Adware.Win32.Zoremov.A
Windows
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
3,872,968 bytes
EXE
Yes
15 May 2020
Arrival Details
This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Adware adds the following processes:
- %User Temp%\IXP001.TMP\kernel.exe
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe "%Application Data%\AppDirectory\PDFLeader\params.txt"
- schtasks.exe /create /SC DAILY /TN Update_Zoremov /TR "\"%Application Data%\AppRun\AppRun.exe\" -updatesched
- "%System%\ie4uinit.exe" -show
- ie4uinit.exe -show
- %System%\svchost.exe -k LocalServiceAndNoImpersonation
- %System%\sppsvc.exe
- "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
- %System%\svchost.exe -k WerSvcGroup
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
It creates the following folders:
- %Application Data%\AppDirectory\PDFLeader
- %Application Data%\AppDirectory
- %Application Data%\AppRun
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Autostart Technique
This Adware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP001.TMP\""
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AppRun = "%Application Data%\AppRun\AppRun.exe -updatestartup"
Other System Modifications
This Adware modifies the following file(s):
- %Start Menu%\Programs\Internet Explorer.lnk
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It deletes the following files:
- %Windows%\Tasks\Update_Zoremov.job
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It deletes the following folders:
- %User Temp%\IXP001.TMP
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayName = "PDFLeader"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
ApplicationVersion = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
Publisher = "Zoremov"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayIcon = "%Application Data%\AppRun\AppRun.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayVersion = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
InstallDate = "20200115"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
UninstallString = "%Application Data%\AppRun\AppRun.exe -uninstall"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
EstimatedSize = "437"
HKEY_CURRENT_USER\Software\Apprun
Installed = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Capabilities
Hidden = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
FriendlyTypeName = "@%System%\ieframe.dll,-903"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
FriendlyTypeName = "@%System%\ieframe.dll,-904"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
FriendlyTypeName = "@%System%\ieframe.dll,-905"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
FriendlyTypeName = "@%System%\ieframe.dll,-10046"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
(Default) = "Pinned Site Shortcut"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
EditFlags = "131074"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
FriendlyTypeName = "@%System%\ieframe.dll,-53504"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\DefaultIcon
(Default) = "%SystemRoot%\system32\ieframe.dll,-211"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-912"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-913"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile
FriendlyTypeName = "@%System%\ieframe.dll,-914"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-915"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm\OpenWithProgIds
htmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html\OpenWithProgIds
htmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial
(Default) = "IE.AssocFile.PARTIAL"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial\OpenWithProgIds
IE.AssocFile.PARTIAL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg
(Default) = "svgfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg
Content Type = "image/svg+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg\OpenWithProgIds
svgfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml
(Default) = "xhtmlfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml
Content Type = "application/xhtml+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml\OpenWithProgIds
xhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht
(Default) = "xhtmlfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht
Content Type = "application/xhtml+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht\OpenWithProgIds
xhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht\OpenWithProgIds
mhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml\OpenWithProgIds
mhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell
(Default) = "opennew"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
(Default) = "Open in S&ame Window"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
(Default) = "&Open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell
(Default) = "opennew"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
(Default) = "Open in S&ame Window"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
(Default) = "&Open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website
(Default) = "Microsoft.Website"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website\OpenWithProgIds
Microsoft.Website = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\Shell
(Default) = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\Shell\Open
(Default) = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL\OpenWithProgIds
InternetShortcut = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Applications\iexplore.exe\shell\
open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = "41"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
telnet
FriendlyTypeName = "@%System%\ieframe.dll,-907"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rlogin
FriendlyTypeName = "@%System%\ieframe.dll,-908"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tn3270
FriendlyTypeName = "@%System%\ieframe.dll,-909"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mailto
FriendlyTypeName = "@%System%\ieframe.dll,-910"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = "42"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
IsInstalled = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\InstallInfo
IconsVisible = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup\
OC Manager\Subcomponents
IEAccess = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
(Default) = "URL:HyperText Transfer Protocol"
(Note: The default value data of the said registry entry is URL:HyperText Transfer Protocol.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
(Default) = "URL:HyperText Transfer Protocol with Privacy"
(Note: The default value data of the said registry entry is URL:HyperText Transfer Protocol with Privacy.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
(Default) = "URL:File Transfer Protocol"
