Virus.Win32.MABEZAT.DAM

November 13, 2019

PLATFORM:

Windows

OVERALL RISK RATING:

REPORTED INFECTION:

Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

729,967 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

13 Nov 2019

Arrival Details

This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This File infector adds the following registry keys:

HKEY_CURRENT_USER\software\HSTools\
IPMsgEng

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\BroadCast

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Priority

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HostInfo

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt2

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\lruUser

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt\Crypt2

It adds the following registry entries:

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
(Default) = "3.42"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
lcid = "4294967295"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
NoBeep = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ListGet = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ListGetMSec = "3000"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RetryMSec2 = "1500"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RetryMax = "3"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RecvMaxNT = "100"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
NoErase = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
NoPopup = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
OpenCheck = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AllowSendList = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
FileTransOpt = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ResolveOpt = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ClipMode = "3"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
CaptureMinimize = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
CaptureClip = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
CaptureSave = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
OpenMsgTime = "3000"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RecvMsgTime = "10000"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
BalloonNoInfo = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
LumpCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AbsenceSave = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AbsenceCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AbsenceMax = "8"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr0 = "absence now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead0 = "absence"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr1 = "having a meal now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead1 = "meal"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr2 = "in a meeting now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead2 = "meeting"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr3 = "visitors now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead3 = "visitor"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr4 = "out now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead4 = "out"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr5 = "home now."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead5 = "home"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr6 = "Edo tokorobarai mousi watasu!"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead6 = "Edo"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceStr7 = "I am tired of life.Please don't look for me..."

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\AbsenceStr
AbsenceHead7 = "priest"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
PasswordStr = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
PasswdLogCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
DelayTime = "500"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
QuoteCheck = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
SecretCheck = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
LogonLog = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RecvLogonDisp = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
IPAddrCheck2 = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RecvIPAddrCheck = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
OneClickPopup2 = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
BalloonNotify = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AbnormalButton = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
DialUpCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
AbsenceNonPopup = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
NickNameStr = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
GroupNameStr = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
Sort = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
UpdateTime = "10"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
KeepHostTime = "15552000"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ExtendEntry = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ExtendBroadcast = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ControlIME2 = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
GlidLine = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ColumnItems = "13"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
QuoteStr = ">"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey
HotKeyCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey
HotKeyModify = "3"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey
HotKeySend = "83"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey
HotKeyRecv = "82"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\HotKey
HotKeyMisc = "68"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
LogCheck = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
LogUTF8 = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
LogFile = "%User Profile%\Documents\ipmsg.log"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
SoundFile = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
Icon = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
RevIcon = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
lastOpen = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
lastSave = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
lruUserMax = "10"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendNickName = "97"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendUserName = "90"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendAbsence = "16"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendPriority = "21"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendGroupName = "88"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendHostName = "58"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendIPAddr = "110"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
0 = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
1 = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
2 = "2"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
3 = "3"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
4 = "4"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
5 = "5"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize\SendOrder
6 = "6"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendXdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendYdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendMidYdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendSavePos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendXpos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
SendYpos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
RecvXdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
RecvYdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
RecvSavePos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
RecvXpos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
RecvYpos = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistXdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistYdiff = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistUser = "100"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistODate = "90"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistSDate2 = "10"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\WindowSize
HistId2 = "10"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Height = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Width = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Escapement = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Orientation = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Weight = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Italic = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
UnderLine = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
StrikeOut = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
CharSet = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
OutPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
ClipPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
Quality = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
PitchAndFamily = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendEdit
FaceName = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Height = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Width = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Escapement = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Orientation = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Weight = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Italic = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
UnderLine = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
StrikeOut = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
CharSet = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
OutPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
ClipPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
Quality = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
PitchAndFamily = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\SendListView
FaceName = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Height = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Width = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Escapement = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Orientation = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Weight = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Italic = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
UnderLine = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
StrikeOut = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
CharSet = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
OutPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
ClipPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
Quality = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
PitchAndFamily = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvHead
FaceName = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Height = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Width = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Escapement = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Orientation = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Weight = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Italic = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
UnderLine = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
StrikeOut = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
CharSet = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
OutPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
ClipPrecision = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
Quality = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
PitchAndFamily = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Fonts\RecvEdit
FaceName = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
DefaultUrl = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng
ShellExec = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl
HTTP = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl
HTTPS = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl
FTP = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl
FILE = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\ClickableUrl
TELNET = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Priority
PriorityMax = "5"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Priority
PriorityReject = "0"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
FindMax2 = "12"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
FindAll = "1"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
0 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
1 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
2 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
3 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
4 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
5 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
6 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
7 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
8 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
9 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
10 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\FindStr
11 = ""

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt
PrivBlob = "{random characters}"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt
PrivEncryptSeed = "{random characters}"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt
PrivEncryptType = "2"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt2
PrivBlob = "{random characters}"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt2
PrivEncryptSeed = "{random characters}"

HKEY_CURRENT_USER\Software\HSTools\
IPMsgEng\Crypt2
PrivEncryptType = "2"

This report is generated via an automated analysis system.

SOLUTION

Minimum Scan Engine:

9.850

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\software\HSTools
- IPMsgEng

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbsenceStr

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- FindStr

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- HotKey

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- WindowSize

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendOrder

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Fonts

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts
- SendEdit

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts
- SendListView

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts
- RecvHead

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts
- RecvEdit

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- BroadCast

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ClickableUrl

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Priority

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- HostInfo

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Crypt

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Crypt2

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- lruUser

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt
- Crypt2

To delete the registry key this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>software>HSTools
Still in the left panel, locate and delete the key:
IPMsgEng
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng
Still in the left panel, locate and delete the key:
AbsenceStr
Again Still in the left panel, locate and delete the key:
FindStr
Again Still in the left panel, locate and delete the key:
HotKey
Again Still in the left panel, locate and delete the key:
WindowSize
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>WindowSize
Still in the left panel, locate and delete the key:
SendOrder
Again Still in the left panel, locate and delete the key:
Fonts
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Fonts
Still in the left panel, locate and delete the key:
SendEdit
Again Still in the left panel, locate and delete the key:
SendListView
Again Still in the left panel, locate and delete the key:
RecvHead
Again Still in the left panel, locate and delete the key:
RecvEdit
Again Still in the left panel, locate and delete the key:
BroadCast
Again Still in the left panel, locate and delete the key:
ClickableUrl
Again Still in the left panel, locate and delete the key:
Priority
Again Still in the left panel, locate and delete the key:
HostInfo
Again Still in the left panel, locate and delete the key:
Crypt
Again Still in the left panel, locate and delete the key:
Crypt2
Again Still in the left panel, locate and delete the key:
lruUser
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Crypt
Still in the left panel, locate and delete the key:
Crypt2
Close Registry Editor.

Step 3

Delete this registry value

[ Learn More ]

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- (Default) = "3.42"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- lcid = "4294967295"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- NoBeep = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ListGet = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ListGetMSec = "3000"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RetryMSec2 = "1500"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RetryMax = "3"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RecvMaxNT = "100"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- NoErase = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- NoPopup = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- OpenCheck = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AllowSendList = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- FileTransOpt = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ResolveOpt = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ClipMode = "3"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- CaptureMinimize = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- CaptureClip = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- CaptureSave = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- OpenMsgTime = "3000"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RecvMsgTime = "10000"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- BalloonNoInfo = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- LumpCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbsenceSave = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbsenceCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbsenceMax = "8"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr0 = "absence now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead0 = "absence"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr1 = "having a meal now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead1 = "meal"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr2 = "in a meeting now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead2 = "meeting"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr3 = "visitors now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead3 = "visitor"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr4 = "out now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead4 = "out"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr5 = "home now."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead5 = "home"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr6 = "Edo tokorobarai mousi watasu!"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead6 = "Edo"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceStr7 = "I am tired of life.Please don't look for me..."

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\AbsenceStr
- AbsenceHead7 = "priest"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- PasswordStr = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- PasswdLogCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- DelayTime = "500"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- QuoteCheck = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- SecretCheck = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- LogonLog = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RecvLogonDisp = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- IPAddrCheck2 = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RecvIPAddrCheck = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- OneClickPopup2 = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- BalloonNotify = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbnormalButton = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- DialUpCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- AbsenceNonPopup = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- NickNameStr = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- GroupNameStr = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Sort = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- UpdateTime = "10"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- KeepHostTime = "15552000"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ExtendEntry = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ExtendBroadcast = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ControlIME2 = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- GlidLine = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ColumnItems = "13"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- QuoteStr = ">"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\HotKey
- HotKeyCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\HotKey
- HotKeyModify = "3"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\HotKey
- HotKeySend = "83"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\HotKey
- HotKeyRecv = "82"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\HotKey
- HotKeyMisc = "68"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- LogCheck = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- LogUTF8 = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- LogFile = "%User Profile%\Documents\ipmsg.log"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- SoundFile = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- Icon = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- RevIcon = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- lastOpen = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- lastSave = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- lruUserMax = "10"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendNickName = "97"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendUserName = "90"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendAbsence = "16"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendPriority = "21"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendGroupName = "88"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendHostName = "58"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendIPAddr = "110"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 0 = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 1 = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 2 = "2"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 3 = "3"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 4 = "4"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 5 = "5"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize\SendOrder
- 6 = "6"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendXdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendYdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendMidYdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendSavePos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendXpos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- SendYpos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- RecvXdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- RecvYdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- RecvSavePos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- RecvXpos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- RecvYpos = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistXdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistYdiff = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistUser = "100"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistODate = "90"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistSDate2 = "10"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\WindowSize
- HistId2 = "10"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Height = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Width = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Escapement = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Orientation = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Weight = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Italic = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- UnderLine = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- StrikeOut = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- CharSet = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- OutPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- ClipPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- Quality = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- PitchAndFamily = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendEdit
- FaceName = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Height = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Width = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Escapement = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Orientation = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Weight = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Italic = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- UnderLine = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- StrikeOut = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- CharSet = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- OutPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- ClipPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- Quality = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- PitchAndFamily = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\SendListView
- FaceName = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Height = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Width = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Escapement = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Orientation = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Weight = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Italic = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- UnderLine = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- StrikeOut = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- CharSet = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- OutPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- ClipPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- Quality = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- PitchAndFamily = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvHead
- FaceName = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Height = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Width = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Escapement = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Orientation = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Weight = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Italic = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- UnderLine = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- StrikeOut = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- CharSet = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- OutPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- ClipPrecision = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- Quality = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- PitchAndFamily = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Fonts\RecvEdit
- FaceName = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- DefaultUrl = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng
- ShellExec = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\ClickableUrl
- HTTP = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\ClickableUrl
- HTTPS = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\ClickableUrl
- FTP = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\ClickableUrl
- FILE = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\ClickableUrl
- TELNET = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Priority
- PriorityMax = "5"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Priority
- PriorityReject = "0"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- FindMax2 = "12"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- FindAll = "1"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 0 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 1 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 2 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 3 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 4 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 5 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 6 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 7 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 8 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 9 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 10 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\FindStr
- 11 = ""

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt
- PrivBlob = "{random characters}"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt
- PrivEncryptSeed = "{random characters}"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt
- PrivEncryptType = "2"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt2
- PrivBlob = "{random characters}"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt2
- PrivEncryptSeed = "{random characters}"

In HKEY_CURRENT_USER\Software\HSTools\IPMsgEng\Crypt2
- PrivEncryptType = "2"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng
In the right panel, locate and delete the entry:
(Default) = "3.42"
Again In the right panel, locate and delete the entry:
lcid = "4294967295"
Again In the right panel, locate and delete the entry:
NoBeep = "0"
Again In the right panel, locate and delete the entry:
ListGet = "0"
Again In the right panel, locate and delete the entry:
ListGetMSec = "3000"
Again In the right panel, locate and delete the entry:
RetryMSec2 = "1500"
Again In the right panel, locate and delete the entry:
RetryMax = "3"
Again In the right panel, locate and delete the entry:
RecvMaxNT = "100"
Again In the right panel, locate and delete the entry:
NoErase = "0"
Again In the right panel, locate and delete the entry:
NoPopup = "1"
Again In the right panel, locate and delete the entry:
OpenCheck = "1"
Again In the right panel, locate and delete the entry:
AllowSendList = "1"
Again In the right panel, locate and delete the entry:
FileTransOpt = "0"
Again In the right panel, locate and delete the entry:
ResolveOpt = "0"
Again In the right panel, locate and delete the entry:
ClipMode = "3"
Again In the right panel, locate and delete the entry:
CaptureMinimize = "1"
Again In the right panel, locate and delete the entry:
CaptureClip = "1"
Again In the right panel, locate and delete the entry:
CaptureSave = "0"
Again In the right panel, locate and delete the entry:
OpenMsgTime = "3000"
Again In the right panel, locate and delete the entry:
RecvMsgTime = "10000"
Again In the right panel, locate and delete the entry:
BalloonNoInfo = "0"
Again In the right panel, locate and delete the entry:
LumpCheck = "0"
Again In the right panel, locate and delete the entry:
AbsenceSave = "0"
Again In the right panel, locate and delete the entry:
AbsenceCheck = "0"
Again In the right panel, locate and delete the entry:
AbsenceMax = "8"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>AbsenceStr
In the right panel, locate and delete the entry:
AbsenceStr0 = "absence now."
Again In the right panel, locate and delete the entry:
AbsenceHead0 = "absence"
Again In the right panel, locate and delete the entry:
AbsenceStr1 = "having a meal now."
Again In the right panel, locate and delete the entry:
AbsenceHead1 = "meal"
Again In the right panel, locate and delete the entry:
AbsenceStr2 = "in a meeting now."
Again In the right panel, locate and delete the entry:
AbsenceHead2 = "meeting"
Again In the right panel, locate and delete the entry:
AbsenceStr3 = "visitors now."
Again In the right panel, locate and delete the entry:
AbsenceHead3 = "visitor"
Again In the right panel, locate and delete the entry:
AbsenceStr4 = "out now."
Again In the right panel, locate and delete the entry:
AbsenceHead4 = "out"
Again In the right panel, locate and delete the entry:
AbsenceStr5 = "home now."
Again In the right panel, locate and delete the entry:
AbsenceHead5 = "home"
Again In the right panel, locate and delete the entry:
AbsenceStr6 = "Edo tokorobarai mousi watasu!"
Again In the right panel, locate and delete the entry:
AbsenceHead6 = "Edo"
Again In the right panel, locate and delete the entry:
AbsenceStr7 = "I am tired of life.Please don't look for me..."
Again In the right panel, locate and delete the entry:
AbsenceHead7 = "priest"
Again In the right panel, locate and delete the entry:
PasswordStr = ""
Again In the right panel, locate and delete the entry:
PasswdLogCheck = "0"
Again In the right panel, locate and delete the entry:
DelayTime = "500"
Again In the right panel, locate and delete the entry:
QuoteCheck = "1"
Again In the right panel, locate and delete the entry:
SecretCheck = "1"
Again In the right panel, locate and delete the entry:
LogonLog = "1"
Again In the right panel, locate and delete the entry:
RecvLogonDisp = "0"
Again In the right panel, locate and delete the entry:
IPAddrCheck2 = "1"
Again In the right panel, locate and delete the entry:
RecvIPAddrCheck = "1"
Again In the right panel, locate and delete the entry:
OneClickPopup2 = "1"
Again In the right panel, locate and delete the entry:
BalloonNotify = "1"
Again In the right panel, locate and delete the entry:
AbnormalButton = "0"
Again In the right panel, locate and delete the entry:
DialUpCheck = "0"
Again In the right panel, locate and delete the entry:
AbsenceNonPopup = "1"
Again In the right panel, locate and delete the entry:
NickNameStr = ""
Again In the right panel, locate and delete the entry:
GroupNameStr = ""
Again In the right panel, locate and delete the entry:
Sort = "0"
Again In the right panel, locate and delete the entry:
UpdateTime = "10"
Again In the right panel, locate and delete the entry:
KeepHostTime = "15552000"
Again In the right panel, locate and delete the entry:
ExtendEntry = "1"
Again In the right panel, locate and delete the entry:
ExtendBroadcast = "1"
Again In the right panel, locate and delete the entry:
ControlIME2 = "1"
Again In the right panel, locate and delete the entry:
GlidLine = "1"
Again In the right panel, locate and delete the entry:
ColumnItems = "13"
Again In the right panel, locate and delete the entry:
QuoteStr = ">"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>HotKey
In the right panel, locate and delete the entry:
HotKeyCheck = "0"
Again In the right panel, locate and delete the entry:
HotKeyModify = "3"
Again In the right panel, locate and delete the entry:
HotKeySend = "83"
Again In the right panel, locate and delete the entry:
HotKeyRecv = "82"
Again In the right panel, locate and delete the entry:
HotKeyMisc = "68"
Again In the right panel, locate and delete the entry:
LogCheck = "0"
Again In the right panel, locate and delete the entry:
LogUTF8 = "1"
Again In the right panel, locate and delete the entry:
LogFile = "%User Profile%\Documents\ipmsg.log"
Again In the right panel, locate and delete the entry:
SoundFile = ""
Again In the right panel, locate and delete the entry:
Icon = ""
Again In the right panel, locate and delete the entry:
RevIcon = ""
Again In the right panel, locate and delete the entry:
lastOpen = ""
Again In the right panel, locate and delete the entry:
lastSave = ""
Again In the right panel, locate and delete the entry:
lruUserMax = "10"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>WindowSize
In the right panel, locate and delete the entry:
SendNickName = "97"
Again In the right panel, locate and delete the entry:
SendUserName = "90"
Again In the right panel, locate and delete the entry:
SendAbsence = "16"
Again In the right panel, locate and delete the entry:
SendPriority = "21"
Again In the right panel, locate and delete the entry:
SendGroupName = "88"
Again In the right panel, locate and delete the entry:
SendHostName = "58"
Again In the right panel, locate and delete the entry:
SendIPAddr = "110"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>WindowSize>SendOrder
In the right panel, locate and delete the entry:
0 = "0"
Again In the right panel, locate and delete the entry:
1 = "1"
Again In the right panel, locate and delete the entry:
2 = "2"
Again In the right panel, locate and delete the entry:
3 = "3"
Again In the right panel, locate and delete the entry:
4 = "4"
Again In the right panel, locate and delete the entry:
5 = "5"
Again In the right panel, locate and delete the entry:
6 = "6"
Again In the right panel, locate and delete the entry:
SendXdiff = "0"
Again In the right panel, locate and delete the entry:
SendYdiff = "0"
Again In the right panel, locate and delete the entry:
SendMidYdiff = "0"
Again In the right panel, locate and delete the entry:
SendSavePos = "0"
Again In the right panel, locate and delete the entry:
SendXpos = "0"
Again In the right panel, locate and delete the entry:
SendYpos = "0"
Again In the right panel, locate and delete the entry:
RecvXdiff = "0"
Again In the right panel, locate and delete the entry:
RecvYdiff = "0"
Again In the right panel, locate and delete the entry:
RecvSavePos = "0"
Again In the right panel, locate and delete the entry:
RecvXpos = "0"
Again In the right panel, locate and delete the entry:
RecvYpos = "0"
Again In the right panel, locate and delete the entry:
HistXdiff = "0"
Again In the right panel, locate and delete the entry:
HistYdiff = "0"
Again In the right panel, locate and delete the entry:
HistUser = "100"
Again In the right panel, locate and delete the entry:
HistODate = "90"
Again In the right panel, locate and delete the entry:
HistSDate2 = "10"
Again In the right panel, locate and delete the entry:
HistId2 = "10"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Fonts>SendEdit
In the right panel, locate and delete the entry:
Height = "0"
Again In the right panel, locate and delete the entry:
Width = "0"
Again In the right panel, locate and delete the entry:
Escapement = "0"
Again In the right panel, locate and delete the entry:
Orientation = "0"
Again In the right panel, locate and delete the entry:
Weight = "0"
Again In the right panel, locate and delete the entry:
Italic = "0"
Again In the right panel, locate and delete the entry:
UnderLine = "0"
Again In the right panel, locate and delete the entry:
StrikeOut = "0"
Again In the right panel, locate and delete the entry:
CharSet = "0"
Again In the right panel, locate and delete the entry:
OutPrecision = "0"
Again In the right panel, locate and delete the entry:
ClipPrecision = "0"
Again In the right panel, locate and delete the entry:
Quality = "0"
Again In the right panel, locate and delete the entry:
PitchAndFamily = "0"
Again In the right panel, locate and delete the entry:
FaceName = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Fonts>SendListView
In the right panel, locate and delete the entry:
Height = "0"
Again In the right panel, locate and delete the entry:
Width = "0"
Again In the right panel, locate and delete the entry:
Escapement = "0"
Again In the right panel, locate and delete the entry:
Orientation = "0"
Again In the right panel, locate and delete the entry:
Weight = "0"
Again In the right panel, locate and delete the entry:
Italic = "0"
Again In the right panel, locate and delete the entry:
UnderLine = "0"
Again In the right panel, locate and delete the entry:
StrikeOut = "0"
Again In the right panel, locate and delete the entry:
CharSet = "0"
Again In the right panel, locate and delete the entry:
OutPrecision = "0"
Again In the right panel, locate and delete the entry:
ClipPrecision = "0"
Again In the right panel, locate and delete the entry:
Quality = "0"
Again In the right panel, locate and delete the entry:
PitchAndFamily = "0"
Again In the right panel, locate and delete the entry:
FaceName = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Fonts>RecvHead
In the right panel, locate and delete the entry:
Height = "0"
Again In the right panel, locate and delete the entry:
Width = "0"
Again In the right panel, locate and delete the entry:
Escapement = "0"
Again In the right panel, locate and delete the entry:
Orientation = "0"
Again In the right panel, locate and delete the entry:
Weight = "0"
Again In the right panel, locate and delete the entry:
Italic = "0"
Again In the right panel, locate and delete the entry:
UnderLine = "0"
Again In the right panel, locate and delete the entry:
StrikeOut = "0"
Again In the right panel, locate and delete the entry:
CharSet = "0"
Again In the right panel, locate and delete the entry:
OutPrecision = "0"
Again In the right panel, locate and delete the entry:
ClipPrecision = "0"
Again In the right panel, locate and delete the entry:
Quality = "0"
Again In the right panel, locate and delete the entry:
PitchAndFamily = "0"
Again In the right panel, locate and delete the entry:
FaceName = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Fonts>RecvEdit
In the right panel, locate and delete the entry:
Height = "0"
Again In the right panel, locate and delete the entry:
Width = "0"
Again In the right panel, locate and delete the entry:
Escapement = "0"
Again In the right panel, locate and delete the entry:
Orientation = "0"
Again In the right panel, locate and delete the entry:
Weight = "0"
Again In the right panel, locate and delete the entry:
Italic = "0"
Again In the right panel, locate and delete the entry:
UnderLine = "0"
Again In the right panel, locate and delete the entry:
StrikeOut = "0"
Again In the right panel, locate and delete the entry:
CharSet = "0"
Again In the right panel, locate and delete the entry:
OutPrecision = "0"
Again In the right panel, locate and delete the entry:
ClipPrecision = "0"
Again In the right panel, locate and delete the entry:
Quality = "0"
Again In the right panel, locate and delete the entry:
PitchAndFamily = "0"
Again In the right panel, locate and delete the entry:
FaceName = ""
Again In the right panel, locate and delete the entry:
DefaultUrl = "1"
Again In the right panel, locate and delete the entry:
ShellExec = "0"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>ClickableUrl
In the right panel, locate and delete the entry:
HTTP = ""
Again In the right panel, locate and delete the entry:
HTTPS = ""
Again In the right panel, locate and delete the entry:
FTP = ""
Again In the right panel, locate and delete the entry:
FILE = ""
Again In the right panel, locate and delete the entry:
TELNET = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Priority
In the right panel, locate and delete the entry:
PriorityMax = "5"
Again In the right panel, locate and delete the entry:
PriorityReject = "0"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>FindStr
In the right panel, locate and delete the entry:
FindMax2 = "12"
Again In the right panel, locate and delete the entry:
FindAll = "1"
Again In the right panel, locate and delete the entry:
0 = ""
Again In the right panel, locate and delete the entry:
1 = ""
Again In the right panel, locate and delete the entry:
2 = ""
Again In the right panel, locate and delete the entry:
3 = ""
Again In the right panel, locate and delete the entry:
4 = ""
Again In the right panel, locate and delete the entry:
5 = ""
Again In the right panel, locate and delete the entry:
6 = ""
Again In the right panel, locate and delete the entry:
7 = ""
Again In the right panel, locate and delete the entry:
8 = ""
Again In the right panel, locate and delete the entry:
9 = ""
Again In the right panel, locate and delete the entry:
10 = ""
Again In the right panel, locate and delete the entry:
11 = ""
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Crypt
In the right panel, locate and delete the entry:
PrivBlob = "{random characters}"
Again In the right panel, locate and delete the entry:
PrivEncryptSeed = "{random characters}"
Again In the right panel, locate and delete the entry:
PrivEncryptType = "2"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>HSTools>IPMsgEng>Crypt2
In the right panel, locate and delete the entry:
PrivBlob = "{random characters}"
Again In the right panel, locate and delete the entry:
PrivEncryptSeed = "{random characters}"
Again In the right panel, locate and delete the entry:
PrivEncryptType = "2"
Close Registry Editor.

Step 4

Scan your computer with your Trend Micro product to clean files detected as Virus.Win32.MABEZAT.DAM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.

Virus.Win32.MABEZAT.DAM

OVERVIEW

TECHNICAL DETAILS

SOLUTION

리소스

지원

트렌드마이크로 정보

Virus.Win32.MABEZAT.DAM

OVERVIEW

TECHNICAL DETAILS

SOLUTION

리소스

지원

트렌드마이크로 정보

아메리카

중동 & 아프리카

유럽

아시아 & 태평양