Trojan.Win32.FAREIT.UHBAZCLIG

January 21, 2020

ALIASES:

Trojan.Win32.Generic!BT (Sunbelt)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 700,416 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 21 Jan 2020

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}
(Default) = "_ATXmlFormNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}
(Default) = "_ATXmlIndexNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}
(Default) = "_ATXmlParseError"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}
(Default) = "_ATXmlRangeNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}
(Default) = "_ATXmlTabNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}
(Default) = "_ATXmlDataNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}
(Default) = "_ATXmlDOMDocument"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}
(Default) = "_ATXmlReturnNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}
(Default) = "_ATXmlClientNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}
(Default) = "_ATXmlFormSetNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}
(Default) = "_clsATXPrint"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}
(Default) = "_clsEFILE"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}
(Default) = "_clsReturn"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}
(Default) = "_IMain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\
ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\
TypeLib
Version = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}
(Default) = "ATXml06.clsEFILE"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\
ProgID
(Default) = "ATXml06.clsEFILE"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsEFILE
(Default) = "ATXml06.clsEFILE"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsEFILE\Clsid
(Default) = "{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}
(Default) = "clsEFILE"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}
(Default) = "ATXml06.clsATXPrint"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\
ProgID
(Default) = "ATXml06.clsATXPrint"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsATXPrint
(Default) = "ATXml06.clsATXPrint"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsATXPrint\Clsid
(Default) = "{B280B23B-7E53-4577-8FD5-7FC81B1739F0}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}
(Default) = "clsATXPrint"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}
(Default) = "ATXml06.IMain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\
ProgID
(Default) = "ATXml06.IMain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.IMain
(Default) = "ATXml06.IMain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.IMain\Clsid
(Default) = "{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}
(Default) = "IMain"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}
(Default) = "ATXml06.clsReturn"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\
ProgID
(Default) = "ATXml06.clsReturn"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsReturn
(Default) = "ATXml06.clsReturn"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.clsReturn\Clsid
(Default) = "{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}
(Default) = "clsReturn"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}
(Default) = "ATXml06.ATXmlFormSetNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\
ProgID
(Default) = "ATXml06.ATXmlFormSetNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlFormSetNode
(Default) = "ATXml06.ATXmlFormSetNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlFormSetNode\Clsid
(Default) = "{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}
(Default) = "ATXmlFormSetNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}
(Default) = "ATXml06.ATXmlClientNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\
ProgID
(Default) = "ATXml06.ATXmlClientNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlClientNode
(Default) = "ATXml06.ATXmlClientNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlClientNode\Clsid
(Default) = "{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}
(Default) = "ATXmlClientNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}
(Default) = "ATXml06.ATXmlReturnNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\
ProgID
(Default) = "ATXml06.ATXmlReturnNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlReturnNode
(Default) = "ATXml06.ATXmlReturnNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlReturnNode\Clsid
(Default) = "{CA2333E8-3255-4C72-93B1-25463753DD3F}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}
(Default) = "ATXmlReturnNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}
(Default) = "ATXml06.ATXmlDOMDocument"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\
ProgID
(Default) = "ATXml06.ATXmlDOMDocument"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlDOMDocument
(Default) = "ATXml06.ATXmlDOMDocument"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlDOMDocument\Clsid
(Default) = "{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}
(Default) = "ATXmlDOMDocument"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}
(Default) = "ATXml06.ATXmlDataNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\
ProgID
(Default) = "ATXml06.ATXmlDataNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlDataNode
(Default) = "ATXml06.ATXmlDataNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlDataNode\Clsid
(Default) = "{E5742954-02BA-4107-8453-04473C31B49A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}
(Default) = "ATXmlDataNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}
(Default) = "ATXml06.ATXmlTabNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\
ProgID
(Default) = "ATXml06.ATXmlTabNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlTabNode
(Default) = "ATXml06.ATXmlTabNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlTabNode\Clsid
(Default) = "{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}
(Default) = "ATXmlTabNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}
(Default) = "ATXml06.ATXmlRangeNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\
ProgID
(Default) = "ATXml06.ATXmlRangeNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlRangeNode
(Default) = "ATXml06.ATXmlRangeNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlRangeNode\Clsid
(Default) = "{90804A8E-0E10-4780-99E0-600F4273FC7C}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}
(Default) = "ATXmlRangeNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}
(Default) = "ATXml06.ATXmlParseError"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\
ProgID
(Default) = "ATXml06.ATXmlParseError"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlParseError
(Default) = "ATXml06.ATXmlParseError"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlParseError\Clsid
(Default) = "{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}
(Default) = "ATXmlParseError"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}
(Default) = "ATXml06.ATXmlIndexNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\
ProgID
(Default) = "ATXml06.ATXmlIndexNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlIndexNode
(Default) = "ATXml06.ATXmlIndexNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlIndexNode\Clsid
(Default) = "{271BBCFA-A2CA-45F3-816B-23AD8485D43B}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}
(Default) = "ATXmlIndexNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}
(Default) = "ATXml06.ATXmlFormNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\
ProgID
(Default) = "ATXml06.ATXmlFormNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\
LocalServer32
(Default) = "{malware file path and name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\
TypeLib
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\
VERSION
(Default) = "2.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlFormNode
(Default) = "ATXml06.ATXmlFormNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ATXml06.ATXmlFormNode\Clsid
(Default) = "{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}
(Default) = "ATXmlFormNode"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\
ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\
LocalServer32\ThreadingModel