(Note: The default value data of the said registry entry is URL:File Transfer Protocol.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is %Windows%\system32\msieftp.dll,0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
(Default) = "Internet Shortcut"
(Note: The default value data of the said registry entry is Internet Shortcut.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,5"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
(Note: The default value data of the said registry entry is "%1".)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-32554"
(Note: The default value data of the said registry entry is "%1".)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm
(Default) = "htmlfile"
(Note: The default value data of the said registry entry is htmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm
Content Type = "text/html"
(Note: The default value data of the said registry entry is text/html.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html
(Default) = "htmlfile"
(Note: The default value data of the said registry entry is htmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html
Content Type = "text/html"
(Note: The default value data of the said registry entry is text/html.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell
(Default) = "opennew"
(Note: The default value data of the said registry entry is opennew.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
(Default) = "Open in S&ame Window"
(Note: The default value data of the said registry entry is Open in S&ame Window.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\Print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
(Note: The default value data of the said registry entry is "%Program Files%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell
(Default) = "opennew"
(Note: The default value data of the said registry entry is opennew.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
(Default) = "&Open"
(Note: The default value data of the said registry entry is &Open.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht
(Default) = "mhtmlfile"
(Note: The default value data of the said registry entry is mhtmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht
Content Type = "message/rfc822"
(Note: The default value data of the said registry entry is message/rfc822.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml
(Default) = "mhtmlfile"
(Note: The default value data of the said registry entry is mhtmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml
Content Type = "message/rfc822"
(Note: The default value data of the said registry entry is message/rfc822.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
(Default) = "Open in S&ame Window"
(Note: The default value data of the said registry entry is Open in S&ame Window.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
(Default) = "&Open"
(Note: The default value data of the said registry entry is &Open.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL
(Default) = "InternetShortcut"
(Note: The default value data of the said registry entry is InternetShortcut.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Attributes = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Locale = "*"
(Note: The default value data of the said registry entry is en.)
HKEY_CURRENT_USER\Software\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Version = "11,0,9600,0"
(Note: The default value data of the said registry entry is 6,0,2900,2180.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce\
wextract_cleanup0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
RemoveAccess\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm\OpenWithProgIds\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html\OpenWithProgIds\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht\OpenWithProgIds\mhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml\OpenWithProgIds\mhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg\OpenWithProgIds\svgfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht\OpenWithProgIds\xhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml\OpenWithProgIds\xhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial\OpenWithProgIds\IE.AssocFile.PARTIAL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website\OpenWithProgIds\Microsoft.Website
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL\OpenWithProgIds\InternetShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellExecuteHooks\{FBF23B40-E3F0-101B-8488-00AA003E56F8}
Dropping Routine
This Adware drops the following files:
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Application Data%\AppRun\api-ms-win-core-processthreads-l1-1-1.dll
- %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
- %Application Data%\AppRun\api-ms-win-core-localization-l1-2-0.dll
- %User Temp%\u1bc.4
- %Application Data%\AppRun\api-ms-win-crt-string-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l2-1-0.dll
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Application Data%\AppRun\api-ms-win-crt-math-l1-1-0.dll
- %User Temp%\u1bc.1
- %Application Data%\AppRun\api-ms-win-crt-runtime-l1-1-0.dll
- %Application Data%\AppRun\mfc140u.dll
- %Application Data%\AppRun\api-ms-win-crt-time-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-filesystem-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
- %AppDataLocal%\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- %Application Data%\AppRun\vcruntime140.dll
- %Application Data%\AppDirectory\PDFLeader\PDFLeader.ico
- %Application Data%\AppRun\ucrtbase.dll
- %Application Data%\AppRun\api-ms-win-core-timezone-l1-1-0.dll
- %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\service.tst.pdfleaderapp[1].xml
- %Application Data%\AppRun\libcurl.dll
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
- %Application Data%\AppRun\api-ms-win-crt-utility-l1-1-0.dll
- %Application Data%\AppRun\AppRun.exe
- %Application Data%\AppRun\api-ms-win-crt-stdio-l1-1-0.dll
- %Application Data%\AppDirectory\PDFLeader\SharpCompress.dll
- %Application Data%\AppDirectory\PDFLeader\params.txt
- %Application Data%\AppRun\api-ms-win-crt-locale-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-synch-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
- %Application Data%\AppRun\api-ms-win-crt-convert-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-multibyte-l1-1-0.dll
- %User Temp%\u1bc.3
- %Application Data%\AppRun\api-ms-win-crt-heap-l1-1-0.dll
- %User Temp%\u1bc.0
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe.config
- %Application Data%\AppRun\msvcp140.dll
- %Application Data%\AppRun\api-ms-win-crt-environment-l1-1-0.dll
- %Desktop%\PDFLeader.lnk
- %User Temp%\u1bc.2
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
This report is generated via an automated analysis system.
