Submission Summary:

What's been found | Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Threat Category | Description
A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 c:\Inetpub\wwwroot\kkvwbsrw.exe 57,856 bytes MD5: 0x096D6D0999A305F033156DA36142B428
SHA-1: 0xC26490E53145673D4DDEE26FDC0BA297025BC95B
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
2 [pathname with a string SHARE]\bcwvzwbh.exe 57,856 bytes MD5: 0x789892FB46D73BCCE8F74C3C9534C0E6
SHA-1: 0x504482588D61B0E388A2B273CAC16F795EB9A6FD
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
3 [pathname with a string SHARE]\bhrhnkht.exe 57,856 bytes MD5: 0xF2EE6F9CCB3B8F7D7EED49CCC7577726
SHA-1: 0x21C91CA9367A425DCFA66585885B23D84A2592CF
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
4 [pathname with a string SHARE]\bnbtzwxt.exe 57,856 bytes MD5: 0xAFE480EEDCE901644A13765D04270F11
SHA-1: 0x80EEB5478C5C013310662C94B27BC0D7F94B5023
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
5 [pathname with a string SHARE]\brvrjrke.exe 57,856 bytes MD5: 0x81A46CCE9F3B9A66F739AEEF9C81ED2E
SHA-1: 0x08D41C2C5BEBE0F03248CB840716DF259BD35845
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
6 [pathname with a string SHARE]\bzqlkhrh.exe 57,856 bytes MD5: 0x3C8CCC2E5A80CE6BC3DCFA7FDA892CB9
SHA-1: 0xFEEE67DBD54030FB4B59C958F5701CE3987B3B2D
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
7 [pathname with a string SHARE]\czjevcet.exe 57,856 bytes MD5: 0x83CCB43FD1F27AD9668842F8B46AFB39
SHA-1: 0x5D0C87CE8E451B71F8C803D4CF5893EEFD692CB1
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
8 [pathname with a string SHARE]\ehbebsrn.exe 57,856 bytes MD5: 0x9056436DACC4DC69B049BF8AD809ED10
SHA-1: 0xF12FA428C7941369DAD2E1C9249F9DF7CC0D0367
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
9 [pathname with a string SHARE]\elwtjnbj.exe 57,856 bytes MD5: 0x898806B5D9B68FF89193BA73E71AF8A9
SHA-1: 0x698D356C2F3DF23A5DB8FF1B018CA53C250777B7
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
10 [pathname with a string SHARE]\njbsvtll.exe 57,856 bytes MD5: 0xD25AEBD0EA7802FA6B864DD038D72223
SHA-1: 0xCBCED1FEA8C41C003F19777EE162A8B3CAC7A8E5
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
11 [pathname with a string SHARE]\nsqjttkv.exe 57,856 bytes MD5: 0x877A2F49EDC18FD82FEDEF80BF060567
SHA-1: 0x6072170387BD33A101163B9544193141F9361D49
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
12 [pathname with a string SHARE]\qjllsjhl.exe 57,856 bytes MD5: 0xD636AE4F2078E574A77983E6EE42F5AE
SHA-1: 0xBF3391FABD6C3C5C438C8CEE2B5CB1F28EB20974
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
13 [pathname with a string SHARE]\tlcwjrwt.exe 57,856 bytes MD5: 0xBD43580D68224669EA2A80C8CBF899C2
SHA-1: 0x6497AF69A3DA3A3CCA774CD37911C4BEE309C63D
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
14 [pathname with a string SHARE]\vkjljzrn.exe 57,856 bytes MD5: 0xEF931CCDDC05D096C0D728294BA79CAD
SHA-1: 0xFE3ADFC824E6A0C8BF8E1A6076C72E092775501A
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
15 [pathname with a string SHARE]\xrljqjzn.exe 57,856 bytes MD5: 0xFC1C3F7D17D46F362141153291A10FDE
SHA-1: 0x3BE036C7AF4ECA681990E395F5B1FB930169ADBB
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
16 %ProgramFiles%\Common Files\System\ado\tsektjkj.exe 57,856 bytes MD5: 0xDB7BEC6804E94FCD798D2B9C5FE3E8C2
SHA-1: 0xDFFD5A5DB1D2F5124E77C291BE9E4F4EBAC61E4A
W32.Rahack.H [Symantec]
Net-Worm.Win32.Allaple.a [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
17 %ProgramFiles%\NetMeeting\rsewzjqn.exe 57,856 bytes MD5: 0xFFD1B1D982BC4469B6E70F203BDB4CA2
SHA-1: 0xCB690ECF863106BE3680106DD747206CE67F161C
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
18 c:\tvsknrse.exe 57,856 bytes MD5: 0xB9013C4AA80B50352490F701CEC29A7D
SHA-1: 0x3C515DA875E1BA9B7FE6276CE811631DEED5C4E5
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
19 %Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe 57,856 bytes MD5: 0x0B33512E3C394CF664210BB31DB2599D
