ThreatExpert Report: W32.Rahack.W, Net-Worm.Win32.Allaple.b, W32/RAHack, WORM

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 September 2012, 04:55:34
Processing time: 10 min 12 sec
Submitted sample:

File MD5: 0x1808FAA30B069E56F4DD479C34C440AD
File SHA-1: 0xB6470451D2D4688E33F4F1F538B3A050602B5678
Filesize: 85,504 bytes
Alias:

W32.Rahack.W [Symantec]
Net-Worm.Win32.Allaple.b [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Worm:Win32/Allaple.A [Microsoft]
Net-Worm.Win32.Allaple [Ikarus]
Win-Trojan/Starman.Gen [AhnLab]

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\Inetpub\wwwroot\kkvwbsrw.exe	85,504 bytes	MD5: 0x3721CF8000BFDCAC3D9C58CD1F231567 SHA-1: 0xF08D99FAE9C92DF54C3E3A46A115970EF3F72C35	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
2	[pathname with a string SHARE]\bcwvzwbh.exe	85,504 bytes	MD5: 0xB11574E725BE6D7855118589B0A46812 SHA-1: 0x55BBB914C5298FCE321E498D361EFF7DF90F20E7	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
3	[pathname with a string SHARE]\bhrhnkht.exe	85,504 bytes	MD5: 0xB5C844E5D26A3D980BEC9A50BF7B1F74 SHA-1: 0xABDBF30CC0CF280EC813CB4722F5EE106580D036	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
4	[pathname with a string SHARE]\bnbtzwxt.exe	85,504 bytes	MD5: 0x81BE7E04151583B2917359BC47D2CA44 SHA-1: 0xEB0C7C658527C076D3071D331E7AE546A8015056	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
5	[pathname with a string SHARE]\brvrjrke.exe	85,504 bytes	MD5: 0x9C509046FFAE95228ACCF99350C2DA60 SHA-1: 0x3828AFC72BEF5D58DD3978A1FA5845E544971335	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
6	[pathname with a string SHARE]\bzqlkhrh.exe	85,504 bytes	MD5: 0xC010A3A3502D2A6269EA6A6F08CBDB61 SHA-1: 0x4AB82F207C00F2BD8F455D13CDF040B6D8EC764C	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
7	[pathname with a string SHARE]\czjevcet.exe	85,504 bytes	MD5: 0x0BA135AD3C5D2806012EB15A020F30FA SHA-1: 0x1A7F0F264F739DF28E4D3CAB32ECDBF702308CAD	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
8	[pathname with a string SHARE]\ehbebsrn.exe	85,504 bytes	MD5: 0x695BB6E5135642568EF06C9020A690C2 SHA-1: 0x14A2FCE0BFFEED296C2C51AF2AAE557F60BA04B4	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
9	[pathname with a string SHARE]\elwtjnbj.exe	85,504 bytes	MD5: 0xC79A5207BA5F1F42C358F604A9B9F1B8 SHA-1: 0x51B1F5266DDCCF613C2DF2E8CEB3AA1AD858C7CD	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
10	[pathname with a string SHARE]\njbsvtll.exe	85,504 bytes	MD5: 0x617A0F5C595525B7C3A7EF0A83F71B39 SHA-1: 0x1AFED256FC7E69749260AE19EFD6503DF7DE8E1D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
11	[pathname with a string SHARE]\nsqjttkv.exe	85,504 bytes	MD5: 0xD23B60FE5E99D3205EBCE7AE302D3A5B SHA-1: 0x0101F60F74149292A796AD46326899E74C2F3BB2	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
12	[pathname with a string SHARE]\qjllsjhl.exe	85,504 bytes	MD5: 0x2A8139936CB1B51770B8C3414AF002D5 SHA-1: 0xB8D49EF6DB34039515641F35CF976AF46265A8C5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
13	[pathname with a string SHARE]\tlcwjrwt.exe	85,504 bytes	MD5: 0xF4949730062F6FEE1258427D68DFB15F SHA-1: 0x04F9B7ECC8F4DF35DD247823A0AB199CEB8C54C7	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
14	[pathname with a string SHARE]\vkjljzrn.exe	85,504 bytes	MD5: 0xA5BDCC22D59B45F386A2643BABC83393 SHA-1: 0x97F5100D93F798F1DD8183C3407A3FFA97610D44	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
15	[pathname with a string SHARE]\xrljqjzn.exe	85,504 bytes	MD5: 0xD92524241898F304997944542AE1E7CC SHA-1: 0x64762C92BA4D4C4B91BECAA3D2BFF4D22AADF38C	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
16	%ProgramFiles%\Common Files\System\ado\tsektjkj.exe	85,504 bytes	MD5: 0xE1167C22BF6D17FBA5C91310FC416801 SHA-1: 0xBCE28F2C9708B35566B6EC673E270CF3295D27C9	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
