ThreatExpert Report: not-a-virus:AdWare.Win32.EZula.bc, not-a-virus:AdWare.Win32.EZula..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 December 2010, 13:41:48
Processing time: 12 min 3 sec
Submitted sample:

File MD5: 0xA2D3403EC604057C59E7ED3D47DB15F6
File SHA-1: 0x918D10D28E1F2DF2FC3262794A965F1DC704E550
Filesize: 2,925,329 bytes
Alias:

not-a-virus:AdWare.Win32.EZula.bc [Kaspersky Lab]
not-a-virus:AdWare.Win32.EZula [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.eZula	When installed, eZula will alter all pages viewed in IE, adding extra links to words and phrases targeted by advertisers. These links are unauthorised by the operators of the sites being viewed.
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.
Adware.WhenU_WeatherCast	Weathercast displays weather forecasts in real time. It also bundles WhenUSearch with it and displays text-based advertisements within the WeatherCast program.
Adware.Component.WhenU	Common Components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.
Adware.VB	Adware.VB is a generic detection for adware programs compiled in Visual Basic. It displays popup advertisements and may download other adware and spyware without the users knowledge.
Adware.SaveNow!sd5	Adware.SaveNow!sd5 is a potentially unwanted adware program that could be used to display various pop-up advertisements.

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\ICQFileShare.lnk	680 bytes	MD5: 0x5579FF6FC022A22C93988BBEAB47A943 SHA-1: 0x1074E295D450BB9C071D0E52465FF22CF4689CE2	(not available)
2	%Programs%\ICQ File Share\ICQ File Share.lnk	692 bytes	MD5: 0x132EE48E10D8B979D32D51CE8E06FDD9 SHA-1: 0x53DD9E89BA79BBC1E16B02263938852974CAA537	(not available)
3	%Programs%\ICQ File Share\Manual.lnk	727 bytes	MD5: 0xE5E2D80EB37724F53CB3E0AD6D5E3028 SHA-1: 0xC2BB08EA18BBD3234BAF3E58C186F4D73E8AD817	(not available)
4	%Programs%\Startup\ICQFileShare.LNK	800 bytes	MD5: 0x477C8C17B8C59A3925034424C7186556 SHA-1: 0xD44EA1C8291F9C0B03A423DD314FA5EFF174E292	(not available)
5	%Programs%\WeatherCast\WeatherCast.lnk	1,504 bytes	MD5: 0x2B729002D23D3208F2C948601CBA1C83 SHA-1: 0x95F23C5CFD01F1F06F090B2A266E5D1C9A159C2F	(not available)
6	%ProgramFiles%\ICQ File Share\Data\License.txt	1,576 bytes	MD5: 0xE698C64D74723D02F6225FF68A9ED34A SHA-1: 0x9DE192E90117FC0701AC672B199C4EB938A258E2	(not available)
7	%ProgramFiles%\ICQ File Share\Help\btnbrowse.gif	894 bytes	MD5: 0xF4A4FAC9F2094F8CAEFDB5C01ECFA62F SHA-1: 0xEA9DAD72C9901EB3F2FC89D964CF4265D222C95D	(not available)
8	%ProgramFiles%\ICQ File Share\Help\directories.gif	1,123 bytes	MD5: 0x77327861984B07AFDB8FEC2FA5AADA34 SHA-1: 0x69562E342B52ECC6FDBDE848CD9C98B36E65FA0C	(not available)
9	%ProgramFiles%\ICQ File Share\Help\dlgcreatelist.gif	3,451 bytes	MD5: 0xC09E3E3BEF9AF57D7E0190665A0126D4 SHA-1: 0x105606103E71C6253548F7328CBA5D36E7FAF176	(not available)
10	%ProgramFiles%\ICQ File Share\Help\dlginvite.gif	6,370 bytes	MD5: 0x1E9E023ACB0268FAC0D004347AAD8E53 SHA-1: 0xCE0893934AFA114C25548D768BD42518ECD71332	(not available)
11	%ProgramFiles%\ICQ File Share\Help\dlgmonitorwindow.gif	13,613 bytes	MD5: 0x7B1DC8F1B6CF5FBD95A22C768A58BA60 SHA-1: 0x1733774BB82D1FF422B3BBB184DAD695583185C6	(not available)
12	%ProgramFiles%\ICQ File Share\Help\dlgoptions.gif	4,135 bytes	MD5: 0xFC8CACBE61D9E40A3F240293BB3A0E9C SHA-1: 0xD0FBB8A74D9082471743B3BC578C482F373E2D98	(not available)
13	%ProgramFiles%\ICQ File Share\Help\dlgsearch.gif	7,959 bytes	MD5: 0x18ACD585BA5F26CC3B4D82EC92E8B697 SHA-1: 0xAFCAE78F31149113667A3E01A824F1E1C4DD7EBF	(not available)
14	%ProgramFiles%\ICQ File Share\Help\dlgsendlist.gif	4,299 bytes	MD5: 0x9AE6427612ABB1BE689B05979528CFDF SHA-1: 0xF9B558C17F545800C337A4C26845E17C63048BB9	(not available)
15	%ProgramFiles%\ICQ File Share\Help\dlgshare.gif	7,269 bytes	MD5: 0x5CB57A32725AC7D0784607E702011022 SHA-1: 0xB9EAB8620E9D136F073A205FD6FA99C736AB0D49	(not available)
16	%ProgramFiles%\ICQ File Share\Help\dlgshareinvitation.gif	4,170 bytes	MD5: 0xC242466F046DF2030165C556D879E4D4 SHA-1: 0x5F9372FF6A627020C33E0928C280BD0AC03FF63C	(not available)
17	%ProgramFiles%\ICQ File Share\Help\dlgsharewindow.gif	20,172 bytes	MD5: 0xC0C625B006E7FF8F8A4B289E3B47446C SHA-1: 0x05CE765D125D5A062A102840A360BCE6CE6A37EF	(not available)
18	%ProgramFiles%\ICQ File Share\Help\dlgtransfers.gif	13,075 bytes	MD5: 0x2A0ACD746F2F8455ECE7FD125FB7BDDD SHA-1: 0xB0A06D4B6BA5F630AB2472DA89C7514898CA0862	(not available)
19	%ProgramFiles%\ICQ File Share\Help\licenseagreement.htm	2,585 bytes	MD5: 0x840BEE7214FC1CF450128A98E9336C0C SHA-1: 0x5DB3722DC959879AF6C62352FBEE83706A52F14E	(not available)
20	%ProgramFiles%\ICQ File Share\Help\manual.htm	20,527 bytes	MD5: 0x95368BBADF56A8387A05FE1EFBFDAFDE SHA-1: 0x156CEBE2DAFD6B2226F6F7D19C914911EEC41D0B	(not available)
21	%ProgramFiles%\ICQ File Share\Help\mnuextra.gif	1,219 bytes	MD5: 0xAAAEE33C39F06FCE45B262EF05D57BE4 SHA-1: 0x50441708C068123C336142FE7486D5DF794B8AA5	(not available)
22	%ProgramFiles%\ICQ File Share\Help\mnufile.gif	1,130 bytes	MD5: 0xF51A01287C5EA31810F50F0738ADE2EA SHA-1: 0x16846445B136D4CE927DD07820D751851935FE9D	(not available)
23	%ProgramFiles%\ICQ File Share\Help\mnuhelp.gif	1,971 bytes	MD5: 0x587377C15A1824737A2A540718B89B30 SHA-1: 0xE3CC1EA7C11E032D50A6C4614A6EDD9B62C74634	(not available)
24	%ProgramFiles%\ICQ File Share\Help\mnushare.gif	1,873 bytes	MD5: 0xAEA80BC05A0EA4B8AF8B2F15439EDA8D SHA-1: 0xE42AE3A307514A12A084FC910F573634EB2DF00A	(not available)
25	%ProgramFiles%\ICQ File Share\Help\purpleflower.gif	903 bytes	MD5: 0xC6625CCA11C2DB95021261A434AB55B5 SHA-1: 0x51564FC1A87791876590E066C9F63744EB74EE62	(not available)
26	%ProgramFiles%\ICQ File Share\Help\tlbcreatelist.gif	908 bytes	MD5: 0x5C306F7ADFA6F8F84C07AC80639769A0 SHA-1: 0x7FD1565051CFBF60DE2E6054DDA3D7013CF3C178	(not available)
27	%ProgramFiles%\ICQ File Share\Help\tlbhelp.gif	877 bytes	MD5: 0xF84028D8A4724B9CDD9AEFBC84410678 SHA-1: 0xB2B2CABE51CCDB8DCF28322395846881169281EC	(not available)
28	%ProgramFiles%\ICQ File Share\Help\tlbinvite.gif	879 bytes	MD5: 0x5700E46BE792DA9DE85D4DEBCF361C51 SHA-1: 0xD8F1A1AB45EB8A91DF951DAD64C5126EC957659A	(not available)
29	%ProgramFiles%\ICQ File Share\Help\tlboptions.gif	900 bytes	MD5: 0x3BC2AB8444CBB8549406BD7B08BA1991 SHA-1: 0xCBF40B0ACFD2AA3A1EBF9C4612D6422040815385	(not available)
30	%ProgramFiles%\ICQ File Share\Help\tlbsendlist.gif	904 bytes	MD5: 0x8EDC805721713B71E9CF9E5E441AD407 SHA-1: 0x032018FAC18196962673F34620DC953F033E3955	(not available)
31	%ProgramFiles%\ICQ File Share\Help\tlbshare.gif	896 bytes	MD5: 0x2F108733A6DFBA49AC7C827353B6C206 SHA-1: 0xDCD212B4B50B5F65F1F37EF67B0BA833B3DBD56E	(not available)
32	%ProgramFiles%\ICQ File Share\Help\tlbshowip.gif	894 bytes	MD5: 0xF519992174BE6B525344CA20F57C30C4 SHA-1: 0xAF99228E0E4C0698AC41EF81C4B9D38AC5C08168	(not available)
33	%ProgramFiles%\ICQ File Share\Help\tlbtellafriend.gif	890 bytes	MD5: 0x6F3312571EA46AC60A6DB8072961483E SHA-1: 0xC617AD2659C87B8878E70EC8750F6C7E41CE0EBD	(not available)
34	%ProgramFiles%\ICQ File Share\Help\tlbvisitsite.gif	916 bytes	MD5: 0xF9D7A43137D451AB210993BD16D9B034 SHA-1: 0x69A4C909073C4BAA47BCBFC167C2816846D600A7	(not available)
35	%ProgramFiles%\ICQ File Share\Help\toolbar.gif	2,544 bytes	MD5: 0xFB1DAC58602BD6FF45FAAC66D620D2BD SHA-1: 0x5B9E1AA2D01E5A6A1A85405F10E483DB3BC3E29C	(not available)
36	%ProgramFiles%\ICQ File Share\ICQCallDll.dll	36,864 bytes	MD5: 0xDB475E5839DE633883180470BC865647 SHA-1: 0x331CCB57D887AD372583DF3F11245E37D0B61546	(not available)
37	%ProgramFiles%\ICQ File Share\ICQFileShare.exe	602,112 bytes	MD5: 0x3E65AC7515A75CCCA34E0E48439A7585 SHA-1: 0xA50FB6C40D3F167A83DDE4AC2747EDC8D5FEDEA1	(not available)
38	%ProgramFiles%\ICQ File Share\ICQMAPI.dll	58,368 bytes	MD5: 0xE04B4E4D03DE8D0A5EDFE01738C54755 SHA-1: 0x407AA20A1801E936E61E33262CF709788DACAFCB	(not available)
39	%ProgramFiles%\ICQ File Share\INSTALL.LOG	5,553 bytes	MD5: 0x517D96E568EA8A38EE0C98633E066FA4 SHA-1: 0x9A98E85676289D12DB8C6E091F366A4981934571	(not available)
40	%ProgramFiles%\ICQ File Share\Partner\BSaveInstWm.exe	211,096 bytes	MD5: 0x8B41D9793AAA6665B61ABCFDD85C44D5 SHA-1: 0xB0B0D4055DA4481EA1AF00A08C30C4911B84CF79	Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl [Kaspersky Lab] Adware-SaveNow [McAfee] Adware:Win32/WhenU.A [Microsoft] not-a-virus:AdWare.Win32.SaveNow [Ikarus]
41	%ProgramFiles%\ICQ File Share\Partner\ezsTTtub.exe	53,248 bytes	MD5: 0x52767EE6F610FA53881E6DFE5DBBFB28 SHA-1: 0x50E60219C3334A0DAF86790321C43A0E4048479F	Adware.Ezula [Symantec] not-a-virus:AdWare.Win32.EZula.bc [Kaspersky Lab] Adware-Ezula [McAfee] Adware:Win32/Ezula.F [Microsoft] not-a-virus:AdWare.Win32.EZula.bh [Ikarus] Win-Trojan/Ezula.53248 [AhnLab]
42	%ProgramFiles%\ICQ File Share\Sounds\DownloadComplete.wav	28,298 bytes	MD5: 0x53D6957D0328F01BA584E37BA0E9EB60 SHA-1: 0xEDF1CDB7B4F1B8976344995B63D40CF31192BB45	(not available)
43	%ProgramFiles%\ICQ File Share\Sounds\LiveUpdate.wav %ProgramFiles%\ICQ File Share\Sounds\Warning.wav	14,354 bytes	MD5: 0xFD0BB67914B5A9E09587A9DB8907E622 SHA-1: 0x842CBA7FBFB83A83E83203CCEFBC327CB90E724F	(not available)
44	%ProgramFiles%\ICQ File Share\Sounds\ShareInvitation.wav	33,338 bytes	MD5: 0x1AC0F65473595ED427415979237897BE SHA-1: 0x90C5E51205350A106074AE88D15FE7D8B6EE7F77	(not available)
45	%ProgramFiles%\ICQ File Share\Sounds\UploadComplete.wav	27,402 bytes	MD5: 0x86F29EA6FBBE64B5797510E2870AAA98 SHA-1: 0x7C3E8DB0B92B3C5C4F4C7C9E1B14B10D911848DA	(not available)
46	%ProgramFiles%\ICQ File Share\UNWISE.EXE	162,304 bytes	MD5: 0x3A938ED2427DF10E571041069E6980CB SHA-1: 0xC3C96CC03EC6714CF7C98CAADB00FBFAA8E82411	(not available)
47	%ProgramFiles%\Save\ReadMe.txt	3,472 bytes	MD5: 0x308698A03FB807FBD6934CF896E5692B SHA-1: 0x3398AE0255054B1E62E37F18C9A5643258F2EA9E	Adware-SaveNow [McAfee]
48	%ProgramFiles%\Save\Save.exe	221,696 bytes	MD5: 0x6B05418CD9B52CC82ED9ADE264BAE255 SHA-1: 0xB3124F4AA83824C85CDEC93A325477826039E725	Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow.e [Kaspersky Lab] Adware-SaveNow [McAfee] Adware:Win32/WhenU.A [Microsoft] not-a-virus:AdWare.Win32.SaveNow.e [Ikarus]
49	%ProgramFiles%\Save\save.htm	44,008 bytes	MD5: 0xCC61EAC881F85F1D3C22CDE257BB20A6 SHA-1: 0x56BB91EDBDBE7DE35A496660964E64C0CA3C9122	(not available)
50	%ProgramFiles%\Save\SaveUninst.exe	20,540 bytes	MD5: 0x76BB4833C3B0A887DB4390E501DB4420 SHA-1: 0x0572D58D5776499F8E282F4D8518659DE5CBF55F	not-a-virus:AdWare.Win32.SaveNow.bl [Kaspersky Lab] Adware-SaveNow [McAfee] Adware:Win32/WhenU.A [Microsoft] not-a-virus:AdWare.Win32.SaveNow.bl [Ikarus] Win-Trojan/Savenow.20992 [AhnLab]
51	%ProgramFiles%\WeatherCast\Uninst.exe	16,951 bytes	MD5: 0x718F99F57CBCF57C6F12AA6CD4877B07 SHA-1: 0x1EA1F61287636F7976AD026D85570B5D31E84BAB	not-a-virus:AdWare.Win32.SaveNow.bl [Kaspersky Lab] Adware-SaveNow [McAfee] Adware:Win32/WhenU.A [Microsoft] not-a-virus:AdWare.Win32.SaveNow [Ikarus]
52	%ProgramFiles%\WeatherCast\Weather.exe	84,992 bytes	MD5: 0x3FDD788210E9F7D580D95081ED3160E4 SHA-1: 0x14E96A8438B61A63DF1988074B1C8FB245E9B676	Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow [Kaspersky Lab] Adware-SaveNow [McAfee] Adware:Win32/WhenU.D [Microsoft] not-a-virus:AdWare.Win32.SaveNow [Ikarus]
53	%System%\Base64.dll	45,056 bytes	MD5: 0x921BD793A27D811881B4BC33F1F39E7A SHA-1: 0x3F909DF4192E52FF904D1FE43E1CCA4EB75C98F6	(not available)
54	%System%\InstallDll.dll	69,632 bytes	MD5: 0x628A3B9C40FC8B7FE065C7D3A54A3B58 SHA-1: 0xA114828F0A526A6374E08F59BBA50905692C318F	(not available)
55	%System%\MsgHoo32.ocx	28,672 bytes	MD5: 0x4DC9752BA6418BBAC12852BBCF0374CB SHA-1: 0xECDE09C3BF8678330BED9AF25C9683551A302B2F	(not available)
56	[file and pathname of the sample #1]	2,925,329 bytes	MD5: 0xA2D3403EC604057C59E7ED3D47DB15F6 SHA-1: 0x918D10D28E1F2DF2FC3262794A965F1DC704E550	not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.EZula.bc [Kaspersky Lab] not-a-virus:AdWare.Win32.EZula [Ikarus]
57	%System%\Vb5stkit.dll	29,696 bytes	MD5: 0xF17CCC7123909FBB13158003EDC68034 SHA-1: 0xF06989A733361EA7F8AD464F4233C4103C6F8EF9	(not available)

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

%System%\MSCOMCTL.OCX
%System%\MSFLXGRD.OCX

The following directories were created:

%Programs%\ICQ File Share
%Programs%\WeatherCast
%ProgramFiles%\ICQ File Share
%ProgramFiles%\ICQ File Share\Data
%ProgramFiles%\ICQ File Share\Downloads
%ProgramFiles%\ICQ File Share\Help
%ProgramFiles%\ICQ File Share\Partner
%ProgramFiles%\ICQ File Share\Share
%ProgramFiles%\ICQ File Share\Sounds
%ProgramFiles%\ICQ File Share\Uploads
%ProgramFiles%\Save
%ProgramFiles%\WeatherCast

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	28,672 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
Base64.dll	%System%\Base64.dll	Process name: ICQFileShare.exe Process filename: %ProgramFiles%\icq file share\icqfileshare.exe Address space: 0x64080000 - 0x6408B000
MsgHoo32.ocx	%System%\MsgHoo32.ocx	Process name: ICQFileShare.exe Process filename: %ProgramFiles%\icq file share\icqfileshare.exe Address space: 0x10000000 - 0x1000C000
VB5STKIT.DLL	%System%\VB5STKIT.DLL	Process name: ICQFileShare.exe Process filename: %ProgramFiles%\icq file share\icqfileshare.exe Address space: 0x2B70000 - 0x2B7C000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\eZulaBootExe.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\VERSION
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\MiscStatus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\MiscStatus\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5044-76B3-11CE-BF00-0080AD0EF894}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5044-76B3-11CE-BF00-0080AD0EF894}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Base64Lib.Base64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Base64Lib.Base64\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBHT.Msghook
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBHT.Msghook\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSN.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICQ File Share
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\CAST
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\eZula
HKEY_CURRENT_USER\Software\NPSsoft
HKEY_CURRENT_USER\Software\NPSsoft\ICQFileShare
HKEY_CURRENT_USER\Software\NPSsoft\ICQFileShare\General
HKEY_CURRENT_USER\Software\WhenU
HKEY_CURRENT_USER\Software\WhenU\Weather

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\eZulaBootExe.EXE]

AppID = "{C0335198-6755-11D4-8A73-0050DA2EE1BE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}]

(Default) = "eZulaBootExe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\VERSION]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\TypeLib]

(Default) = "{28656AB9-8E12-11D2-950F-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\ProgID]

(Default) = "Base64Lib.Base64"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}\InprocServer32]

(Default) = "%System%\Base64.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28656ABB-8E12-11D2-950F-000000000000}]

(Default) = "Base64Lib.Base64"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\MiscStatus\1]

(Default) = "132497"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\TypeLib]

(Default) = "{307C5043-76B3-11CE-BF00-0080AD0EF894}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\ToolboxBitmap32]

(Default) = "%System%\MsgHoo32.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\ProgID]

(Default) = "VBHT.Msghook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\MiscStatus]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\InprocServer32]

(Default) = "%System%\MsgHoo32.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}\Control]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5040-76B3-11CE-BF00-0080AD0EF894}]

(Default) = "Msghook Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5044-76B3-11CE-BF00-0080AD0EF894}\InprocServer32]

(Default) = "%System%\MsgHoo32.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{307C5044-76B3-11CE-BF00-0080AD0EF894}]

(Default) = "Msghook Property Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\VersionIndependentProgID]

(Default) = "EZulaBootExe.InstallCtrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\TypeLib]

(Default) = "{C0335197-6755-11D4-8A73-0050DA2EE1BE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\ProgID]

(Default) = "EZulaBootExe.InstallCtrl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}\LocalServer32]

(Default) = "C:\PROGRA~1\ICQFIL~1\Partner\ezsTTtub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}]

(Default) = "InstallCtrl Class"
AppID = "{C0335198-6755-11D4-8A73-0050DA2EE1BE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\TypeLib]

(Default) = "{28656AB9-8E12-11D2-950F-000000000000}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28656ABA-8E12-11D2-950F-000000000000}]

(Default) = "Base64"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\TypeLib]

(Default) = "{307C5043-76B3-11CE-BF00-0080AD0EF894}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5041-76B3-11CE-BF00-0080AD0EF894}]

(Default) = "_DMsghook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\TypeLib]

(Default) = "{307C5043-76B3-11CE-BF00-0080AD0EF894}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{307C5042-76B3-11CE-BF00-0080AD0EF894}]

(Default) = "_DMsghookEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\TypeLib]

(Default) = "{C0335197-6755-11D4-8A73-0050DA2EE1BE}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}]

(Default) = "IInstallCtrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\0\win32]

(Default) = "%System%\Base64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\HELPDIR]

(Default) = "%Windir%\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}\1.0]

(Default) = "Base64 Encoding Library v2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\0\win32]

(Default) = "%System%\MsgHoo32.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\HELPDIR]

(Default) = "%Windir%\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0\FLAGS]

(Default) = "2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{307C5043-76B3-11CE-BF00-0080AD0EF894}\1.0]

(Default) = "Msghook OLE Custom Control module"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\0\win32]

(Default) = "C:\PROGRA~1\ICQFIL~1\Partner\ezsTTtub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\HELPDIR]

(Default) = "C:\PROGRA~1\ICQFIL~1\Partner\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0]

(Default) = "eZulaBootExe 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Base64Lib.Base64\Clsid]

(Default) = "{28656ABB-8E12-11D2-950F-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Base64Lib.Base64]

(Default) = "Base64Lib.Base64"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer]

(Default) = "EZulaBootExe.InstallCtrl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID]

(Default) = "{C03351A4-6755-11D4-8A73-0050DA2EE1BE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl]

(Default) = "InstallCtrl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1\CLSID]

(Default) = "{C03351A4-6755-11D4-8A73-0050DA2EE1BE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EZulaBootExe.InstallCtrl.1]

(Default) = "InstallCtrl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBHT.Msghook\CLSID]

(Default) = "{307C5040-76B3-11CE-BF00-0080AD0EF894}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBHT.Msghook]

(Default) = "Msghook Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSN.1]

WUSN_Id = EB 7A 86 78 BE AF DD 4D 8E 5D C3 C1 55 D3 3A B6

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

WhenUSave = "C:\PROGRA~1\Save\Save.exe"

so that Save.exe runs every time Windows starts

[[pathname with a string SHARE]\SharedDlls]

%System%\Vb5stkit.dll = 0x00000001
%System%\Base64.dll = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICQ File Share]

DisplayName = "ICQ File Share"
UninstallString = "C:\PROGRA~1\ICQFIL~1\UNWISE.EXE C:\PROGRA~1\ICQFIL~1\INSTALL.LOG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]

DisplayIcon = "C:\PROGRA~1\Save\Save.exe,1"
DisplayName = "SaveNow"
DisplayVersion = "1.61"
HelpLink = "www.whenu.com"
Publisher = "WhenU.com, Inc."
UninstallString = "C:\PROGRA~1\Save\SaveUninst.exe /rWUSV /kSaveNow /dSaveNow"
UrlInfoAbout = "www.whenu.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast]

DisplayIcon = "%ProgramFiles%\WeatherCast\Weather.exe,-0"
DisplayName = "WeatherCast"
DisplayVersion = "1.0"
HelpLink = "www.whenu.com/about_weather.html"
Publisher = "WhenU.com, Inc."
UninstallString = "C:\PROGRA~1\WEATHE~1\Uninst.exe"
UrlInfoAbout = "http://www.whenu.com/about_weather.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV]

Partner = "WUSV0602"
InstallTime = "20101213134352"
PartnerDesc = "SaveNow"
PartnerParam = "dt=Save Now!,q=,i=1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\CAST]

Partner = "CAST0702"
InstallTime = "20101213134353"
PartnerDesc = "WeatherCast"
PartnerFile = "C:\PROGRA~1\WEATHE~1\Weather.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave]

db_local_update = "0"
db_script_update = "1001500019"
InstallDir = "C:\PROGRA~1\Save"
pats_url = "http://a1964.g.akamai.net/f/1964/2730/1h/app.whenu.com/OffersData"
pat_chunks_url = "http://a1964.g.akamai.net/f/1964/2730/15d/app.whenu.com/DataChunks"
script_url = "http://a1964.g.akamai.net/f/1964/2730/1h/web.whenu.com/offscript2.html"

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>`NTP6lYuf(laaqF-Q9q."

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>-S}(z(Bof(0l9efGjyo1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>-S}(z(Bof(0l9efGjyo1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>-S}(z(Bof(0l9efGjyo1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>-S}(z(Bof(0l9efGjyo1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]

InprocServer32 = "IW[F9`$@Q?NcrI3z%N[,>-S}(z(Bof(0l9efGjyo1"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib]

(Default) =
Version =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib]

(Default) =
Version =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.Slider]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5E9E78A0-531B-11CF-91F6-C2863C385E30}\1.0]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5E9E78A0-531B-11CF-91F6-C2863C385E30}\1.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]

C:\WINDOWS\system32\COMDLG32.OCX =
C:\WINDOWS\system32\MSFLXGRD.OCX =
C:\WINDOWS\system32\MSINET.OCX =
C:\WINDOWS\system32\MSWINSCK.OCX =
C:\WINDOWS\system32\MSCOMCTL.OCX =

Other details

Analysis of the file resources indicate the following possible country of origin:

Spain

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
66.152.85.200	80
66.152.85.202	80

The data identified by the following URLs was then requested from the remote web server:

http://app.whenu.com/WeatherPrefs
http://spapp.whenu.com/WeatherDB
http://app.whenu.com/Tracker?type=wcast&pageid=3&page=choicesnew&sid=12922693461741338988949
http://app.whenu.com/Weather?id=78867AEBAFBE4DDD8E5DC3C155D33AB6&url=FIND0702&src=silent
http://web.whenu.com/heartbeat?program=weather&partner=FIND0702&id=78867AEBAFBE4DDD8E5DC3C155D33AB6&ver=1.00
http://www.whenudownloads.com/weatherupdate.exe
http://spweather.whenu.com/images/choicesnew3.gif

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.