ALIASES:

Spyware:Win32/CnsMin, Spyware:Win32/CnsMin, Spyware:Win32/CnsMin, Spyware:Win32/CnsMin, Spyware:Win3 (Microsoft); [8.nsis]:CnsMin., [9.nsis]:Generic PUP.z., [10.nsis]:CnsMin., [13.nsis]:Generic PUP.z., [14.nsis]:Cn (McAfee); PAK:UPX, ARC:NSIS, [CNS1.exe]:Trojan.Win32.DNSChanger.gpg, ARC:[$R10]:CAB, ARC:[$R10]:CAB, PAK:[$R10 (Kaspersky); Trojan.Win32.Generic!BT, 3721 Chinese Keywords (CNSMin), 3721 Chinese Keywords (CNSMin), 3721 Chines (Sunbelt); Adware.CDN (FSecure)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 2,064,088 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 28 Apr 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan creates the following folders:

  • %User Temp%\nsj3.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other System Modifications

This Trojan deletes the following files:

  • %User Temp%\nst1.tmp
  • %User Temp%\nsj3.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It adds the following registry keys:

HKEY_CURRENT_USER\Software\3721\
CnsMin

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.Encode\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.RegExp\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.3\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ECMAScript\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1 Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2 Author\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript.Encode\OLEScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript

It adds the following registry entries:

HKEY_CURRENT_USER\Software\3721\
CnsMin
IIS = "&fb=0&fc=0&fd=0&fe=0&fg=0&fh=0&fi=0&fj=0&fa=0&fu="

HKEY_CLASSES_ROOT
VBScript = "VB Script Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript
CLSID = "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"

HKEY_CLASSES_ROOT
VBS = "VB Script Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS
CLSID = "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{B54F3741-5B07-11cf-A4B0-00AA004A55E8} = "VB Script Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
ProgID = "VBScript"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
InprocServer32 = "%System%\vbscript.dll"

HKEY_CLASSES_ROOT
VBScript Author = "VB Script Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript Author
CLSID = "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}"

HKEY_CLASSES_ROOT
VBS Author = "VB Script Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS Author
CLSID = "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{B54F3742-5B07-11cf-A4B0-00AA004A55E8} = "VB Script Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
ProgID = "VBScript Author"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
InprocServer32 = "%System%\vbscript.dll"

HKEY_CLASSES_ROOT
VBScript.Encode = "VBScript Language Encoding"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.Encode
CLSID = "{B54F3743-5B07-11cf-A4B0-00AA004A55E8}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{B54F3743-5B07-11cf-A4B0-00AA004A55E8} = "VBScript Language Encoding"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
ProgID = "VBScript.Encode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
InprocServer32 = "%System%\vbscript.dll"

HKEY_CLASSES_ROOT
VBScript.RegExp = "VBScript Regular Expression"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.RegExp
CLSID = "{3F4DACA4-160D-11D2-A8E9-00104B365C9F}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{3F4DACA4-160D-11D2-A8E9-00104B365C9F} = "VBScript Regular Expression"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
ProgID = "VBScript.RegExp"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
InprocServer32 = "%System%\vbscript.dll"

HKEY_CLASSES_ROOT
JScript = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
LiveScript = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript1.1 = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript1.2 = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript1.3 = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.3
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
ECMAScript = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ECMAScript
CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{f414c260-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
ProgID = "JScript"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
InprocServer32 = "%System%\jscript.dll"

HKEY_CLASSES_ROOT
JScript Author = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript Author
CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
LiveScript Author = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript Author
CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript Author = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript Author
CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript1.1 Author = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1 Author
CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_CLASSES_ROOT
JavaScript1.2 Author = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2 Author
CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{f414c261-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language Authoring"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
ProgID = "JScript Author"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
InprocServer32 = "%System%\jscript.dll"

HKEY_CLASSES_ROOT
JScript.Encode = "JScript Language Encoding"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript.Encode
CLSID = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID
{f414c262-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language Encoding"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
ProgID = "JScript.Encode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
InprocServer32 = "%System%\jscript.dll"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32
ThreadingModel = "Apartment"