17	%ProgramFiles%\NetMeeting\rsewzjqn.exe	85,504 bytes	MD5: 0x3B03524392D27244D61DA5F693511031 SHA-1: 0x1EE60A7040F0E08E60B0981BA6198D2CD74233C3	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
18	c:\tvsknrse.exe	85,504 bytes	MD5: 0x5290EE81E90F18F5578373F458447B60 SHA-1: 0xF4FBD265293B750A7F8503F6B62CCA21F874BCC4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
19	%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe	85,504 bytes	MD5: 0x2654582470DD9ACD7CC773C678EE4B7C SHA-1: 0xE33065495E1C12B6D5329BBC5553BB5866BDD09A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
20	%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe	85,504 bytes	MD5: 0xCB631A1554A2A974DD7746F56D9718B4 SHA-1: 0x180685DC88365A4CA91D666AA6BB48CA9F697BC4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
21	%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe	85,504 bytes	MD5: 0x68828D4B620BEC398A1A7EBEFB660794 SHA-1: 0x9AB80F619D577416C3C5CEECC3B32D9F89788C97	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
22	%Windir%\pchealth\helpctr\System\CompatCtr\zlhqrlbx.exe	85,504 bytes	MD5: 0xA40A8403C37B8A7788477DBB1421D4B7 SHA-1: 0xC008277240B31C7417CD2B0B56289124F628272A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
23	%Windir%\pchealth\helpctr\System\DVDUpgrd\shrrtjet.exe	85,504 bytes	MD5: 0x4668C8D5A6CA25568BD98272E2029C56 SHA-1: 0x21BBE291AE6C5FA925A55C67813A5D1F54271770	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
24	%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe	85,504 bytes	MD5: 0x03C6469ED145BB102646E2CCB36F71E1 SHA-1: 0xF8F2445405D48BD47A13B8C660CC74D0BA1BC077	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
25	%Windir%\pchealth\helpctr\System\errors\jcjjlqnq.exe	85,504 bytes	MD5: 0xE72C8FE7FB9A0F765CEC54C6C30746DC SHA-1: 0x52CC446457D9DFA3300A191CF3D59B209B1105F6	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
26	%Windir%\pchealth\helpctr\System\NetDiag\hsjqschn.exe	85,504 bytes	MD5: 0xD015F6436DC344F066BBCDF00AACA0A3 SHA-1: 0xA5488B0CE0CD480117BFCBB1AD150E3C37960492	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
27	%Windir%\pchealth\helpctr\System\NetDiag\xrvxszvs.exe	85,504 bytes	MD5: 0x6AE939F98B8CE9D4692701A5B0875E76 SHA-1: 0xCE310F35575DC4F9357F470D8B0107C001533A3D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
28	%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe	85,504 bytes	MD5: 0xFC8E2DD186346960A1E45F75F8E8284D SHA-1: 0x59F28295BBC985CE25C3E5E5AB0EBF0EF50B0E19	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
29	%Windir%\pchealth\helpctr\System\panels\sncncweb.exe	85,504 bytes	MD5: 0xA6B63909654AC43EC42C12FC33D871A5 SHA-1: 0x741AAC765D36AF254279911A7582526D358103FD	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
30	%Windir%\pchealth\helpctr\System\rc\qbrblthb.exe	85,504 bytes	MD5: 0x1BBD15473F072F79D28E884215348702 SHA-1: 0x2AEFAFF98A9C5BD1CDC9D4E545AA49342FDFCF6C	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
31	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\hxrshqsj.exe	85,504 bytes	MD5: 0xF1BB5B440B72D3158D5736CEFFB3395E SHA-1: 0x55CF9459CEBBC254B263017B0EFD45911712DD8B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
32	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\rwcjrqhw.exe	85,504 bytes	MD5: 0x0C8704C9D586FAE2FCBE2CD1265ADC34 SHA-1: 0x514930C5E90640A3ED06A49E9F99B33B48A74BB5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
33	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe	85,504 bytes	MD5: 0xE029B64590045F7180CE6366A2815E73 SHA-1: 0x0F48CCB81E5125F2486E34CC60037234F61D1927	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
34	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ekjvhbcn.exe	85,504 bytes	MD5: 0x59924D6C7D813DE7C627976D2C43397C SHA-1: 0x3865BE9658ADBCCC25052E7D2CE586B2129D5A77	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
