ThreatExpert Report: W32.Rahack.W, W32/RAHack, WORM_ALLAPLE.IK, W32/Allaple-F, Worm:Win32/Allaple.A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 October 2012, 00:33:51
Processing time: 10 min 17 sec
Submitted sample:

File MD5: 0x7441A79E4F6726CD2543D34C37F4F793
File SHA-1: 0xCC446A42D3ECBFC2E677F848940564D57235EB41
Filesize: 86,528 bytes
Alias:

W32.Rahack.W [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Worm:Win32/Allaple.A [Microsoft]
Net-Worm.Win32.Allaple [Ikarus]
Win-Trojan/Starman.Gen [AhnLab]

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[pathname with a string SHARE]\bcwvzwbh.exe	86,528 bytes	MD5: 0xE5080D7D5BF1E35C156BD3C268E7C35F SHA-1: 0xE7F20C88A16EA58EBAE5E671FD59A3F5570E2E3A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
2	[pathname with a string SHARE]\bhrhnkht.exe	86,528 bytes	MD5: 0xD034B3FA3F00D60757AC160FAE827C10 SHA-1: 0x8425E06DDA5F1AC7EB08A092F34A33722C524A99	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
3	[pathname with a string SHARE]\bnbtzwxt.exe	86,528 bytes	MD5: 0xBB919AC44BD08FF9DF3F18FEC40E8D59 SHA-1: 0xCDBD9685DB9E453EFA9BCDB7BF38155793B669FE	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
4	[pathname with a string SHARE]\brvrjrke.exe	86,528 bytes	MD5: 0x8250EAF800864C46AC6ABD541FA45530 SHA-1: 0xAE668AEC1E6EE30FFBF7DDDDA35F32BC55B774E7	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
5	[pathname with a string SHARE]\bzqlkhrh.exe	86,528 bytes	MD5: 0x891E7F98652420498CAFCC46CA7D6087 SHA-1: 0x2AED6BC70B60C80E2A953404A4097501D1209428	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
6	[pathname with a string SHARE]\czjevcet.exe	86,528 bytes	MD5: 0xEC1DF5EA22A7332324C5A59A400C063E SHA-1: 0x75D5DBFC70838CEEF827157D730D276B818430F5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
7	[pathname with a string SHARE]\ehbebsrn.exe	86,528 bytes	MD5: 0x9CBC9484572F1CF59DFE642B6160E980 SHA-1: 0x4DD945881102B6EA3E881229638BA7D33B42EDAA	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
8	[pathname with a string SHARE]\elwtjnbj.exe	86,528 bytes	MD5: 0x0DD020678E0B345289B04F312615116D SHA-1: 0x52A0672C6A36CCB0B5FBB83AEA665EF2F7C9BF9C	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
9	[pathname with a string SHARE]\njbsvtll.exe	86,528 bytes	MD5: 0x435D1BA29792A9C9C7A254141261BC30 SHA-1: 0x86353B8DD2B020CB8B1E012A355CE601F0BF5FA5	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
10	[pathname with a string SHARE]\nsqjttkv.exe	86,528 bytes	MD5: 0xEF273D931FC828EEB356386BD768BC6D SHA-1: 0xB2F0A5595029B5CE0F55621E0067BEEFF54EDF06	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
11	[pathname with a string SHARE]\qjllsjhl.exe	86,528 bytes	MD5: 0xCFB2AF281BBCA4C5CBCEDA6B54E0AC0B SHA-1: 0x477B17D838FB0F0D76FE2605FAD29CC94DB53BBA	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
12	[pathname with a string SHARE]\tlcwjrwt.exe	86,528 bytes	MD5: 0x0F224F04AE4A9A4B3705A2452EF27661 SHA-1: 0xBB046E00F0FFA503575506F0AE9ABB092405B942	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
13	[pathname with a string SHARE]\vkjljzrn.exe	86,528 bytes	MD5: 0x12520F8292BBC72A3268BB11CDD3FDB2 SHA-1: 0x5D52A72909D49CBC59E45F01A5122F2770E755CD	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
14	[pathname with a string SHARE]\xrljqjzn.exe	86,528 bytes	MD5: 0xD09F0683C084A73A6D9A962F97EC7A64 SHA-1: 0xB62AD8ADB8CE53FA880267F713AF35ED4C850B37	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
15	%ProgramFiles%\Common Files\System\ado\tsektjkj.exe	86,528 bytes	MD5: 0xC87868865EA8D3A88783A6950787F9F1 SHA-1: 0xBCB066DF8C0C49BC61E2630AC3B16776A2F346D4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
16	%ProgramFiles%\NetMeeting\rsewzjqn.exe	86,528 bytes	MD5: 0xA99DC45EA5FAB26A90502C823DDDB71A SHA-1: 0x1B379B7157B99148FDF06AABE8349B0138441084	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
17	c:\tvsknrse.exe	86,528 bytes	MD5: 0x4BB960304F289B96052CD1538CCFAC26 SHA-1: 0xED251530B435FCCFE6272E0A087137A8EC0006EA	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
18	%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe	86,528 bytes	MD5: 0x6CA89C252874B3B2DECE7AF0F85B2DFE SHA-1: 0xC242BE3AC610808544491F3C74111E6C0E24D629	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
19	%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe	86,528 bytes	MD5: 0x2F856751FB642C28C26A343015E196B4 SHA-1: 0x81BC80E74EF817A5FB58D1BFC25B9B79784B7C5E	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
20	%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe	86,528 bytes	MD5: 0x048A16DDD4BDBB273D33A11A25A9236D SHA-1: 0x400F59E9267C28BB81CC5097E6B9D73980D5B4EA	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
21	%Windir%\pchealth\helpctr\System\CompatCtr\zlhqrlbx.exe	86,528 bytes	MD5: 0xB9BFA95C331321AF58A926D4593A93FD SHA-1: 0xADE9B7198A62590FE42FB8B2B933B5740D0822F5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
22	%Windir%\pchealth\helpctr\System\DVDUpgrd\shrrtjet.exe	86,528 bytes	MD5: 0x000DACDF7EF5CAA57536E9925949B1C3 SHA-1: 0xA21C4AC86CD0351C88C33F39858C78B346E3E44F	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
23	%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe	86,528 bytes	MD5: 0xC292741CCEC001F9EC492859151893A6 SHA-1: 0x969E2274F658C05EB887D25C844B4E82D3C76405	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
24	%Windir%\pchealth\helpctr\System\errors\jcjjlqnq.exe	86,528 bytes	MD5: 0x6EB5F8AD3100C1400F1728CCDD195668 SHA-1: 0xF564E183B3536979B6CD4A64297C5C4D3EE3F42A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
25	%Windir%\pchealth\helpctr\System\NetDiag\hsjqschn.exe	86,528 bytes	MD5: 0xD905CC129588F1E5842A30A9E49D61A6 SHA-1: 0x268F81499D214B622F03022F093197F003A318AA	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
26	%Windir%\pchealth\helpctr\System\NetDiag\xrvxszvs.exe	86,528 bytes	MD5: 0x68244EA7294662639FCB4505F14C524F SHA-1: 0xEC80F7BD0D20973B0E04C46DBF2204A157E639B1	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
27	%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe	86,528 bytes	MD5: 0x387B472672DB43551F2C9C69F7EA5515 SHA-1: 0x5A8F66C71777FB0A6B0892DB18B03019FE4F26BE	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
28	%Windir%\pchealth\helpctr\System\panels\sncncweb.exe	86,528 bytes	MD5: 0x4C192B97C9BF4278D36AC9125950F576 SHA-1: 0xB2E45C3DE112DE880B3C07BC2F8781DF57845879	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
29	%Windir%\pchealth\helpctr\System\rc\qbrblthb.exe	86,528 bytes	MD5: 0xE394697FF0DC9B099278B5CE68077242 SHA-1: 0xE4EE778C1BFD2B21CF4E10EBC8C5D5AF7A088D47	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
30	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\hxrshqsj.exe	86,528 bytes	MD5: 0x4DEBE0C4AAC23B713819850587CC18E7 SHA-1: 0x55CE12D5F84DF0E892A2F86F74258FF1C1B515F4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
31	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\rwcjrqhw.exe	86,528 bytes	MD5: 0xCCE96710931648D4FC1106CBE334BC52 SHA-1: 0x59620F0F5994F936E51DF714269B611EA6D66557	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
32	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe	86,528 bytes	MD5: 0x4207BF769ED31CC58F16BE764A5144A5 SHA-1: 0x014B35CCE9CD16AB7EE288254699762F85D08D2A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
33	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ekjvhbcn.exe	86,528 bytes	MD5: 0x61DDC42E760A9689B350E5586AE265B8 SHA-1: 0x2F9B84BF33AF879B9667991E3C43AE8D0E8FFB75	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
34	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\jjennetl.exe	86,528 bytes	MD5: 0xCF479566371CE2A168F8020447196F2F SHA-1: 0xB73E4A169D395CCE4F2A129774A22E3241DB35A4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
35	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\knenvxlj.exe	86,528 bytes	MD5: 0xE2B55D7602AD2E4CB219E02E9400EBA1 SHA-1: 0x6369A5BE9FC9D6E7149A7FC971B975D6944A432D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
36	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe	86,528 bytes	MD5: 0xF07A4BACFD9D54304744FE04D4C5F310 SHA-1: 0x2DB3E59961B689192BF19A47947ADD1D770CAD4D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
37	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe	86,528 bytes	MD5: 0xD46087E98AB990BF6A19FEAECDE282AB SHA-1: 0x231067EACEA3F3E69D5EC36CFBA9325BBDC494D2	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
38	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\zqwkjbbt.exe	86,528 bytes	MD5: 0xAC1DFD481F378A4DC6A6608795A2B6AF SHA-1: 0x05ECA0A080B40129AE4D3B7CB725ED82E7BD9892	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
39	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\bbsbrlee.exe	86,528 bytes	MD5: 0x39CB13D4D5023A508E78E33818F5CB94 SHA-1: 0x6B66A18FD83EA7BD6C23D05C226A1AB3D95CD991	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
40	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\kbzzlwlr.exe	86,528 bytes	MD5: 0x9505CBBDC27841A7B65AA68AA6BA9662 SHA-1: 0x1A153BC274F6CFD54AAC89B771BDDC5B5072A2FC	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
41	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\rbntkevt.exe	86,528 bytes	MD5: 0x8AE652275305E903A5DEEA1BAE9E9BB1 SHA-1: 0xC3D68C446B15E4C6CA9871DDED1A5A4CE11563C0	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
42	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\shnkjjbh.exe	86,528 bytes	MD5: 0x56DF10391A39E2CF4D51807A8506B7E6 SHA-1: 0x8DEFC66807B04A1DA70C80CEFE48449C7E53E30D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
43	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe	86,528 bytes	MD5: 0x3330F72230E4A618F62223471618BB1F SHA-1: 0x9655231798DD108593A2C9AF7A6509FA150180D4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
44	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ctjxljxh.exe	86,528 bytes	MD5: 0x68DCD1C10F49A0FC9106430620123E4B SHA-1: 0xFE8B6F7A27E5585D7AE5F334C79FDE742C926682	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
45	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ezslqrbz.exe	86,528 bytes	MD5: 0xBE2C6C616B483D507094AB7773F9BA3D SHA-1: 0x409E0F91AD2B128A20B4F5912B2EFDBF988CEEF1	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
46	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\neqvzkeh.exe	86,528 bytes	MD5: 0x0D837FD694BF8F77D920C76AAA02D905 SHA-1: 0xF08A894BC3677750B9E3B95E943BE9B57555A156	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
47	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\shrnxshq.exe	86,528 bytes	MD5: 0x4896EBEE2AF0C1FB454BD175C3AC41DB SHA-1: 0x6CCD92C7877D260DD3117DFCD41781914CD7F5A5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
48	%Windir%\pchealth\helpctr\System\Remote Assistance\rqxjhbsl.exe	86,528 bytes	MD5: 0x0288A2D359276CA00F7A0DA2FD90D57E SHA-1: 0xBD111CCE4019F8CA2B40B587A313B25C446C3212	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
49	%Windir%\pchealth\helpctr\System\Remote Assistance\rzqstbqq.exe	86,528 bytes	MD5: 0x721DCFD5B83243F550903E706A0E52E8 SHA-1: 0xFC0B2BDF96A961B727CB5B511F4CEB9663506103	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
50	%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe	86,528 bytes	MD5: 0x8FE3C39D19535CCAD4B27E11185958A7 SHA-1: 0x186F548D97B0245F1954B46FFBB02555BC10B7B8	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
51	%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe	86,528 bytes	MD5: 0x8F9C8EB5CCD6B9486FAED8D2CE9DCB50 SHA-1: 0x931E80DE79C5546CC4E5F63F73B65814DC08B3E0	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
52	%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe	86,528 bytes	MD5: 0x0A892B8D7DAB2835AE5512E26660190D SHA-1: 0xC10921EE7FD8B9B93570ED7FA215F6DD3EE92008	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
53	%Windir%\pchealth\helpctr\System\sysinfo\jbrhbztz.exe	86,528 bytes	MD5: 0xD844A9C63F5F0DB8B56E6D3075370586 SHA-1: 0x0B66BE8947EEAC798594B170C8A8DA18E5AD2AC8	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
54	%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe	86,528 bytes	MD5: 0x5BCED829991C5D45D166B36AC3A2F157 SHA-1: 0xCC7D7CA4E13AD52F17712BE0C8572EA0D0EC87EC	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
55	%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe	86,528 bytes	MD5: 0xA021CFBCE580F19A35EAD45582D7B3FD SHA-1: 0x62E9742DF70AE956309B2ABC30CC3325D650C484	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
56	%Windir%\pchealth\helpctr\System\sysinfo\rercrnhh.exe	86,528 bytes	MD5: 0x4148966BC7C3AA28023DF9CF2FD120DF SHA-1: 0x17C1932A97A5013E0C9FCEBB8217B0C9A51B6845	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
57	%Windir%\pchealth\helpctr\System\sysinfo\rnbrkrlv.exe	86,528 bytes	MD5: 0x6A95F26EA9A590BDBD5FA9F8336FCB32 SHA-1: 0x41D0A3901DDA8977F4381AD3EC4FB21D41F87EE5	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
58	%Windir%\pchealth\helpctr\System\sysinfo\vkchbbxh.exe	86,528 bytes	MD5: 0xB3D0E136460A710F7CCBBC9B44C84189 SHA-1: 0xB4A81D3E8206F1E07099FCEC067FDA9482A26B9E	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
59	%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe	86,528 bytes	MD5: 0x4A5559BD72D86D63662135AA716164F5 SHA-1: 0xD927367A78AFDB9DF2B0D66390C580C1681A1D7D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
60	%Windir%\pchealth\helpctr\System\UpdateCtr\qxshkkqn.exe	86,528 bytes	MD5: 0x67D0F54E4390F9BFE68B4ED2046A1519 SHA-1: 0x1EF9C1A5049200760C534414712577BA20929109	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
61	%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe	86,528 bytes	MD5: 0xC6D2CC301365E2117F6758F242C3DABB SHA-1: 0x41CE5E4A5F74D174A9ACBA94A554149A84F794CD	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
62	%Windir%\pchealth\helpctr\System\UpdateCtr\snqesjrk.exe	86,528 bytes	MD5: 0xC6669BCD8B8EA3AA8D2772846D5E6208 SHA-1: 0x402D3EF9F5409E03C434F7CC6BD3C7F0F1D1DC2A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
63	%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe	86,528 bytes	MD5: 0xEFF8A76C17970F70449D896725FEB5FD SHA-1: 0x5B8B25A6E832A2CDF97F6C2246FFD478C7C05F9E	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
64	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\erwskeqr.exe	86,528 bytes	MD5: 0xA241A49C1D61ED564346E5448347DA4A SHA-1: 0xA4818E2B39045E12895ADFE5181D33E1A469301C	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
65	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe	86,528 bytes	MD5: 0x3A146B2DD353FF35FCD082D819968FD9 SHA-1: 0x1A7BF5B8E14E11D910588B7251E5312FFCC43822	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
66	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\vxwqhwzs.exe	86,528 bytes	MD5: 0xE93B2DB7CC9F49690FE82BB197986209 SHA-1: 0x9123AD7B12CE4D8607A6B76A24FC7FE3133A7972	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
67	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\vxwqhwzs.exe	86,528 bytes	MD5: 0x39D515FF74881DC91BA66EC2C7185FF8 SHA-1: 0x2013BE434841A7772BE89EF70E0B28DEEF5B7261	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
68	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\vxwqhwzs.exe	86,528 bytes	MD5: 0x51F0B06AC498512C0488883A954741FA SHA-1: 0x3E9F3C276B399DC63B4100AF89668B1A8882FF73	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
69	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe	86,528 bytes	MD5: 0x8C66455EAF9A4C00E2BC304EAFE56329 SHA-1: 0x52D4037B871E5E3310624476B49CAF650B4B7025	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
70	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\vsekkehe.exe	86,528 bytes	MD5: 0x6372B52DA64657D0FF5BA70CC0C7E11F SHA-1: 0xB1C1949835E6584C5DF2C863B27F45F8B2BFF31C	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
71	[file and pathname of the sample #1]	86,528 bytes	MD5: 0x7441A79E4F6726CD2543D34C37F4F793 SHA-1: 0xCC446A42D3ECBFC2E677F848940564D57235EB41	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
72	%System%\urdvxc.exe	86,528 bytes	MD5: 0x99D6658E3D54F5A0C023A183D5E93DCA SHA-1: 0x51B38089049EEEFE18044C91665BA85BEC1906F1	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\NetMeeting\netmeet.htm
%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm
%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm
%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm
%Windir%\pchealth\helpctr\System\errors\connection.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm
%Windir%\pchealth\helpctr\System\panels\blank.htm
%Windir%\pchealth\helpctr\System\panels\NavBar.htm
%Windir%\pchealth\helpctr\System\rc\rcRequest.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\DividerBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAChatClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAStatusBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\rcscreen6_head.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\setting.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\ErrorMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\RCFileXfer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\voicefirewallmsg.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\VOIPMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar1.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar2.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\RAChatServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\SettingServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\TakeControlMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\RAStartPage.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\rcBuddy.htm
%Windir%\pchealth\helpctr\System\sysinfo\msinfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysComponentInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysEvtLogInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysHealthInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysinfosum.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysRemoteInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysServicesInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysSoftwareInfo.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\AboutWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\Learn.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\LearnInternet.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\learnWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\updatecenter.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Connection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineDC.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineOptions.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\confirm.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	159,744 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
MSWindows	Network Windows Service	"Stopped"	"%System%\urdvxc.exe" /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32]

(Default) = "%Windir%\Web\wcxnjhhj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}]

(Default) = "kjttkhthttlkhxbl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qkezbwtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}]

(Default) = "levktlhjrbtqtvxw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rvwwbqje.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}]

(Default) = "cxtjktjsrnhstchx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}]

(Default) = "cvjrhjwhqqrvkrxb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}]

(Default) = "kxvtjssbkkjrkjrc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}]

(Default) = "hjwejnrtkthnrbsw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}]

(Default) = "ecrqbcsnerjnskrh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32]

(Default) = [pathname with a string SHARE]\czjevcet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}]

(Default) = "znrzeelkejhehsbh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xjshnvvh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}]

(Default) = "sxxsrnqrhnwknjzt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}]

(Default) = "tblkhqslvlkbqcxb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}]

(Default) = "eshbbvthvxbnesvl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}]

(Default) = "hsjrecrxrksrtshh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jhtkcrqk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}]

(Default) = "ltekbcrlshlxlkrh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32]

(Default) = "%ProgramFiles%\NetMeeting\rsewzjqn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}]

(Default) = "ehwttenheskrxjrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\zxtlktls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}]

(Default) = "wnevstttekkvcqrn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jehkxqtn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}]

(Default) = "hsksltslbelzllrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32]

(Default) = "C:\Inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}]

(Default) = "hrbvslhsehvbhhqk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}]

(Default) = "nbkstjtqlkzhlxvh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}]

(Default) = "jbbkwhqzereejxlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32]

(Default) = "%System%\urdvxc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}]

(Default) = "tskqvrjwbtskqnct"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}]

(Default) = "lnttehkkrknbvttk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jcjcvqtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}]

(Default) = "htszrksshlcercbt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}]

(Default) = "zlljvtkrrstznsnj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}]

(Default) = "lwqnlxcrnhxqrwnb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}]

(Default) = "exsrbrqtsshbjhln"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}]

(Default) = "wkklewvnhjlbsrne"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32]

(Default) = [pathname with a string SHARE]\qjllsjhl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}]

(Default) = "hksewbnerebrwbrt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\tjqlrkhx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}]

(Default) = "ljjtkzezklhnvxxn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\ehlbrqvs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}]

(Default) = "jktchwjlkxnhexvn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}]

(Default) = "nelclkerqrbcqnql"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\Howto\tbzrsrxv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}]

(Default) = "bkkkxbhtbetwcweh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\tsektjkj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}]

(Default) = "ebvblrckqelrqtxh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\nxhtnbrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}]

(Default) = "jqszextkrbzbxrrs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}]

(Default) = "brhcevbvxrkbbwkb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32]

(Default) = "C:\tvsknrse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}]

(Default) = "thlkzkvjxlnbexsv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\srzectxw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}]

(Default) = "qrwecehlrrevrehb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32]

(Default) = [pathname with a string SHARE]\bhrhnkht.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}]

(Default) = "nltkhwwtbtbkensb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}]

(Default) = "sqxberezzeshxsvb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}]

(Default) = "ethbnbhccejlxsln"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}]

(Default) = "xwjllbsxvlnrjllx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ktensxxh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}]

(Default) = "ezlqbqzjehnerbsh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nxxhexkh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}]

(Default) = "zttrssxhjvllsxje"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32]

(Default) = [pathname with a string SHARE]\bcwvzwbh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}]

(Default) = "rrqnhlqhernbtejx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\snrlrkcn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}]

(Default) = "kllbzlllhjsjneln"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}]

(Default) = "ebnjstrwljlrkjjk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}]

(Default) = "lbbjvwchsbbjcnll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jclbnjhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}]

(Default) = "zrkssjthhxwcscbn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32]

(Default) = [pathname with a string SHARE]\bnbtzwxt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}]

(Default) = "elkwktxxjqtvhktr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\elbkcznj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}]

(Default) = "hnrqqvkrwcnrlejs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}]

(Default) = "bennqstnsvebxqbn"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex object was created:

jhdheddfffffhjk5trh

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.