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\
LocalServer32\ThreadingModel

This report is generated via an automated analysis system.

SOLUTION

Minimum Scan Engine: 9.850

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}
- (Default) = "_ATXmlFormNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}
- (Default) = "_ATXmlIndexNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}
- (Default) = "_ATXmlParseError"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}
- (Default) = "_ATXmlRangeNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}
- (Default) = "_ATXmlTabNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}
- (Default) = "_ATXmlDataNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}
- (Default) = "_ATXmlDOMDocument"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}
- (Default) = "_ATXmlReturnNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}
- (Default) = "_ATXmlClientNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}
- (Default) = "_ATXmlFormSetNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}
- (Default) = "_clsATXPrint"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}
- (Default) = "_clsEFILE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}
- (Default) = "_clsReturn"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}
- (Default) = "_IMain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\ProxyStubClsid32
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\TypeLib
- Version = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}
- (Default) = "ATXml06.clsEFILE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\ProgID
- (Default) = "ATXml06.clsEFILE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsEFILE
- (Default) = "ATXml06.clsEFILE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsEFILE\Clsid
- (Default) = "{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}
- (Default) = "clsEFILE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}
- (Default) = "ATXml06.clsATXPrint"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\ProgID
- (Default) = "ATXml06.clsATXPrint"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsATXPrint
- (Default) = "ATXml06.clsATXPrint"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsATXPrint\Clsid
- (Default) = "{B280B23B-7E53-4577-8FD5-7FC81B1739F0}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}
- (Default) = "clsATXPrint"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1476A3D2-6A76-45CF-8A0B-983E4F259098}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}
- (Default) = "ATXml06.IMain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\ProgID
- (Default) = "ATXml06.IMain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.IMain
- (Default) = "ATXml06.IMain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.IMain\Clsid
- (Default) = "{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}
- (Default) = "IMain"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}
- (Default) = "ATXml06.clsReturn"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\ProgID
- (Default) = "ATXml06.clsReturn"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsReturn
- (Default) = "ATXml06.clsReturn"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.clsReturn\Clsid
- (Default) = "{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}
- (Default) = "clsReturn"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{322E61AA-53A2-498D-8644-03B53A2105C9}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}
- (Default) = "ATXml06.ATXmlFormSetNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\ProgID
- (Default) = "ATXml06.ATXmlFormSetNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlFormSetNode
- (Default) = "ATXml06.ATXmlFormSetNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlFormSetNode\Clsid
- (Default) = "{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}
- (Default) = "ATXmlFormSetNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F790079-8315-4F94-B839-0EE7C3819F12}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}
- (Default) = "ATXml06.ATXmlClientNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\ProgID
- (Default) = "ATXml06.ATXmlClientNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlClientNode
- (Default) = "ATXml06.ATXmlClientNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlClientNode\Clsid
- (Default) = "{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}
- (Default) = "ATXmlClientNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C7BCC8D3-B191-4ED4-B46A-B2277861C015}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}
- (Default) = "ATXml06.ATXmlReturnNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\ProgID
- (Default) = "ATXml06.ATXmlReturnNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlReturnNode
- (Default) = "ATXml06.ATXmlReturnNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlReturnNode\Clsid
- (Default) = "{CA2333E8-3255-4C72-93B1-25463753DD3F}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}
- (Default) = "ATXmlReturnNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}
- (Default) = "ATXml06.ATXmlDOMDocument"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\ProgID
- (Default) = "ATXml06.ATXmlDOMDocument"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlDOMDocument
- (Default) = "ATXml06.ATXmlDOMDocument"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlDOMDocument\Clsid
- (Default) = "{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}
- (Default) = "ATXmlDOMDocument"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}
- (Default) = "ATXml06.ATXmlDataNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\ProgID
- (Default) = "ATXml06.ATXmlDataNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlDataNode
- (Default) = "ATXml06.ATXmlDataNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlDataNode\Clsid
- (Default) = "{E5742954-02BA-4107-8453-04473C31B49A}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}
- (Default) = "ATXmlDataNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}
- (Default) = "ATXml06.ATXmlTabNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\ProgID
- (Default) = "ATXml06.ATXmlTabNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlTabNode
- (Default) = "ATXml06.ATXmlTabNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlTabNode\Clsid
- (Default) = "{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}
- (Default) = "ATXmlTabNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{118B1C3F-83C8-466F-9996-8CCB80359E32}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}
- (Default) = "ATXml06.ATXmlRangeNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\ProgID
- (Default) = "ATXml06.ATXmlRangeNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlRangeNode
- (Default) = "ATXml06.ATXmlRangeNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlRangeNode\Clsid
- (Default) = "{90804A8E-0E10-4780-99E0-600F4273FC7C}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}
- (Default) = "ATXmlRangeNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}
- (Default) = "ATXml06.ATXmlParseError"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\ProgID
- (Default) = "ATXml06.ATXmlParseError"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlParseError
- (Default) = "ATXml06.ATXmlParseError"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlParseError\Clsid
- (Default) = "{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}
- (Default) = "ATXmlParseError"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A051CF9E-DE19-4190-961D-C0131CB19D55}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}