SOLUTION
9.850
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Identify and terminate files detected as Adware.Win32.Zoremov.A
- Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP001.TMP\""
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- AppRun = "%Application Data%\AppRun\AppRun.exe -updatestartup"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayName = "PDFLeader"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- ApplicationVersion = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- Publisher = "Zoremov"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayIcon = "%Application Data%\AppRun\AppRun.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayVersion = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- InstallDate = "20200115"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- UninstallString = "%Application Data%\AppRun\AppRun.exe -uninstall"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- EstimatedSize = "437"
- In HKEY_CURRENT_USER\Software\Apprun
- Installed = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities
- Hidden = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- FriendlyTypeName = "@%System%\ieframe.dll,-903"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- FriendlyTypeName = "@%System%\ieframe.dll,-904"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- FriendlyTypeName = "@%System%\ieframe.dll,-905"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- FriendlyTypeName = "@%System%\ieframe.dll,-10046"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- (Default) = "Pinned Site Shortcut"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- EditFlags = "131074"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- FriendlyTypeName = "@%System%\ieframe.dll,-53504"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon
- (Default) = "%SystemRoot%\system32\ieframe.dll,-211"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-912"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-913"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile
- FriendlyTypeName = "@%System%\ieframe.dll,-914"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon
- (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-915"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\DefaultIcon
- (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds
- htmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds
- htmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial
- (Default) = "IE.AssocFile.PARTIAL"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds
- IE.AssocFile.PARTIAL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg
- (Default) = "svgfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg
- Content Type = "image/svg+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds
- svgfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml
- (Default) = "xhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml
- Content Type = "application/xhtml+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds
- xhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht
- (Default) = "xhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht
- Content Type = "application/xhtml+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds
- xhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds
- mhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds
- mhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell
- (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell
- (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website
- (Default) = "Microsoft.Website"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds
- Microsoft.Website = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell
- (Default) = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\Open
- (Default) = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\OpenWithProgIds
- InternetShortcut = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- GlobalAssocChangedCounter = "41"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet
- FriendlyTypeName = "@%System%\ieframe.dll,-907"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin
- FriendlyTypeName = "@%System%\ieframe.dll,-908"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270
- FriendlyTypeName = "@%System%\ieframe.dll,-909"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto
- FriendlyTypeName = "@%System%\ieframe.dll,-910"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- GlobalAssocChangedCounter = "42"
Step 5
Restore these modified registry values
Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: IsInstalled = "1"
To: IsInstalled = ""1""
- From: IsInstalled = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo
- From: IconsVisible = "1"
To: IconsVisible = ""1""
- From: IconsVisible = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents
- From: IEAccess = "1"
To: IEAccess = ""1""
- From: IEAccess = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- From: (Default) = "URL:HyperText Transfer Protocol"
To: (Default) = ""URL:HyperText Transfer Protocol""
- From: (Default) = "URL:HyperText Transfer Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- From: EditFlags = "2"
To: EditFlags = ""2""
- From: EditFlags = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""{random values}""
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- From: (Default) = "URL:HyperText Transfer Protocol with Privacy"
To: (Default) = ""URL:HyperText Transfer Protocol with Privacy""
- From: (Default) = "URL:HyperText Transfer Protocol with Privacy"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- From: EditFlags = "2"
To: EditFlags = ""2""
- From: EditFlags = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""{random values}""
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- From: (Default) = "URL:File Transfer Protocol"
To: (Default) = ""URL:File Transfer Protocol""
- From: (Default) = "URL:File Transfer Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- From: EditFlags = "2"
To: EditFlags = ""2""
- From: EditFlags = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""%Windows%\system32\msieftp.dll,0""
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- From: (Default) = "Internet Shortcut"
To: (Default) = ""Internet Shortcut""
- From: (Default) = "Internet Shortcut"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- From: EditFlags = "2"
To: EditFlags = ""2""
- From: EditFlags = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,5"
To: (Default) = ""{random values}""
- From: (Default) = "%SystemRoot%\system32\url.dll,5"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
To: (Default) = """%1"""
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-32554"