35	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\jjennetl.exe	85,504 bytes	MD5: 0x841019FEFB5A893C0A350DE7B1C21A26 SHA-1: 0xFE3A9E1EA67FD93EA1E73B9DBE68D4D6B3423681	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
36	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\knenvxlj.exe	85,504 bytes	MD5: 0x0E95DA74078DF8CC5F8C7CBF36A3B56D SHA-1: 0x28921F42D11AB79EF38E674853F5BC699BC44250	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
37	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe	85,504 bytes	MD5: 0xB14DFC15AA54193EC41B4D70744B3635 SHA-1: 0xFBAE4383A6D0DC7C24580AB96A84F3477A453617	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
38	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe	85,504 bytes	MD5: 0x3A158528D9A045222FBB07CC80E8884E SHA-1: 0xA83CEC582CC1136E6785616D1C81C9C505D20841	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
39	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\zqwkjbbt.exe	85,504 bytes	MD5: 0x8A6E6936C665D27F88B86B646D709FD0 SHA-1: 0x00149A6395E975B9AB1D018D9D61C4E3C9DEB187	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
40	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\bbsbrlee.exe	85,504 bytes	MD5: 0x390858F5EF7FCAE52593B6083814885B SHA-1: 0xE2BEC97914A80B5E24E68ED63DAC2AEBB76C8E9A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
41	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\kbzzlwlr.exe	85,504 bytes	MD5: 0x40870689B8E5D454B926E3EC109CF4BC SHA-1: 0x34CC2735C8CFDE9D9DEEEAC1E17BC5B88B7D87C6	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
42	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\rbntkevt.exe	85,504 bytes	MD5: 0x582BE261E8A15007E8564CB6A217513D SHA-1: 0xC1B156E60668E2E5570B290130079C5498483799	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
43	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\shnkjjbh.exe	85,504 bytes	MD5: 0x2530B449327BAFDC5E2797EE3B86829D SHA-1: 0x9DF968221189B97037B47781C89A6AE0D9C79DEC	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
44	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe	85,504 bytes	MD5: 0x4FE0AAE5220DA89438BE0D3F2DA457B7 SHA-1: 0xD7029993806B21F00F015B95F0351EDEAF840CE2	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
45	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ctjxljxh.exe	85,504 bytes	MD5: 0xD2F2EC7B16E4D6B7BF9A65C04628C1B8 SHA-1: 0x7E9ACA5A2A666625CDD40A7DC1C397682A1E4E2B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
46	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ezslqrbz.exe	85,504 bytes	MD5: 0x0B463BB11ADBBB9F8FC802CB95DF84C2 SHA-1: 0xB8734AAFD07FE4C6D6BB7372005134C3F10437CB	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
47	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\neqvzkeh.exe	85,504 bytes	MD5: 0x17D36591334675AA556957F8F69D3A47 SHA-1: 0xE376E1AE3ED46A17DA47FC8D26DA1C4EE7DF5290	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
48	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\shrnxshq.exe	85,504 bytes	MD5: 0x28C40F1312CA303373B7AE7C21C1E317 SHA-1: 0x78B68F6B213F3658A577016A141B1CF2BB3C64C3	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
49	%Windir%\pchealth\helpctr\System\Remote Assistance\rqxjhbsl.exe	85,504 bytes	MD5: 0x194C0C67CF59C083DF29FC5C2B46BE44 SHA-1: 0x19E40F9014C5324785DAB6645A099A582DB25E45	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
50	%Windir%\pchealth\helpctr\System\Remote Assistance\rzqstbqq.exe	85,504 bytes	MD5: 0x139835C3FFFC258035A8713BDC00A468 SHA-1: 0xA40CE6B47F09A09305D1DB14FC009092CD931652	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
51	%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe	85,504 bytes	MD5: 0x544D231C5376ED7256C0C9CDAEC7FE3E SHA-1: 0x9D2BF75D20A77FC0DB3F7DE52B900C2F0437F66E	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