- (Default) = "ATXml06.ATXmlIndexNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\ProgID
- (Default) = "ATXml06.ATXmlIndexNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlIndexNode
- (Default) = "ATXml06.ATXmlIndexNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlIndexNode\Clsid
- (Default) = "{271BBCFA-A2CA-45F3-816B-23AD8485D43B}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}
- (Default) = "ATXmlIndexNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CAAD269-40AA-4122-A8DB-860B452D23F7}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}
- (Default) = "ATXml06.ATXmlFormNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\ProgID
- (Default) = "ATXml06.ATXmlFormNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\LocalServer32
- (Default) = "{malware file path and name}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\TypeLib
- (Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\VERSION
- (Default) = "2.1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlFormNode
- (Default) = "ATXml06.ATXmlFormNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATXml06.ATXmlFormNode\Clsid
- (Default) = "{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}
- (Default) = "ATXmlFormNode"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}\ProxyStubClsid
- (Default) = "{00020424-0000-0000-C000-000000000046}"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlFormNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6CAAD269-40AA-4122-A8DB-860B452D23F7}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlIndexNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6CAAD269-40AA-4122-A8DB-860B452D23F7}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6CAAD269-40AA-4122-A8DB-860B452D23F7}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A051CF9E-DE19-4190-961D-C0131CB19D55}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlParseError"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A051CF9E-DE19-4190-961D-C0131CB19D55}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A051CF9E-DE19-4190-961D-C0131CB19D55}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlRangeNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{118B1C3F-83C8-466F-9996-8CCB80359E32}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlTabNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{118B1C3F-83C8-466F-9996-8CCB80359E32}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{118B1C3F-83C8-466F-9996-8CCB80359E32}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlDataNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlDOMDocument"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlReturnNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C7BCC8D3-B191-4ED4-B46A-B2277861C015}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlClientNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C7BCC8D3-B191-4ED4-B46A-B2277861C015}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C7BCC8D3-B191-4ED4-B46A-B2277861C015}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{9F790079-8315-4F94-B839-0EE7C3819F12}
In the right panel, locate and delete the entry:
(Default) = "_ATXmlFormSetNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{9F790079-8315-4F94-B839-0EE7C3819F12}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{9F790079-8315-4F94-B839-0EE7C3819F12}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{1476A3D2-6A76-45CF-8A0B-983E4F259098}
In the right panel, locate and delete the entry:
(Default) = "_clsATXPrint"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{1476A3D2-6A76-45CF-8A0B-983E4F259098}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{1476A3D2-6A76-45CF-8A0B-983E4F259098}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}
In the right panel, locate and delete the entry:
(Default) = "_clsEFILE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{322E61AA-53A2-498D-8644-03B53A2105C9}
In the right panel, locate and delete the entry:
(Default) = "_clsReturn"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{322E61AA-53A2-498D-8644-03B53A2105C9}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{322E61AA-53A2-498D-8644-03B53A2105C9}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}
In the right panel, locate and delete the entry:
(Default) = "_IMain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}>ProxyStubClsid32
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
Again In the right panel, locate and delete the entry:
Version = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsEFILE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsEFILE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsEFILE
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsEFILE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsEFILE>Clsid
In the right panel, locate and delete the entry:
(Default) = "{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}"
Again In the right panel, locate and delete the entry:
(Default) = "clsEFILE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{E4946C33-031F-47E5-A655-5DFF4A3E6EE2}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B280B23B-7E53-4577-8FD5-7FC81B1739F0}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsATXPrint"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B280B23B-7E53-4577-8FD5-7FC81B1739F0}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsATXPrint"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B280B23B-7E53-4577-8FD5-7FC81B1739F0}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B280B23B-7E53-4577-8FD5-7FC81B1739F0}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B280B23B-7E53-4577-8FD5-7FC81B1739F0}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsATXPrint
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsATXPrint"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsATXPrint>Clsid
In the right panel, locate and delete the entry:
(Default) = "{B280B23B-7E53-4577-8FD5-7FC81B1739F0}"
Again In the right panel, locate and delete the entry:
(Default) = "clsATXPrint"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{1476A3D2-6A76-45CF-8A0B-983E4F259098}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.IMain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.IMain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.IMain
In the right panel, locate and delete the entry:
(Default) = "ATXml06.IMain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.IMain>Clsid
In the right panel, locate and delete the entry:
(Default) = "{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}"
Again In the right panel, locate and delete the entry:
(Default) = "IMain"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{28A55B1F-C3F4-4A28-8FD3-39280F6CFAB3}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsReturn"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsReturn"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsReturn
In the right panel, locate and delete the entry:
(Default) = "ATXml06.clsReturn"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.clsReturn>Clsid
In the right panel, locate and delete the entry:
(Default) = "{9A89175F-8D8D-4846-ACFF-49EC7DC1FF0D}"
Again In the right panel, locate and delete the entry:
(Default) = "clsReturn"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{322E61AA-53A2-498D-8644-03B53A2105C9}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormSetNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormSetNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlFormSetNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormSetNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlFormSetNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlFormSetNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{9F790079-8315-4F94-B839-0EE7C3819F12}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlClientNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlClientNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlClientNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlClientNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlClientNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlClientNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{C7BCC8D3-B191-4ED4-B46A-B2277861C015}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{CA2333E8-3255-4C72-93B1-25463753DD3F}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlReturnNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{CA2333E8-3255-4C72-93B1-25463753DD3F}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlReturnNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{CA2333E8-3255-4C72-93B1-25463753DD3F}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{CA2333E8-3255-4C72-93B1-25463753DD3F}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{CA2333E8-3255-4C72-93B1-25463753DD3F}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlReturnNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlReturnNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlReturnNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{CA2333E8-3255-4C72-93B1-25463753DD3F}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlReturnNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{30744E3C-24A7-45C0-BD32-FDA5448BA9D1}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDOMDocument"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDOMDocument"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlDOMDocument
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDOMDocument"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlDOMDocument>Clsid
In the right panel, locate and delete the entry:
(Default) = "{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlDOMDocument"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{4C2BE82C-FBE6-4D5F-BB69-8486E231927D}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E5742954-02BA-4107-8453-04473C31B49A}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDataNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E5742954-02BA-4107-8453-04473C31B49A}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDataNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E5742954-02BA-4107-8453-04473C31B49A}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E5742954-02BA-4107-8453-04473C31B49A}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{E5742954-02BA-4107-8453-04473C31B49A}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlDataNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlDataNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlDataNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{E5742954-02BA-4107-8453-04473C31B49A}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlDataNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A8713635-724C-4CCD-BA0C-F2F58EB0BFBE}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlTabNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlTabNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlTabNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlTabNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlTabNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlTabNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{118B1C3F-83C8-466F-9996-8CCB80359E32}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{90804A8E-0E10-4780-99E0-600F4273FC7C}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlRangeNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{90804A8E-0E10-4780-99E0-600F4273FC7C}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlRangeNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{90804A8E-0E10-4780-99E0-600F4273FC7C}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{90804A8E-0E10-4780-99E0-600F4273FC7C}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{90804A8E-0E10-4780-99E0-600F4273FC7C}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlRangeNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlRangeNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlRangeNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{90804A8E-0E10-4780-99E0-600F4273FC7C}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlRangeNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{421B6D3E-4B0C-4615-B456-5C2AE7C23D3C}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlParseError"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlParseError"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlParseError
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlParseError"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlParseError>Clsid
In the right panel, locate and delete the entry:
(Default) = "{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlParseError"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{A051CF9E-DE19-4190-961D-C0131CB19D55}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{271BBCFA-A2CA-45F3-816B-23AD8485D43B}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlIndexNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{271BBCFA-A2CA-45F3-816B-23AD8485D43B}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlIndexNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{271BBCFA-A2CA-45F3-816B-23AD8485D43B}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{271BBCFA-A2CA-45F3-816B-23AD8485D43B}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{271BBCFA-A2CA-45F3-816B-23AD8485D43B}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlIndexNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlIndexNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlIndexNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{271BBCFA-A2CA-45F3-816B-23AD8485D43B}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlIndexNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{6CAAD269-40AA-4122-A8DB-860B452D23F7}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}>ProgID
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}>LocalServer32
In the right panel, locate and delete the entry:
(Default) = "{malware file path and name}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}>TypeLib
In the right panel, locate and delete the entry:
(Default) = "{F5AF018C-2993-4F60-B186-72AE59CCD1E3}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>CLSID>{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}>VERSION
In the right panel, locate and delete the entry:
(Default) = "2.1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlFormNode
In the right panel, locate and delete the entry:
(Default) = "ATXml06.ATXmlFormNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>ATXml06.ATXmlFormNode>Clsid
In the right panel, locate and delete the entry:
(Default) = "{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}"
Again In the right panel, locate and delete the entry:
(Default) = "ATXmlFormNode"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>Wow6432Node>Interface>{DBCDFB21-E896-4B0B-B9B0-84F9AB755F5E}>ProxyStubClsid
In the right panel, locate and delete the entry:
(Default) = "{00020424-0000-0000-C000-000000000046}"
Close Registry Editor.