(Note: The default value data of the said registry entry is Apartment.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "1.0"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "1.0"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "1.0"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "5.5"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "5.5"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}\TypeLib
Version = "5.5"

(Note: The default value data of the said registry entry is 5.5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
IsInstalled = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
Version = "5,6,0,8820"

(Note: The default value data of the said registry entry is 5,6,0,8820.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
Locale = "EN"

(Note: The default value data of the said registry entry is EN.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
ComponentID = "MSVBScript"

(Note: The default value data of the said registry entry is MSVBScript.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
ThreadingModel = "Both"

(Note: The default value data of the said registry entry is Both.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript\CLSID

HKEY_CLASSES_ROOT\VBScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS\CLSID

HKEY_CLASSES_ROOT\VBS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript Author\CLSID

HKEY_CLASSES_ROOT\VBScript Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBS Author\CLSID

HKEY_CLASSES_ROOT\VBS Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.Encode\CLSID

HKEY_CLASSES_ROOT\VBScript.Encode

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBScript.RegExp\CLSID

HKEY_CLASSES_ROOT\VBScript.RegExp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript\CLSID

HKEY_CLASSES_ROOT\JScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript\CLSID

HKEY_CLASSES_ROOT\LiveScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript\CLSID

HKEY_CLASSES_ROOT\JavaScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1\CLSID

HKEY_CLASSES_ROOT\JavaScript1.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2\CLSID

HKEY_CLASSES_ROOT\JavaScript1.2

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.3\CLSID

HKEY_CLASSES_ROOT\JavaScript1.3

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ECMAScript\CLSID

HKEY_CLASSES_ROOT\ECMAScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript Author\CLSID

HKEY_CLASSES_ROOT\JScript Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
LiveScript Author\CLSID

HKEY_CLASSES_ROOT\LiveScript Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript Author\CLSID

HKEY_CLASSES_ROOT\JavaScript Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.1 Author\CLSID

HKEY_CLASSES_ROOT\JavaScript1.1 Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JavaScript1.2 Author\CLSID

HKEY_CLASSES_ROOT\JavaScript1.2 Author

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
JScript.Encode\CLSID

HKEY_CLASSES_ROOT\JScript.Encode

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}

Dropping Routine

This Trojan drops the following files:

  • %User Temp%\nsj2.tmp
  • %User Temp%\nsj3.tmp\wmpns.dll
  • %User Temp%\nsj3.tmp\System.dll
  • %User Temp%\nsj3.tmp\ioSpecial.ini
  • %User Temp%\nsj3.tmp\modern-wizard.bmp
  • %User Temp%\nsj3.tmp\modern-header.bmp
  • %User Temp%\nsj3.tmp\InstallOptions.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

This report is generated via an automated analysis system.

  SOLUTION

Minimum Scan Engine: 9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\3721
    • CnsMin
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.Encode
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.RegExp
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ECMAScript
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1 Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2 Author
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript.Encode
    • OLEScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • OLEScript

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\3721\CnsMin
    • IIS = "&fb=0&fc=0&fd=0&fe=0&fg=0&fh=0&fi=0&fj=0&fa=0&fu="
  • In HKEY_CLASSES_ROOT
    • VBScript = "VB Script Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript
    • CLSID = "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
  • In HKEY_CLASSES_ROOT
    • VBS = "VB Script Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS
    • CLSID = "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3741-5B07-11cf-A4B0-00AA004A55E8} = "VB Script Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID = "VBScript"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32 = "%System%\vbscript.dll"
  • In HKEY_CLASSES_ROOT
    • VBScript Author = "VB Script Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript Author
    • CLSID = "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}"
  • In HKEY_CLASSES_ROOT
    • VBS Author = "VB Script Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS Author
    • CLSID = "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3742-5B07-11cf-A4B0-00AA004A55E8} = "VB Script Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID = "VBScript Author"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32 = "%System%\vbscript.dll"
  • In HKEY_CLASSES_ROOT
    • VBScript.Encode = "VBScript Language Encoding"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.Encode
    • CLSID = "{B54F3743-5B07-11cf-A4B0-00AA004A55E8}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3743-5B07-11cf-A4B0-00AA004A55E8} = "VBScript Language Encoding"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID = "VBScript.Encode"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32 = "%System%\vbscript.dll"
  • In HKEY_CLASSES_ROOT
    • VBScript.RegExp = "VBScript Regular Expression"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.RegExp
    • CLSID = "{3F4DACA4-160D-11D2-A8E9-00104B365C9F}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {3F4DACA4-160D-11D2-A8E9-00104B365C9F} = "VBScript Regular Expression"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • ProgID = "VBScript.RegExp"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • InprocServer32 = "%System%\vbscript.dll"
  • In HKEY_CLASSES_ROOT
    • JScript = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • LiveScript = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript1.1 = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript1.2 = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript1.3 = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • ECMAScript = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ECMAScript
    • CLSID = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID = "JScript"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32 = "%System%\jscript.dll"
  • In HKEY_CLASSES_ROOT
    • JScript Author = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript Author
    • CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • LiveScript Author = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript Author
    • CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript Author = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript Author
    • CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript1.1 Author = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1 Author
    • CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_CLASSES_ROOT
    • JavaScript1.2 Author = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2 Author
    • CLSID = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language Authoring"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID = "JScript Author"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32 = "%System%\jscript.dll"
  • In HKEY_CLASSES_ROOT
    • JScript.Encode = "JScript Language Encoding"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript.Encode
    • CLSID = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c262-6ac0-11cf-b6d1-00aa00bbbb58} = "JScript Language Encoding"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID = "JScript.Encode"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32 = "%System%\jscript.dll"

Step 4

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32
    • From: ThreadingModel = "Apartment"
      To: ThreadingModel = ""Apartment""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "1.0"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "1.0"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "1.0"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "5.5"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "5.5"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}\TypeLib
    • From: Version = "5.5"
      To: Version = ""5.5""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
    • From: IsInstalled = "1"
      To: IsInstalled = ""1""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
    • From: Version = "5,6,0,8820"
      To: Version = ""5,6,0,8820""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
    • From: Locale = "EN"
      To: Locale = ""EN""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}
    • From: ComponentID = "MSVBScript"
      To: ComponentID = ""MSVBScript""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    • From: ThreadingModel = "Both"
      To: ThreadingModel = ""Both""

Step 5

Search and delete these files

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\nsj2.tmp
  • %User Temp%\nsj3.tmp\wmpns.dll
  • %User Temp%\nsj3.tmp\System.dll
  • %User Temp%\nsj3.tmp\ioSpecial.ini
  • %User Temp%\nsj3.tmp\modern-wizard.bmp
  • %User Temp%\nsj3.tmp\modern-header.bmp
  • %User Temp%\nsj3.tmp\InstallOptions.dll

Step 6

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Temp%\nsj3.tmp

Step 7

Scan your computer with your Trend Micro product to delete files detected as TROJ_DNSCHANGER.USAV0109. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

  • %User Temp%\nst1.tmp
  • %User Temp%\nsj3.tmp

Step 9

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBS
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3741-5B07-11cf-A4B0-00AA004A55E8}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBScript Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBS Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBS Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3742-5B07-11cf-A4B0-00AA004A55E8}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.Encode
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBScript.Encode
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {B54F3743-5B07-11cf-A4B0-00AA004A55E8}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript.RegExp
    • CLSID
  • In HKEY_CLASSES_ROOT
    • VBScript.RegExp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • TypeLib
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • Version
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {3F4DACA4-160D-11D2-A8E9-00104B365C9F}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript
    • CLSID
  • In HKEY_CLASSES_ROOT
    • LiveScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript1.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript1.2
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.3
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript1.3
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ECMAScript
    • CLSID
  • In HKEY_CLASSES_ROOT
    • ECMAScript
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JScript Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveScript Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • LiveScript Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.1 Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript1.1 Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript1.2 Author
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JavaScript1.2 Author
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript.Encode
    • CLSID
  • In HKEY_CLASSES_ROOT
    • JScript.Encode
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {f414c262-6ac0-11cf-b6d1-00aa00bbbb58}


Did this description help? Tell us how we did.