52	%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe	85,504 bytes	MD5: 0x35ED282C7EBBF39859D016050EF2B6F7 SHA-1: 0x06063FA96CD7F6832D8CDB68620F1E74BAE584EB	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
53	%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe	85,504 bytes	MD5: 0xC98EDAD1BDFBB8236DAB8F037D6EF567 SHA-1: 0x1A889F1D8DE552A3C8181D16870373D991562111	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
54	%Windir%\pchealth\helpctr\System\sysinfo\jbrhbztz.exe	85,504 bytes	MD5: 0xEA346667B81A1445AA90AF6CF8B99023 SHA-1: 0x7754F00173276D69574AD467B2C40311E94D187B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
55	%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe	85,504 bytes	MD5: 0xBAE56E1F36516D2C6769A75A7E64FFC1 SHA-1: 0xF4BA37164B6EF04E2885FB26E9F8C1EB02E0A475	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
56	%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe	85,504 bytes	MD5: 0x0091E13E81A2BCE02B8638975F159F04 SHA-1: 0x1DABCD15980DFBFD1309920CF012A686A43B55C2	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
57	%Windir%\pchealth\helpctr\System\sysinfo\rercrnhh.exe	85,504 bytes	MD5: 0x36503AAB3683E0110B08252AB43158BC SHA-1: 0x5E20A94A7AA7ABDEA07CA2F2B9741532FE7E5686	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
58	%Windir%\pchealth\helpctr\System\sysinfo\rnbrkrlv.exe	85,504 bytes	MD5: 0x7938F5EC8B8012F76AEE8C4C0F41B351 SHA-1: 0x3C45F938B1F011B0B22BB21C852E1FB6BF42AF66	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
59	%Windir%\pchealth\helpctr\System\sysinfo\vkchbbxh.exe	85,504 bytes	MD5: 0x11F21368E4C97D84A93247B729D7532F SHA-1: 0x1D05B8766D41364F7757440EF363A449A2C7857D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
60	%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe	85,504 bytes	MD5: 0xB3AD2E89833B0105980C58D755E7C474 SHA-1: 0x82B91F262AB6A426ED302D1906F8FD5374167F18	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
61	%Windir%\pchealth\helpctr\System\UpdateCtr\qxshkkqn.exe	85,504 bytes	MD5: 0xF7018E1D8DA3191D6FA2036A10676721 SHA-1: 0xF41CE93C812F985718CE1D7972282E0793B39B4C	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
62	%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe	85,504 bytes	MD5: 0xC96D29BD0912BB61F98CCA25F7FCC71D SHA-1: 0xBD521A827E019F0FF9C3ED6FE020E523413743DC	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
63	%Windir%\pchealth\helpctr\System\UpdateCtr\snqesjrk.exe	85,504 bytes	MD5: 0x96690E735A59540DBC458DD574F51019 SHA-1: 0xAD43D10234DB8AE9939386822C579485A5D49ED0	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
64	%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe	85,504 bytes	MD5: 0x4C3351A8DFA54D07E078A84CD0010878 SHA-1: 0xDFE8B589E9C8DBCB36DDF844CA036E668D94AF07	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
65	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\erwskeqr.exe	85,504 bytes	MD5: 0xD73EF7EE48CDEE9667FD906F01FDB732 SHA-1: 0x712120748ED5BF355C1C33CEC888877C38495E1F	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
66	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe	85,504 bytes	MD5: 0xCF5AC32FD321D578F45DF02F1EEF160B SHA-1: 0x262EC79C2A297A323489C09CD002FC5C5FEC23B5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
67	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\vxwqhwzs.exe	85,504 bytes	MD5: 0xE7E9083C0F344D49FC1B6415C9625422 SHA-1: 0x4F7C0718EB4137C48A8B64CB736FF4110F306CAA	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
68	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\vxwqhwzs.exe	85,504 bytes	MD5: 0x1AD7E51316F7321656AF3C081A32AA53 SHA-1: 0x8DABBDD043BA86DDD0D028902433741A354821BF	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