SHA-1: 0x393E6D5602024057526B9C64B773EE3A730689B5
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
20 %Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe 57,856 bytes MD5: 0x11D9EB726003847792176425D0FA54F9
SHA-1: 0xA5C074A52A110A4AEB0FE4D38E2D5C6FADDD676D
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
21 %Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe 57,856 bytes MD5: 0x56F670B77DEE712A9A6C2B0FC97FE97C
SHA-1: 0xC74731918439698D850F8F587427F1CF811C26AD
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
22 %Windir%\pchealth\helpctr\System\CompatCtr\zlhqrlbx.exe 57,856 bytes MD5: 0x0079A1ED04AA23B62871FA767B69BFFF
SHA-1: 0x51212A859F9EC297676A14FEC6ED79816EEBEE73
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
23 %Windir%\pchealth\helpctr\System\DVDUpgrd\shrrtjet.exe 57,856 bytes MD5: 0xE35D5C4F2B7D4633644017E561B49B46
SHA-1: 0x98D682A48587E5BF7A029675E53063A44C165EAC
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
24 %Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe 57,856 bytes MD5: 0x8713DA0210025D238ED2AC1F5E9EF165
SHA-1: 0x7F462DF9CB256F3922CE712DF10676AEA05261C5
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
25 %Windir%\pchealth\helpctr\System\errors\jcjjlqnq.exe 57,856 bytes MD5: 0xED9A24E9A76D259644D1391BAEB4613A
SHA-1: 0xA79BF20C7A0A53D13C166A64C314199F0BDA012F
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
26 %Windir%\pchealth\helpctr\System\NetDiag\hsjqschn.exe 57,856 bytes MD5: 0xA2EBFB8681F5D16295E8CAECF8AED8AB
SHA-1: 0xFFC67EE75CAECED0261406C9490F24B443D3A9A3
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
27 %Windir%\pchealth\helpctr\System\NetDiag\xrvxszvs.exe 57,856 bytes MD5: 0x836A72C789538911D8F8609AA347A3F4
SHA-1: 0x4C92768146EE21DE6B5B3DDEA89FFB2CCA2B13F3
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
28 %Windir%\pchealth\helpctr\System\panels\nntlskwn.exe 57,856 bytes MD5: 0xA40C8A94D74AEEE6F74ED9429C9809C6
SHA-1: 0xF707B37BD79193ED7F8495E241DE318F4E2E1DC4
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
29 %Windir%\pchealth\helpctr\System\panels\sncncweb.exe 57,856 bytes MD5: 0x1A21B53EC8B5410FCF95E5FAE22905D7
SHA-1: 0xEC1DF54444B3F846CF3CF8C1ABDB95F0F95559E0
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
30 %Windir%\pchealth\helpctr\System\rc\qbrblthb.exe 57,856 bytes MD5: 0xD499FF48C3E4F13A5C5A996F3DD7712D
SHA-1: 0x550ACA3CE1ECC304C307454A5E4109F3B73D9BAB
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
31 %Windir%\pchealth\helpctr\System\Remote Assistance\Common\hxrshqsj.exe 57,856 bytes MD5: 0x3A1522D0821C7006FFD3D9F833A1817A
SHA-1: 0x8FAAD8393C2271AB8C5368620E824F02FFBEEF4B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
32 %Windir%\pchealth\helpctr\System\Remote Assistance\Common\rwcjrqhw.exe 57,856 bytes MD5: 0xB6010C73A80F27114894D49788841634
SHA-1: 0x5301AF35B170E45B547CF995A47EE743CFD8DC5A
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
33 %Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe 57,856 bytes MD5: 0xC2E03687F41DA12178BD604413BB9117
SHA-1: 0xA6BB9C79316DFE5505C717BD2645CAF9A47F744D
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
34 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ekjvhbcn.exe 57,856 bytes MD5: 0x08E6F18636117D05C4C76E4A544DA95F
SHA-1: 0x1CB94A7566B0D44172F0FBAC6A3D79E35BB2A417
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
35 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\jjennetl.exe 57,856 bytes MD5: 0xCFDA219F2C2A45749CE5AE1F0E9F1082
SHA-1: 0xDA2A59E2486746D9C3D1D2FD9CAC40AF782E18B1
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
36 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\knenvxlj.exe 57,856 bytes MD5: 0x9BF95F2C5048133C2B0FD3874D11DEDD
SHA-1: 0x406119A9C1E00FC69D193A3C2A6D3FA35CDE7451
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
37 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe 57,856 bytes MD5: 0x06F0F59A675E71A24602EB6FE61C4185
SHA-1: 0x9A8F6E180A5A407EFFE0C642D5948E056226FD17