To: (Default) = """%1"""
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-32554"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm
- From: (Default) = "htmlfile"
To: (Default) = ""htmlfile""
- From: (Default) = "htmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm
- From: Content Type = "text/html"
To: Content Type = ""text/html""
- From: Content Type = "text/html"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html
- From: (Default) = "htmlfile"
To: (Default) = ""htmlfile""
- From: (Default) = "htmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html
- From: Content Type = "text/html"
To: Content Type = ""text/html""
- From: Content Type = "text/html"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell
- From: (Default) = "opennew"
To: (Default) = ""opennew""
- From: (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- From: (Default) = "Open in S&ame Window"
To: (Default) = ""Open in S&ame Window""
- From: (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
To: (Default) = """%Program Files%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1""
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
To: (Default) = ""{random values}""
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- From: (Default) = "opennew"
To: (Default) = ""opennew""
- From: (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- From: (Default) = "&Open"
To: (Default) = ""&Open""
- From: (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht
- From: (Default) = "mhtmlfile"
To: (Default) = ""mhtmlfile""
- From: (Default) = "mhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht
- From: Content Type = "message/rfc822"
To: Content Type = ""message/rfc822""
- From: Content Type = "message/rfc822"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml
- From: (Default) = "mhtmlfile"
To: (Default) = ""mhtmlfile""
- From: (Default) = "mhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml
- From: Content Type = "message/rfc822"
To: Content Type = ""message/rfc822""
- From: Content Type = "message/rfc822"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- From: (Default) = "Open in S&ame Window"
To: (Default) = ""Open in S&ame Window""
- From: (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- From: (Default) = "&Open"
To: (Default) = ""&Open""
- From: (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL
- From: (Default) = "InternetShortcut"
To: (Default) = ""InternetShortcut""
- From: (Default) = "InternetShortcut"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
- Attributes = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: Locale = "*"
To: Locale = ""en""
- From: Locale = "*"
- In HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: Version = "11,0,9600,0"
To: Version = ""6,0,2900,2180""
- From: Version = "11,0,9600,0"
Step 6
Search and delete these components
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Application Data%\AppRun\api-ms-win-core-processthreads-l1-1-1.dll
- %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
- %Application Data%\AppRun\api-ms-win-core-localization-l1-2-0.dll
- %User Temp%\u1bc.4
- %Application Data%\AppRun\api-ms-win-crt-string-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l2-1-0.dll
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Application Data%\AppRun\api-ms-win-crt-math-l1-1-0.dll
- %User Temp%\u1bc.1
- %Application Data%\AppRun\api-ms-win-crt-runtime-l1-1-0.dll
- %Application Data%\AppRun\mfc140u.dll
- %Application Data%\AppRun\api-ms-win-crt-time-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-filesystem-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
- %AppDataLocal%\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- %Application Data%\AppRun\vcruntime140.dll
- %Application Data%\AppDirectory\PDFLeader\PDFLeader.ico
- %Application Data%\AppRun\ucrtbase.dll
- %Application Data%\AppRun\api-ms-win-core-timezone-l1-1-0.dll
- %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\service.tst.pdfleaderapp[1].xml
- %Application Data%\AppRun\libcurl.dll
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
- %Application Data%\AppRun\api-ms-win-crt-utility-l1-1-0.dll
- %Application Data%\AppRun\AppRun.exe
- %Application Data%\AppRun\api-ms-win-crt-stdio-l1-1-0.dll
- %Application Data%\AppDirectory\PDFLeader\SharpCompress.dll
- %Application Data%\AppDirectory\PDFLeader\params.txt
- %Application Data%\AppRun\api-ms-win-crt-locale-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-synch-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
- %Application Data%\AppRun\api-ms-win-crt-convert-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-multibyte-l1-1-0.dll
- %User Temp%\u1bc.3
- %Application Data%\AppRun\api-ms-win-crt-heap-l1-1-0.dll
- %User Temp%\u1bc.0
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe.config
- %Application Data%\AppRun\msvcp140.dll
- %Application Data%\AppRun\api-ms-win-crt-environment-l1-1-0.dll
- %Desktop%\PDFLeader.lnk
- %User Temp%\u1bc.2
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe
Step 7
Search and delete these folders
- %Application Data%\AppDirectory\PDFLeader
- %Application Data%\AppDirectory
- %Application Data%\AppRun
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Adware.Win32.Zoremov.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 9
Restore deleted/modified files and/or registry entries from backup
*Note: Only Microsoft-related files/keys/values will be restored. If this malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- %Start Menu%\Programs\Internet Explorer.lnk
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Step 10
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- %Windows%\Tasks\Update_Zoremov.job
Step 11
Restore these deleted registry keys/values from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- wextract_cleanup0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess
- iexplore.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds
- htmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds
- htmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds
- mhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds
- mhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds
- svgfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds
- xhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds
- xhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds
- IE.AssocFile.PARTIAL
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds
- Microsoft.Website
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\OpenWithProgIds
- InternetShortcut
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- {FBF23B40-E3F0-101B-8488-00AA003E56F8}
Did this description help? Tell us how we did.