Step 3

Scan your computer with your Trend Micro product to delete files detected as Trojan.Win32.FAREIT.UHBAZCLIG. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Step 4

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3F7EF3D-CF41-48BD-93D5-D1925DFEC795}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B280B23B-7E53-4577-8FD5-7FC81B1739F0}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B72B32D5-9B6F-4630-8F99-DCE75A0BCB47}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35849DFA-D9D3-40F1-8117-4BAB84DEB2AE}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4017EC2C-56FA-4C9A-A598-9D880B76D3D7}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA2333E8-3255-4C72-93B1-25463753DD3F}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFDF3AD-3C06-4F9C-BD14-8802431EAB9D}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5742954-02BA-4107-8453-04473C31B49A}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{506C91FD-BA31-44F5-A4C3-A5E65C7CF4DC}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90804A8E-0E10-4780-99E0-600F4273FC7C}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{417D8B2B-B8AA-41C5-B3B9-91FCA194C145}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{271BBCFA-A2CA-45F3-816B-23AD8485D43B}\LocalServer32
- ThreadingModel

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8E1F7FF-02BC-4692-BCC1-8650AA5864D1}\LocalServer32
- ThreadingModel

Did this description help? Tell us how we did.

Trojan.Win32.FAREIT.UHBAZCLIG

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

Trojan.Win32.FAREIT.UHBAZCLIG

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific