ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 17 July 2012, 06:04:41
Processing time: 13 min 31 sec
Submitted sample:

File MD5: 0x94FB81C162C71F397C6BC9E3DC082843
File SHA-1: 0xE4039CB3866EE0FE9375BB9CD103DF8B64DEB8EB
Filesize: 122,368 bytes

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	c:\Inetpub\wwwroot\kkvwbsrw.exe	122,368 bytes	MD5: 0xDDA4B9D1CCDB62267DA666ACCD6C65DE SHA-1: 0x544111336FBFD8F1C291B926DC8D7BBFD74C5616
2	[pathname with a string SHARE]\bcwvzwbh.exe	122,368 bytes	MD5: 0x8C8E70F5E937CFF085B2708D937A6884 SHA-1: 0xB0852F72AB785B0E4813A1E963830508A403B1A9
3	[pathname with a string SHARE]\bhrhnkht.exe	122,368 bytes	MD5: 0xD5201C6A1C7FF5AA454429883F60D2EE SHA-1: 0x29F7342C7FF37F4E69890F8009C1E4FE039F3750
4	[pathname with a string SHARE]\bnbtzwxt.exe	122,368 bytes	MD5: 0x8C15FC7B53886C1CDB66AA3A65F72665 SHA-1: 0xD894981D1C459CAEE6A4B2F6EFB930253EB0BD48
5	[pathname with a string SHARE]\brvrjrke.exe	122,368 bytes	MD5: 0x62BE9D95E4CD8FACEDE63953D86986E9 SHA-1: 0xC0D6EB01275CD640A80B1711D1DD61198E8D0333
6	[pathname with a string SHARE]\bzqlkhrh.exe	122,368 bytes	MD5: 0x1BE00D70A8A5A5C732399C9F2BDACA51 SHA-1: 0x48831E4A8BF0CEC8D13140386041D23589648112
7	[pathname with a string SHARE]\czjevcet.exe	122,368 bytes	MD5: 0xAA710D1122852E426A00939439C23946 SHA-1: 0x0C1ED4FF21BF09678F6057E6BB41C73F35B26770
8	[pathname with a string SHARE]\ehbebsrn.exe	122,368 bytes	MD5: 0x4BF609ABF27786E704469513BFE5A308 SHA-1: 0xAFB836005831032B6D45F0B52DE2B46C4741BF8D
9	[pathname with a string SHARE]\elwtjnbj.exe	122,368 bytes	MD5: 0x75384B73341A587178954364AAA45664 SHA-1: 0x05F57F6F691AC5E0837093C527B5706465720C9F
10	[pathname with a string SHARE]\njbsvtll.exe	122,368 bytes	MD5: 0xEF95211648E8023F6F926180FCC71CF7 SHA-1: 0x09C26E5046884F89652D02B818B8F35082EEF86A
11	[pathname with a string SHARE]\nsqjttkv.exe	122,368 bytes	MD5: 0x3ECB44BB6D42BE70B648AA92CA136F74 SHA-1: 0x981247DCFBBB9D43206FD18A42624F3C196C5242
12	[pathname with a string SHARE]\qjllsjhl.exe	122,368 bytes	MD5: 0xA630096E9207CAE7AD918502064C9653 SHA-1: 0x7EB9A28C15F1152284A73478C5B7C3C42C07AE6C
13	[pathname with a string SHARE]\tlcwjrwt.exe	122,368 bytes	MD5: 0xB259E1B0FFA0AF42506A1CE9599F9711 SHA-1: 0x00CD1998E16C137F159B374690F20B70AF0FB76F
14	[pathname with a string SHARE]\vkjljzrn.exe	122,368 bytes	MD5: 0x63DA6A612BF074F419E0ECA7BF7646F9 SHA-1: 0x58B7F9B03675A51022AB67C2552DFFF5F90639DA
15	[pathname with a string SHARE]\xrljqjzn.exe	122,368 bytes	MD5: 0xEFEFAA8AAEC59E6937B6AC5E42CBA76D SHA-1: 0xDCB864327398EFCCF280431F529C911514E8B7E1
16	%ProgramFiles%\Common Files\System\ado\tsektjkj.exe	122,368 bytes	MD5: 0xB7735199E31F1C8C82B3B406BB0DCAB8 SHA-1: 0x883E1191F9B6CFD7076A480A21992A2D3E2F7AB2
17	%ProgramFiles%\NetMeeting\rsewzjqn.exe	122,368 bytes	MD5: 0x5DD314AA4DC1E871166CF2D4DC9AEA61 SHA-1: 0xBF950E74512B79860F90139BDBCBD7F8A1EDD93B
18	c:\tvsknrse.exe	122,368 bytes	MD5: 0xBC3418C49F317798DC3E5EAA39C3F219 SHA-1: 0xC685E3AD8207FD52426BEF2A92B4130BA4BA5C51
19	%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe	122,368 bytes	MD5: 0x8C0BFC0512AE0EC8DFA65BDC3FAC4F85 SHA-1: 0xE1B7846EF344E0DF183BC3134FB16679CCC2A89A
20	%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe	122,368 bytes	MD5: 0x9AA5B9EE5A4433ABF6DCBDC2813F5FEF SHA-1: 0xB954203A42E00381E1B74244D330C61063BB432D
21	%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe	122,368 bytes	MD5: 0xB9B6111B53D5D3D4C91E21F95A569824 SHA-1: 0xE9D0C09BB4993CF67859D5CD347EF1C6CB0A08DE
22	%Windir%\pchealth\helpctr\System\CompatCtr\zlhqrlbx.exe	122,368 bytes	MD5: 0xB805527063AE5EB62B33287B0E2976CD SHA-1: 0x85AC0A8CE15F08202AA947B2C3AD5DABD06CAA72
23	%Windir%\pchealth\helpctr\System\DVDUpgrd\shrrtjet.exe	122,368 bytes	MD5: 0xA990D8CAA8DB567FFE96A8B02247BBEE SHA-1: 0x0FCEE47867601F28699AC6BC75AFD629F5EB4B72
24	%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe	122,368 bytes	MD5: 0x9B0DC8D9588AA555C67046D89E26FF61 SHA-1: 0x14B225D74A3D10C70D3AC2E4D653D9621D111864
25	%Windir%\pchealth\helpctr\System\errors\jcjjlqnq.exe	122,368 bytes	MD5: 0x169E56E7226E85EA85FE1E17A0A8C446 SHA-1: 0x3F96E90ADAA669334D111B8DB7E73E946473B3D4
26	%Windir%\pchealth\helpctr\System\NetDiag\hsjqschn.exe	122,368 bytes	MD5: 0xDFA41D84CCAA08B36E31F892B2EE1067 SHA-1: 0xEFB0C19C595A52AA78E5D9877A09F7C0776C2FB6
27	%Windir%\pchealth\helpctr\System\NetDiag\xrvxszvs.exe	122,368 bytes	MD5: 0x26296E438119C81759594AFE3CE8613A SHA-1: 0x47D672452F09B511A2C40ABC129C286204830CBB
28	%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe	122,368 bytes	MD5: 0xC997FA13E3DF1707D12EAFB35F04CE23 SHA-1: 0x318E3D25E0B412E66E6C9460D8E7C0FADF4A2FD7
29	%Windir%\pchealth\helpctr\System\panels\sncncweb.exe	122,368 bytes	MD5: 0x5B3F0B69B9C77A52ED50E64C4DC935B8 SHA-1: 0x031572236EB6A380EEC96C19F3D5388F47A74609
30	%Windir%\pchealth\helpctr\System\rc\qbrblthb.exe	122,368 bytes	MD5: 0x78A0EB0EB7EAD864F9A519E36FA7BC65 SHA-1: 0x8FB864D907A1D83B62A861EE6464D7695053332B
31	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\hxrshqsj.exe	122,368 bytes	MD5: 0xCA98CA80B55FBF9AFE8EA2FDAB26154C SHA-1: 0x7EA1F8FE0F8ED260669BA9944E0FC8C834620763
32	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\rwcjrqhw.exe	122,368 bytes	MD5: 0x5167E81796457FDB8F3E6197A0E36288 SHA-1: 0x977785EDD6F423818B05269EBDAD4DE63B753512
33	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe	122,368 bytes	MD5: 0x8E691826AEC9C33B18E2C22C53BC4FF1 SHA-1: 0xEF00FE384392F0145E118534A9282994BAF3A04E
34	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ekjvhbcn.exe	122,368 bytes	MD5: 0x5D7071B7ECCA4F1203EE825049B30274 SHA-1: 0x1ECB2FF29756D8C902BB5699E7DE546A7E5D733C
35	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\jjennetl.exe	122,368 bytes	MD5: 0x8E49E565D42770D84684EB3789A770A0 SHA-1: 0xAF4078394F77D80AF06F129189FA76DB5CF5B520
36	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\knenvxlj.exe	122,368 bytes	MD5: 0x5FE3CA31DB34FA501AE7BC581BA97C6B SHA-1: 0x262CD06B53167F3D0450BA7E6366D8B711E9A190
37	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe	122,368 bytes	MD5: 0x5D43B7B5AB27332DCB470AD100759FB7 SHA-1: 0x282BDEAE9D44385CFF9B585AEE340BD52F7FA454
38	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe	122,368 bytes	MD5: 0xA3DBF61A3F354710DE24A405B93B6431 SHA-1: 0xDCF83A1233F315DD0D294CE25E333F0595754D76
39	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\zqwkjbbt.exe	122,368 bytes	MD5: 0xCA65E92BD1D77D00E06EB3667E318417 SHA-1: 0x56333359BE4AB12996CB8370FB1162995CEB1A08
40	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\bbsbrlee.exe	122,368 bytes	MD5: 0x51BD8084E71C5BBB072935E36F239428 SHA-1: 0xF8E96E0AC51AE5A5E59BCE1D8A480F186ECD3162
41	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\kbzzlwlr.exe	122,368 bytes	MD5: 0x662BA85B3750594C0FD2F06C4A672A6D SHA-1: 0xC36E8E16AEE120E8946ED0C953EFF6487F73A7C0
42	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\rbntkevt.exe	122,368 bytes	MD5: 0xAC030EF8BFE638C59E4BED30492DDB26 SHA-1: 0x3FE2E65FCACC0F9BBA859008EB2FCB6E300CC59B
43	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\shnkjjbh.exe	122,368 bytes	MD5: 0xD7A34FDA5E996D391404D46D3B4211BB SHA-1: 0x54A0291EC5A33C081997E109710237530913D96B
44	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe	122,368 bytes	MD5: 0xAC80943A2E2826CC340B06CD9A0DB744 SHA-1: 0x8D70FE588933ADC8CB045CE8B211D9E01438A137
45	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ctjxljxh.exe	122,368 bytes	MD5: 0xB2C31CDDA1785C9674810A9C5184EF36 SHA-1: 0xDA7CDBEFFEF11BEBB3DC41C7ECED4C9BEA5F9386
46	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ezslqrbz.exe	122,368 bytes	MD5: 0xE79A18019A1F69332D1E6902D262C99F SHA-1: 0xBD1E6E4A0298179C03A2578083E5E2198D4DC877
47	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\neqvzkeh.exe	122,368 bytes	MD5: 0x9C113D9F8F661FB82D796A9E5C912BEA SHA-1: 0xC3232BB8AF9A2CD4E010F3B002C4B477985EAF76
48	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\shrnxshq.exe	122,368 bytes	MD5: 0x25EED628ABAA7DAC341EEF39E6371F92 SHA-1: 0x9C7268E95384EA64F4DF923DCA2ACE21FC21EBC0
49	%Windir%\pchealth\helpctr\System\Remote Assistance\rqxjhbsl.exe	122,368 bytes	MD5: 0xA41FA2292E8EEB6859B7BA5B4E9A407F SHA-1: 0xABF5DDA88414F13431D8F2459512E928D000B62A
50	%Windir%\pchealth\helpctr\System\Remote Assistance\rzqstbqq.exe	122,368 bytes	MD5: 0xD2D9FB30558CE7E0204711571307C287 SHA-1: 0x868F2D6373557411C98B54B52A3BE0FD5C3A0550
51	%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe	122,368 bytes	MD5: 0x492C59A50174ED5D0C3A4BEA5197FEAA SHA-1: 0x254492980DD89CF5775A9A3ACF7E75581A2DBAAF
52	%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe	122,368 bytes	MD5: 0xA9894D800259C13A407D364906F8349E SHA-1: 0xF42E77C4FF85E76620CB336B891A666631DC9E79
53	%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe	122,368 bytes	MD5: 0x92864D94F4A75B0E83BCA3B4846B03E9 SHA-1: 0x44289BA50A496A9F463535F32836F6260F5DFE13
54	%Windir%\pchealth\helpctr\System\sysinfo\jbrhbztz.exe	122,368 bytes	MD5: 0x183059F7C6B5883E20617FF0E3EE6FE3 SHA-1: 0x74F0E682A97A376499D102CF2BD625E66E0C468D
55	%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe	122,368 bytes	MD5: 0x04CEC99A7FADD14C89CBC99D1F831A7A SHA-1: 0x74FE5E6C66D18B4E0F8465FD292C928876C0B30F
56	%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe	122,368 bytes	MD5: 0xCF6CDAE60B4B339FC6498F961B0A631D SHA-1: 0x65B54E34218135FC2654A5247CBB6B93AD8EE65D
57	%Windir%\pchealth\helpctr\System\sysinfo\rercrnhh.exe	122,368 bytes	MD5: 0xEEBE891E03E0A94ABEE0E7B81611BA03 SHA-1: 0xB6FA5CC020D86A1ACF729B93C078329E62245983
58	%Windir%\pchealth\helpctr\System\sysinfo\rnbrkrlv.exe	122,368 bytes	MD5: 0xCE30D93C2662DB4BD5BAC7A3E5AE9F7E SHA-1: 0xE1C5CD78231E199D77C21CCEA2C4BACA01F862BE
59	%Windir%\pchealth\helpctr\System\sysinfo\vkchbbxh.exe	122,368 bytes	MD5: 0x5D80ADEE3C7AF8F9C604BEBE68BB474E SHA-1: 0xE5A6031B02728A7A2DB074DDF9562C7F4918F9A4
60	%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe	122,368 bytes	MD5: 0xBBCE617DACFD29B96A6FB7536B923072 SHA-1: 0x1308BED887FC98F963EA3A15E2C6D6C3E1520F38
61	%Windir%\pchealth\helpctr\System\UpdateCtr\qxshkkqn.exe	122,368 bytes	MD5: 0xBDD0C82557939998D575729238208C39 SHA-1: 0x1AE22F3031BBAAF26ABDAB5DC4AADDADE0CDA902
62	%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe	122,368 bytes	MD5: 0x4670CD27B130DA70F800D9A783B6DA95 SHA-1: 0x6391197D409F70F5D5C85CD2B5FA6B8B40DB5B6B
63	%Windir%\pchealth\helpctr\System\UpdateCtr\snqesjrk.exe	122,368 bytes	MD5: 0x774C73A74D046B959EDB6C12A85050E0 SHA-1: 0xAC0B431418AF8AE1E53119F6B64F7B4F72E047CF
64	%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe	122,368 bytes	MD5: 0x5A871D1CD006A3A0CEC8E693B4EA498D SHA-1: 0xA77038927E541B366E16D426B0918B981EB93A39
65	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\erwskeqr.exe	122,368 bytes	MD5: 0xDCE14481DB81F78BCB3472777767CFF4 SHA-1: 0xD586EA2133E9721B77D7589C1F9017E310463E54
66	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe	122,368 bytes	MD5: 0xC8DF24CCEC9EC8869B1BDEC370B8FD6F SHA-1: 0x2B1DA0B0F406D2F2B491C6BB70DC8A26B8B966AA
67	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\vxwqhwzs.exe	122,368 bytes	MD5: 0xCD50622B1EF955A4780217AE5D0A2CCD SHA-1: 0xAA00AA8BA8E4F8820E00F004C072F6F606E34623
68	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\vxwqhwzs.exe	122,368 bytes	MD5: 0xF5D767CB80C4072A2C2E6324C141D46B SHA-1: 0x1AC07B585818FAF581E96532D3AC05082C8AE32A
69	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\vxwqhwzs.exe	122,368 bytes	MD5: 0x27D3345279CE0DF75F911E03479F673B SHA-1: 0xD760F316760E3B2F821061510EB53A24C4A4925B
70	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe	122,368 bytes	MD5: 0xDBFFBDBBF55AE090D312B9CC542F6F44 SHA-1: 0x3091FEBF3FB66F6F14E4EF3621DDE39B232AF74A
71	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\vsekkehe.exe	122,368 bytes	MD5: 0x1284F93FBC4592E1146E10DF02D36AF2 SHA-1: 0xC185396C29F3E7142BCAA6D3830C1BC52AF701E7
72	[file and pathname of the sample #1]	122,368 bytes	MD5: 0x94FB81C162C71F397C6BC9E3DC082843 SHA-1: 0xE4039CB3866EE0FE9375BB9CD103DF8B64DEB8EB
73	%System%\urdvxc.exe	122,368 bytes	MD5: 0xF2076B56A82B60569F57D8546833B36A SHA-1: 0xF14878C81B8F678F4539A052DF9F59481C37E6F7
74	%Windir%\Web\wcxnjhhj.exe	122,368 bytes	MD5: 0x2EA4FA1C62E4CCDBEAC47F1674FA8875 SHA-1: 0xA23EF9275BC49603AE8506FC88CA8E5ACA5D99DF

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\NetMeeting\netmeet.htm
%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm
%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm
%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm
%Windir%\pchealth\helpctr\System\errors\connection.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm
%Windir%\pchealth\helpctr\System\panels\blank.htm
%Windir%\pchealth\helpctr\System\panels\NavBar.htm
%Windir%\pchealth\helpctr\System\rc\rcRequest.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\DividerBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAChatClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAStatusBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\rcscreen6_head.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\setting.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\ErrorMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\RCFileXfer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\voicefirewallmsg.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\VOIPMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar1.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar2.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\RAChatServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\SettingServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\TakeControlMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\RAStartPage.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\rcBuddy.htm
%Windir%\pchealth\helpctr\System\sysinfo\msinfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysComponentInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysEvtLogInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysHealthInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysinfosum.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysRemoteInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysServicesInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysSoftwareInfo.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\AboutWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\Learn.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\LearnInternet.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\learnWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\updatecenter.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Connection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineDC.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineOptions.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\confirm.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	214,594 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
MSWindows	Network Windows Service	"Stopped"	"%System%\urdvxc.exe" /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}\LocalServer32]

(Default) = "%Windir%\Web\wcxnjhhj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0026A548-2A19-E8A0-B03E-B8692A75086E}]

(Default) = "xhjebxerzlhlqxew"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qkezbwtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}]

(Default) = "bcjltsxsbbjkbljk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rvwwbqje.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}]

(Default) = "hjrstlhkbjslctle"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}]

(Default) = "ettnjjqtthqlekkw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}]

(Default) = "jcbjrhcnkqtnltkt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}]

(Default) = "ljjnwsbsnjherrqs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}]

(Default) = "kvlqskcsltetzhen"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32]

(Default) = [pathname with a string SHARE]\czjevcet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}]

(Default) = "kbxhwbsvcjhcbses"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xjshnvvh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}]

(Default) = "hzbjkjjxbxsexsnh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}]

(Default) = "hbjhnvbrjqlsbrhs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}]

(Default) = "hqlxlbrwerjcztvh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}]

(Default) = "erhlsvsthqhrlbjn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jhtkcrqk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}]

(Default) = "stnhnsvbjwejkbbk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32]

(Default) = "%ProgramFiles%\NetMeeting\rsewzjqn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}]

(Default) = "zrjcntnjxnnvqsnr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\zxtlktls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}]

(Default) = "njksbtzerjevnvwr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jehkxqtn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}]

(Default) = "lbtesznvbxvnxesv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32]

(Default) = "C:\Inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}]

(Default) = "sncskxxznjvbzebs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}]

(Default) = "hkwlxrcbxwrsjsrj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}]

(Default) = "wethbnlrrsnrnsns"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32]

(Default) = "%System%\urdvxc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}]

(Default) = "zbsrrrlrrsneklqb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}]

(Default) = "tbtkwjwzqjbhcrbr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jcjcvqtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}]

(Default) = "vqknrhnvseesjlqt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}]

(Default) = "sltjchqcsbsejbse"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}]

(Default) = "elkwlstrbbxlrejj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}]

(Default) = "bnswkhcwzrvlkjhb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}]

(Default) = "tsbsvrslkkbvrcrw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32]

(Default) = [pathname with a string SHARE]\qjllsjhl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}]

(Default) = "texlskvvlneebstr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\tjqlrkhx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}]

(Default) = "rrtwhkbhsrvrbvkn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\ehlbrqvs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}]

(Default) = "crnqjeltnsscbnwz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}]

(Default) = "wtllncrjnzsktler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\Howto\tbzrsrxv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}]

(Default) = "lrkbhjezrchbzzbz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\tsektjkj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}]

(Default) = "bneqhlbcttzthjej"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\nxhtnbrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}]

(Default) = "hjxeqzebtzhjbsvz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}]

(Default) = "terznrwrkhxhlrxe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32]

(Default) = "C:\tvsknrse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}]

(Default) = "lewtcnnessbctjwe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\srzectxw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}]

(Default) = "qjnchlwhlzrqvesc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32]

(Default) = [pathname with a string SHARE]\bhrhnkht.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}]

(Default) = "xqrjjnqlbhltkvsl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}]

(Default) = "ezbwnzsbklstqvnn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}]

(Default) = "sctsjtqbtebvshkt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}]

(Default) = "klbcqtlbsjejkjqk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ktensxxh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}]

(Default) = "senheqwlhhrzertl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nxxhexkh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}]

(Default) = "ntenbsshrescsvlj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32]

(Default) = [pathname with a string SHARE]\bcwvzwbh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}]

(Default) = "wvcjqeezechxwvxe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\snrlrkcn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}]

(Default) = "snljqcbzlhtjbnej"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}]

(Default) = "ttthrhqnhjknbbel"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}]

(Default) = "esteksbnvrrhvcsv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jclbnjhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}]

(Default) = "hlsbzwkkehlrqjsk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32]

(Default) = [pathname with a string SHARE]\bnbtzwxt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}]

(Default) = "qlchrkjhhcelthrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\elbkcznj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}]

(Default) = "bbselxqjhersbqkj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}]

(Default) = "vsvnblwthhnhezbj"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex object was created:

jhdheddfffffhjk5trh

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.