarDllName = "tbMobi.dll"
LoaderDllName = "ldrtbMobi.dll"
AutoUpdateHelperPath = "%AppData%\Conduit\CT1605787\MobileScoopAutoUpdateHelper.exe"
AllowUntrustedApps = "FALSE"
ProtectHomePage = ""
ProtectBrowserSearch = "TRUE"
PublisherProtectHomePage = "TRUE"
PublisherProtectBrowserSearch = "TRUE"
IsConduitAppsToolbar = "FALSE"
InstallationCookieDomain = ""
ImportMyStuffApps = "FALSE"
EnableAlertsFromInstallation = "TRUE"
NavigateToUrlOnSearch = "FALSE"
ShouldSendToolbarAge = "TRUE"
ForceEngineUninstall = "TRUE"
ProxyDllPath = "%ProgramFiles%\MobileScoop\prxtbMobi.dll"
version = "6.9.0.16"
VistaElevationComId = "{2633F94C-8B64-420E-BA11-AD714282E24F}"
AutoupdateElevationComId = "{6333CD91-95DA-487A-B0C2-243852612960}"
UserID = "UN23094053813198889"
OpenUninstallPage = "TRUE"

[HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop\Communicator]

Url = "http://servicemap.conduit-services.com/Toolbar/?ownerId=EB_ORIGINAL_CTID"
UsageUrl = "http://usage.toolbar.conduit-services.com/ToolbarUsage.ashx"

[HKEY_LOCAL_MACHINE\SOFTWARE\MobileScoop]

(Default) = ""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Enable Browser Extensions = "yes"
Use Search Asst = "no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

{FCBF663E-8530-46F8-A880-AC5ABE9D2B23} = 3E 66 BF FC 30 85 F8 46 A8 80 AC 5A BE 9D 2B 23

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

{fcbf663e-8530-46f8-a880-ac5abe9d2b23} = ""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]

DisplayName = "MobileScoop Customized Web Search"
URL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1605787"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]

DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}"

[HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Data\Channels]

LastCheckTime = 0x505C3EE9

[HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings]

AutoUpdateEnabled = "TRUE"
ALPClientsServerName = "http://alert.client.conduit.com"
ALPServicesServerName = "http://alert.services.conduit.com"
ShowAlerts = "TRUE"
UserID = "EFF194C3-DCA3-4100-97C9-27DA350F49F8"
FirstTimeMessageDisplayed = "FALSE"
SampleAlertWasShown = "FALSE"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

{0E5CBF21-D15F-11D0-8301-00AA005B4383} =
ITBarLayout =

Other details

To mark the presence in the system, the following Mutex objects were created:

CONDUIT_SHARED_MUTEX
AboutTabsIE9Mutex
InitIEMenuHooks_Mutex_1512
CCommunicatorLogicMutex_CT1605787
_SHuassist.mtx
EI_Conduit_Social_Cookie_Mutex_CT16057872
EI_InitFromDefaultDataIfNeeded
_!SHMSFTHISTORY!_
EI_3rdParty_MutexCT1605787
Community Alerts
EI_Toolbar_Update_Mutex_CT1605787_Update
Conduit_Alert_Autoupdate_Mutex
SendClientErrorLogs
CCommunicatorLogicMutex_
InitIEMenuHooks_Mutex_980

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
mobilescoop.ourtoolbar.com	80	(null)	(null)
usage.toolbar.conduit-services.com	80	(null)	(null)
servicemap.conduit-services.com	80	(null)	(null)
users.conduit.com	80	(null)	(null)
services.conduit.com	80	(null)	(null)

The following GET requests were made:

SetupFinish
Toolbar/?ownerId=CT1605787
CommunityRequest.ctp?type=GetCommunity&ct=CT1605787&CommunityPage=CT1605787.ourtoolbar.com

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%AppData%\MobileScoop\tbMobi.dll
%ProgramFiles%\Conduit\Community Alerts\Alert.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.