69	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\vxwqhwzs.exe	85,504 bytes	MD5: 0x5FF7B5D032DF7382E2823E497E8539F9 SHA-1: 0x5E844FA825DDF13F9FA80DA9F37ED638E586A586	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
70	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe	85,504 bytes	MD5: 0x6FA8473EAB80F6FFF04E9C7157842611 SHA-1: 0xAE553FFC1BD388C9A789DC0503CC720E3351250E	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
71	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\vsekkehe.exe	85,504 bytes	MD5: 0xE1F604566E50F607E6CFC0B89123BAD1 SHA-1: 0xFDF00A2EBD7C4E76163BD1DD9A8A57CB8E570DBF	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
72	[file and pathname of the sample #1]	85,504 bytes	MD5: 0x1808FAA30B069E56F4DD479C34C440AD SHA-1: 0xB6470451D2D4688E33F4F1F538B3A050602B5678	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
73	%System%\urdvxc.exe	85,504 bytes	MD5: 0x56A4336296AD45633A3C0FDD58A69BBE SHA-1: 0x50D2691F50AB4BD6BD4ED19D8DB2516396C82E2B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\NetMeeting\netmeet.htm
%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm
%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm
%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm
%Windir%\pchealth\helpctr\System\errors\connection.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm
%Windir%\pchealth\helpctr\System\panels\blank.htm
%Windir%\pchealth\helpctr\System\panels\NavBar.htm
%Windir%\pchealth\helpctr\System\rc\rcRequest.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\DividerBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAChatClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAStatusBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\rcscreen6_head.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\setting.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\ErrorMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\RCFileXfer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\voicefirewallmsg.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\VOIPMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar1.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar2.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\RAChatServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\SettingServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\TakeControlMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\RAStartPage.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\rcBuddy.htm
%Windir%\pchealth\helpctr\System\sysinfo\msinfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysComponentInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysEvtLogInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysHealthInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysinfosum.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysRemoteInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysServicesInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysSoftwareInfo.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\AboutWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\Learn.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\LearnInternet.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\learnWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\updatecenter.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Connection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineDC.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineOptions.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\confirm.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	180,224 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
MSWindows	Network Windows Service	"Stopped"	"%System%\urdvxc.exe" /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32]

(Default) = "%Windir%\Web\wcxnjhhj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}]

(Default) = "hsrlnrvstvshnrtw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qkezbwtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}]

(Default) = "bkvltxbettlqckss"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rvwwbqje.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}]

(Default) = "jlkktrnrktlejqer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}]

(Default) = "tzkbvsseewnrjbjt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}]

(Default) = "hxertrnctrkhnksv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}]

(Default) = "hletqtknlcstxzbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}]

(Default) = "txzlrxheevehhbxj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32]

(Default) = [pathname with a string SHARE]\czjevcet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}]

(Default) = "xeczjccscseekqzs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xjshnvvh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}]

(Default) = "rbkjlvxrhklxtkkk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}]

(Default) = "trqzrlcbkebjwljn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}]

(Default) = "blweecrqejjtsehq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}]

(Default) = "jeeetstwvbkrqstr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jhtkcrqk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}]

(Default) = "lqthlsxljvqtekhn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32]

(Default) = "%ProgramFiles%\NetMeeting\rsewzjqn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}]

(Default) = "wknzsrhlrxbzwrxs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\zxtlktls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}]

(Default) = "hezrezqkqbckbttn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jehkxqtn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}]

(Default) = "qreknehkthxejhjs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32]

(Default) = "C:\Inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}]

(Default) = "htwrntsknthvbhwh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}]

(Default) = "xhejlxhbbwxjwzhr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}]

(Default) = "tnxenbntlhzsbjkc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32]

(Default) = "%System%\urdvxc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}]

(Default) = "klkhrxjtcvjhxtnb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}]

(Default) = "brxnhkwjtqjsljsk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jcjcvqtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}]

(Default) = "hnjrhvrqkwbrwqhj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}]

(Default) = "ebrjrnbrnrzhnhxk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}]

(Default) = "jkzrbnnehbbbzjln"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}]

(Default) = "kjbxkbtblezqerlt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}]

(Default) = "xtkserktlbzrzwbt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32]

(Default) = [pathname with a string SHARE]\qjllsjhl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}]

(Default) = "rcwsbkznjxlsbers"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\tjqlrkhx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}]

(Default) = "xqltzkkrwvwsntjs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\ehlbrqvs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}]

(Default) = "qlvssbnrsksnlevq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}]

(Default) = "rlbtqxzjschewvrb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\Howto\tbzrsrxv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}]

(Default) = "ezrwkrtqntvrxlcq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\tsektjkj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}]

(Default) = "tjkrebnqjlrrvqkw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\nxhtnbrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}]

(Default) = "xznwtllbnkzbewtj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}]

(Default) = "zlsshbjhkswxhjjr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32]

(Default) = "C:\tvsknrse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}]

(Default) = "rtrrtzjltxhjenlq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\srzectxw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}]

(Default) = "ernstlrqhznqjsjr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32]

(Default) = [pathname with a string SHARE]\bhrhnkht.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}]

(Default) = "cnqtleslhcztjnbk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}]

(Default) = "wtrxsstrsttrjehs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}]

(Default) = "nwsjnchrehjkjlhr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}]

(Default) = "zhjlztbbrsnvwjkq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ktensxxh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}]

(Default) = "hesnkjqstlljjjeb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nxxhexkh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}]

(Default) = "zhklvtlnhwtbrrwk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32]

(Default) = [pathname with a string SHARE]\bcwvzwbh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}]

(Default) = "swbqjbtsernnxnqb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\snrlrkcn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}]

(Default) = "xhwhwslskcxnnzlj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}]

(Default) = "sjxwteenrhrwrbez"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}]

(Default) = "rlheknbbbcejrcbx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jclbnjhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}]

(Default) = "hjrsjvkxjlbkneth"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32]

(Default) = [pathname with a string SHARE]\bnbtzwxt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}]

(Default) = "kbjsrsbjrqxhbhrc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\elbkcznj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}]

(Default) = "nsljhsbxnwrhjsvs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}]

(Default) = "bshqrqeksjbrknzs"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex object was created:

jhdheddfffffhjk5trh

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.