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
38 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe 57,856 bytes MD5: 0x63C7CA4A68C91445B37E47B63DC800E2
SHA-1: 0xD092B167FC53468943F10CD8243B51A35CCA2118
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
39 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\zqwkjbbt.exe 57,856 bytes MD5: 0xB1AF4EBC5600805FED703DEF7061E74C
SHA-1: 0xF36FF8C9996BF4194F9DB481B784FCCB56CC7BCD
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
40 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\bbsbrlee.exe 57,856 bytes MD5: 0xD972E16C6C4536DA09E842612F77D9F7
SHA-1: 0xF361FEC2BFC78EE81FAC70592CAE7C4845D47C22
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
41 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\kbzzlwlr.exe 57,856 bytes MD5: 0xDFFF509BB8D2B3C03E09284049D75B3F
SHA-1: 0xFAEA37C9BEBA4B60F91E9E89E49844A1964548D0
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
42 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\rbntkevt.exe 57,856 bytes MD5: 0xBDF6F122C6166FC7EBF6F3D9BD321C35
SHA-1: 0x51F5D8C3EB5961AB851CFB98E8A3977F3680006A
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
43 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\shnkjjbh.exe 57,856 bytes MD5: 0xC2D8FADDF43581EC7567EECAC58F1EA8
SHA-1: 0xC4B2881D6412E5FA04854A19CD8C7D09EDC01B10
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
44 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe 57,856 bytes MD5: 0x16A06262B45EFE5EF772632A6D892DE3
SHA-1: 0x5C4E9A0A0C823FA815D51D5DE070A1D64D7B3E61
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
45 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ctjxljxh.exe 57,856 bytes MD5: 0xC94ABFD701B134775CA5C06231E45C92
SHA-1: 0x0D3D37EFC4DCC37F196539AE432BC5C7E0689CAE
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
46 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ezslqrbz.exe 57,856 bytes MD5: 0x582E94458BF5147198EBF89601416CCC
SHA-1: 0x44764085C0777B3021402A340937EDAED23855AF
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
47 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\neqvzkeh.exe 57,856 bytes MD5: 0x5E9FBA91D4562021CAFBA82854ED36B8
SHA-1: 0xEA3541D57F4300281AA67910157FC61A3338D313
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
48 %Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\shrnxshq.exe 57,856 bytes MD5: 0xA6F77C6089793247862613C4ACBE3E30
SHA-1: 0xE560E96F5CEB1108AE50F793361EFE53DB32D60E
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
49 %Windir%\pchealth\helpctr\System\Remote Assistance\rqxjhbsl.exe 57,856 bytes MD5: 0x6D29F1BFFC629E76A080171AC651EA24
SHA-1: 0x40FD23AEF4573CCC26DA8708DE47EA255D885C3B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
50 %Windir%\pchealth\helpctr\System\Remote Assistance\rzqstbqq.exe 57,856 bytes MD5: 0xC17DA05604A081E0D85D086B9E2CC8B8
SHA-1: 0x327D2B944D05E8C54B94F942D02BB1E66EC847BB
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
51 %Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe 57,856 bytes MD5: 0xFA6F93A84B42679C486DB1EF17497B4B
SHA-1: 0x03FA3C9840A0071F07860CBA4F3B4F4F6AFB18C5
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
52 %Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe 57,856 bytes MD5: 0x0A25886E3CA576B3C9A467BD861EDAC5
SHA-1: 0x6089934EB5BD271FBF1113B5D9949F2CDC0DC73E
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
53 %Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe 57,856 bytes MD5: 0x305017182AD950209A32272748F48446
SHA-1: 0x061196B3AB4C3B7E86858C7C118848F374563C7B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
54 %Windir%\pchealth\helpctr\System\sysinfo\jbrhbztz.exe 57,856 bytes MD5: 0x62E61BFE10BDA87E4958C5E9FCE58269
SHA-1: 0xBC67B765F46A4A60BF1AB891756681CEBE2FBA7A
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
55 %Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe 57,856 bytes MD5: 0x4E98BFBE29D5A2A7CBB5E7E3211A8262
SHA-1: 0xBF5ABEB22EF47E9FBE4DF760EE744211F584FB2E
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
56 %Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe 57,856 bytes MD5: 0xCF76447E302609FF013D0C957CAFB0B5
SHA-1: 0x6D622B8CC532AA588362CEB39E987EECD92290CC
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
57 %Windir%\pchealth\helpctr\System\sysinfo\rercrnhh.exe 57,856 bytes MD5: 0x743FC8FB8C0F9348F2675E3C2D58177F
SHA-1: 0x0CDBA65AFEBC36A1BA795B9EF52A532622662A20
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
58 %Windir%\pchealth\helpctr\System\sysinfo\rnbrkrlv.exe 57,856 bytes MD5: 0x7A67E419B4C665ADF98EB5E1B2C52FA4
SHA-1: 0x17131D340DD73B3A77236CB2C85519F92A97BFDF
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
59 %Windir%\pchealth\helpctr\System\sysinfo\vkchbbxh.exe 57,856 bytes MD5: 0x253885063111E83F9E888900711B289E
SHA-1: 0x1FA9CF3B82EACCCDFCA7BE5EC3241E8BC060C57D
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
60 %Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe 57,856 bytes MD5: 0x3924902D806C797A678249AA3FD1B6F3
SHA-1: 0x83BA1E22D75B494DDEDDB55147E3FE10B4240AAC
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
61 %Windir%\pchealth\helpctr\System\UpdateCtr\qxshkkqn.exe 57,856 bytes MD5: 0x1F9A6AE5AD96F3FC145970BDB0865CA3
SHA-1: 0xB069C63876491E9E687962AA1DC68AEE0F42F9D4
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
62 %Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe 57,856 bytes MD5: 0x4C894D63B61625E36BCAA51B02B56AA1
SHA-1: 0x604632434A6A185FBA21BAB92A2A4033CE08F272
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
63 %Windir%\pchealth\helpctr\System\UpdateCtr\snqesjrk.exe 57,856 bytes MD5: 0x4E262FDF1A9DB68CFA8BBD224BCCA141
SHA-1: 0xF8BE819E4368EBCB45E2AC2AA96C83A532E0FA47
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
64 %Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe 57,856 bytes MD5: 0x439877EE2A526628B6DAA4921CC4E215
SHA-1: 0xBC1169026306C1F513A0BF496ADFD2FD0F83B607
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
65 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\erwskeqr.exe 57,856 bytes MD5: 0x9DD49AE1B484C9220E27D1FC9EC69EDA
SHA-1: 0x36522546DB90AC9903068B24303490FDA6E0C04B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
66 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe 57,856 bytes MD5: 0x903CF300FDF4FE6DD1096C98B9103760
SHA-1: 0x2C296E024CB33E001292908102DB735C3FD868DF
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
67 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\vxwqhwzs.exe 57,856 bytes MD5: 0x211C0F15A8DC247293AA1A840F54E0E3
SHA-1: 0x80272A923F374FE9E76708FC285FA28932D7618B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
68 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\vxwqhwzs.exe 57,856 bytes MD5: 0xFAD890EEA39342A4D925DD2CFDD6B645
SHA-1: 0x1F9727D914D5B3645C13E36A6980554434D519E4
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
69 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\vxwqhwzs.exe 57,856 bytes MD5: 0x4AA42FE869EA47E2449DE39EB59979D8
SHA-1: 0x58D33EDCAE13807DDE9AFE1003390046E0F5794A
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
70 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe 57,856 bytes MD5: 0xDABE1D96A332AB931FF785FFEF072CB9
SHA-1: 0xFFDD19FD1B15B8019B193479DFA9947EFA0A53B8
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
71 %Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\vsekkehe.exe 57,856 bytes MD5: 0x763800613C3C311A29FB4C2FC568925A
SHA-1: 0x4C33D4858EC69FEEB928A9FBA0489D0190F2441B
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]
72 [file and pathname of the sample #1] 57,856 bytes MD5: 0xBAEDCBC069582F0319BA39CC889A5161
SHA-1: 0x1EC8CB5B945221B48FC867ED448B4E30BD227123
W32.Rahack.H [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 128,602 bytes

Registry Modifications

Other details

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2013 ThreatExpert. All rights reserved.