      How to remove Adware.Okcashbackmall
Adware.Okcashbackmall removal process
Author:admin CopyFrom:web Hits: UpdateTime:2008-5-1 19:09:57

1. Download the safer Web browser recommended by Google to stay secure on the Web and stay away from viruses. Download URL: http://www.oral8.net/firefox/firefox.htm
2. Temporarily Disable System Restore (Windows Me/XP).
3. Update the virus definitions. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all Adware.Okcashbackmall infected files, then delete/modify any values added to the registry.
Navigate to the subkeys and delete the values as follows:

When the program is executed, it creates the following files:
  • %CurrentFolder%\tmp_1023921881.exe
  • %CurrentFolder%\DelZip179.dll
  • %UserProfile%\Desktop\[KOREAN CHARACTERS].lnk
  • %UserProfile%\Favorites\[KOREAN CHARACTERS]\[KOREAN CHARACTERS].url (18 such entries)
  • %ProgramFiles%\cashbackkorea\auction.ico
  • %ProgramFiles%\cashbackkorea\cashbackkorea.dll
  • %ProgramFiles%\cashbackkorea\cashbackkoreabar.dll
  • %ProgramFiles%\cashbackkorea\shoppingmall.zip
  • %ProgramFiles%\cashbackkorea\uninstall.exe
  • %ProgramFiles%\cashbacksys\auction.ico
  • %ProgramFiles%\cashbacksys\cashbacksys.dll
  • %ProgramFiles%\cashbacksys\cashbacksysbar.dll
  • %ProgramFiles%\cashbacksys\shoppingmall.zip
  • %ProgramFiles%\cashbacksys\uninstall.exe
  • %ProgramFiles%\mizane\auction.ico
  • %ProgramFiles%\mizane\mizane.dll
  • %ProgramFiles%\mizane\mizanebar.dll
  • %ProgramFiles%\mizane\shoppingmall.zip
  • %ProgramFiles%\okcashbackmall\uninstall.exe
  • %System%\dwqblw[RANDOM CHARACTERS].exe (3 such files)
  • %System%\icons.dll
  • %System%\img1.flv
  • %System%\img2.flv
  • %System%\tempfiles_[RANDOM NUMBERS].exe
  • %System%\zadwqblw[RANDOM CHARACTERS].exe (2 such files)


Next, the program creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"dwqblwppx.exe" = "C:\WINDOWS\system32\dwqblw[RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"dwqblwpvl.exe" = "C:\WINDOWS\system32\dwqblw[RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"dwqblwrsq.exe" = "C:\WINDOWS\system32\dwqblw[RANDOM CHARACTERS].exe"


It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{1DE525ED-EF71-4119-8C3C-1CE5315ADA74}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{D04358AE-CE03-4A26-9F02-69C4D3A5267F}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CLASSES_ROOT\CLSID\{1DDE8A86-89D8-4B55-A936-65C40B6A8DD0}
  • HKEY_CLASSES_ROOT\CLSID\{1DE525ED-EF71-4119-8C3C-1CE5315ADA74}
  • HKEY_CLASSES_ROOT\CLSID\{4D2D9681-C234-47A3-B499-9CEE26FF54C2}
  • HKEY_CLASSES_ROOT\CLSID\{7AC1D6D1-B83B-4D77-A916-839F90216BC7}
  • HKEY_CLASSES_ROOT\CLSID\{D04358AE-CE03-4A26-9F02-69C4D3A5267F}
  • HKEY_CLASSES_ROOT\cashbackkorea.cashbackkorea.com
  • HKEY_CLASSES_ROOT\cashbackkoreabar.cashbackkorea
  • HKEY_CLASSES_ROOT\cashbacksys.cashbacksys.com
  • HKEY_CLASSES_ROOT\cashbacksysbar.cashbacksys.com
  • HKEY_CLASSES_ROOT\mizane.mizane.com
  • HKEY_CLASSES_ROOT\mizanebar.mizane.com
  • HKEY_CLASSES_ROOT\okcashbackmall.okcashbackmall.com
  • HKEY_CLASSES_ROOT\okcashbackmallbar.okcashbackmall.com.Bar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1DDE8A86-89D8-4B55-A936-65C40B6A8DD0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D2D9681-C234-47A3-B499-9CEE26FF54C2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7AC1D6D1-B83B-4D77-A916-839F90216BC7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows cashbackkorea Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows cashbacksys Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows mizane Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\okcashbackmall Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\cashbackkorea


The program then connects to the following remote location:
[http://]okcashbackmall.com/down/ho[REMOVED]

It then downloads the following files from the above location:
  • %ProgramFiles%\mizane\uninstall.exe
  • %ProgramFiles%\okcashbackmall\okcashbackmall.dll
  • %ProgramFiles%\okcashbackmall\okcashbackmallbar.dll


The file okcashbackmall.dll is registered as the following Browser Helper Object, which is used to monitor browser activity:
1DDE8A86-89D8-4B55-A936-65C40B6A8DD0

The program may then re-direct the browser from destination Web sites.

5. Exit the registry editor.
6. Delete the IE temp files, or download ATF temp files cleaner to run a full cleaning, and restart the computer.
8. Now you may remove Adware.Okcashbackmall successfully.
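
To check a machine for the registry indicators listed in step 4, the following added example (not part of the original article) scans the text of a `.reg` export for the Browser Helper Object, Explorer Bar and CLSID keys, the vendor uninstall entries, and the RunOnce values named above. The function name, the rule table and the sample export are constructed for illustration; a real export file is normally UTF-16 and must be decoded before it is passed in.

```python
import re

# Indicators taken from the lists on this page.
BHO_CLSIDS = {"{1DDE8A86-89D8-4B55-A936-65C40B6A8DD0}",
              "{4D2D9681-C234-47A3-B499-9CEE26FF54C2}",
              "{7AC1D6D1-B83B-4D77-A916-839F90216BC7}"}
BAR_CLSIDS = {"{1DE525ED-EF71-4119-8C3C-1CE5315ADA74}",
              "{D04358AE-CE03-4A26-9F02-69C4D3A5267F}"}
VENDORS = ("cashbackkorea", "cashbacksys", "mizane", "okcashbackmall")
# RunOnce data of the form C:\WINDOWS\system32\dwqblw<random>.exe
RUN_DATA = re.compile(r"\\system32\\dwqblw[^\\]*\.exe$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
KEY_RULES = [  # (kind, suffix of the parent key, test on the subkey name)
    ("bho", r"\explorer\browser helper objects", lambda s: s.upper() in BHO_CLSIDS),
    ("explorer-bar", r"\internet explorer\explorer bars", lambda s: s.upper() in BAR_CLSIDS),
    ("com-class", r"\clsid", lambda s: s.upper() in BHO_CLSIDS | BAR_CLSIDS),
    ("uninstall", r"\currentversion\uninstall", lambda s: any(v in s.lower() for v in VENDORS)),
]

def scan_reg_export(text):
    """Return (kind, key, detail) findings, in file order, from .reg export text."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):   # a key header
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            for kind, suffix, hit in KEY_RULES:
                if parent.lower().endswith(suffix) and hit(leaf):
                    findings.append((kind, key, leaf))
            continue
        m = VALUE_LINE.match(line)                         # "name"="string data"
        if m and key.lower().endswith(r"\currentversion\runonce"):
            data = re.sub(r"\\(.)", r"\1", m.group(2))    # undo .reg escaping
            if RUN_DATA.search(data):
                findings.append(("runonce", key, data))
    return findings

# Constructed sample export: two hits from the page's lists plus benign entries.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1DDE8A86-89D8-4B55-A936-65C40B6A8DD0}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dwqblwppx.exe"="C:\\WINDOWS\\system32\\dwqblwppx.exe"
"updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows mizane Uninstall]
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Running the same scan again after step 6 and the reboot shows whether any of the listed keys or RunOnce values were recreated.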



    Copyright 2006-2007 Free Antivirus Program