ThreatExpert Report: Adware.Relevant!sd5, not-a-virus:WebToolbar.Win32.WhenU.a..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 27 February 2010, 06:07:40
Processing time: 7 min 56 sec
Submitted sample:

File MD5: 0xF32A9AEB6D64CAA7A773C5EF67FA7B2A
File SHA-1: 0x2FC7F8DEBAB6AE9E8CFF50DEAABA38F1292311AC
Filesize: 1,454,917 bytes
Alias:

Adware.Relevant!sd5 [PCTools]
not-a-virus:WebToolbar.Win32.WhenU.a [Kaspersky Lab]
Dropper/Malware.1454917 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Ares Gold\Ares Gold.lnk	647 bytes	MD5: 0x4FEDCAD634155968BFAB6F4A4961DB1F SHA-1: 0xAFBA5D456EC26690312C3FF1E0432950DA186EE6	(not available)
2	%DesktopDir%\Ares Gold.lnk	635 bytes	MD5: 0xDB7FB004EB529B463E547F0F158D38C9 SHA-1: 0x0ABD1C37BEDA090947FF9CBB7107FE5E78525299	(not available)
3	%AppData%\Microsoft\Windows Media\9.0\WMSDKNSD.XML	53 bytes	MD5: 0xA9B5DA9AEC61657B32393D96217165F0 SHA-1: 0x80B5C577155ACD269B450D70F6B2CBED693EDF49	(not available)
4	%ProgramFiles%\Ares Gold\AresGold.exe	2,263,552 bytes	MD5: 0x904FBFA8C951E1158349079FDCAFFEC8 SHA-1: 0xEB7D2556FA7D93F9391EF000AE8DD6F5E1970D46	(not available)
5	%ProgramFiles%\Ares Gold\Data\defaultcache.net	9,048 bytes	MD5: 0x4B6E2293F59AF88F010F4EC5DE506821 SHA-1: 0x3895D7D766922900E3028657522E05497D0FCA08	(not available)
6	%ProgramFiles%\Ares Gold\Data\defaultultracache.net	3,883 bytes	MD5: 0x951A37CF24A3FD677C659B3100375F1F SHA-1: 0xE86482D36124A5A26B41E9DDE197B47C6567D115	(not available)
7	%ProgramFiles%\Ares Gold\Data\defaultwebcache.net	5,749 bytes	MD5: 0xD1F2D92DC97C7093691C184D0AD50EC1 SHA-1: 0xA5F6C84DFF76C9C1523A6F67966AF646BBA1C497	(not available)
8	%ProgramFiles%\Ares Gold\Data\MyMedia.edb	37,144 bytes	MD5: 0x57AA6DB70EF97E59B0B84BDD8F943B25 SHA-1: 0x4D54170D73B006A9974A2D1B75F53B62F35F8717	(not available)
9	%ProgramFiles%\Ares Gold\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe	121,768 bytes	MD5: 0x87362D92D384A695D00F468840BE7243 SHA-1: 0xADBBAAFB55DF850DD534E97F86D3AF2ED376D082	Adware.WhenU_SaveNow [PCTools] not-a-virus:WebToolbar.Win32.WhenU.a [Kaspersky Lab] Generic PUP.g [McAfee] Adware:Win32/WhenU.gen [Microsoft] not-a-virus:WebToolbar.Win32.WhenU [Ikarus]
10	%ProgramFiles%\Ares Gold\tcpip_patcher.sys	15,744 bytes	MD5: 0x4F781A6337CF1048147C684ED21B34D1 SHA-1: 0x66AFE5CD521A80A8EF16E9869B8960AE626CAA23	(not available)
11	%ProgramFiles%\Ares Gold\unins000.dat	1,614 bytes	MD5: 0xACEDB6D8F1DF3816620DEE64DA1519A2 SHA-1: 0x9804220FCF0AC6BB87C7F6E21306865052ADA05C	(not available)
12	%ProgramFiles%\Ares Gold\unins000.exe	77,257 bytes	MD5: 0xBF15CE70E055955FAFD81A18EC1C0771 SHA-1: 0x2E744B01A4A96B82F1C298304D497A26D75C5B91	(not available)
13	%ProgramFiles%\NPSSoftware_WhenUSaveNow_Installer\NPSSoftware_WhenUSaveNow_Installer.exe	148,480 bytes	MD5: 0xD6AE0CA18C0853EEF1807E8968C1039B SHA-1: 0x60F8DED83DAF361DCF3A62FFAA129559C8ED612B	Adware.SaveNow.BJ [PCTools] Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow.cb [Kaspersky Lab] Generic.dx [McAfee] Adware:Win32/WhenU.A [Microsoft] not-a-virus:AdWare.Win32.SaveNow [Ikarus]
14	%ProgramFiles%\NPSSoftware_WhenUSaveNow_Installer\vvsn.cfg	282 bytes	MD5: 0xD3859A7ED82F1E2B07F6A20217FE7A38 SHA-1: 0x981B46D3BAD369FD01C13357BE5A5D228580E267	(not available)
15	%System%\GnucDNA.dll	1,040,384 bytes	MD5: 0x899CBFACB20BB41B8E2423C4856B498C SHA-1: 0xFFC81AD50665863D99AB53AD990935FA43BC73CA	(not available)
16	%System%\rkinstaller.exe	114,688 bytes	MD5: 0xA3339DCB7EE84DCBEB443ACB6DF9785D SHA-1: 0x50940D7488C06490D4B862EF210BECEFDEA065DB	Spyware.Marketscore_Netsetter [PCTools] Spyware.Marketscore [Symantec] not-a-virus:AdWare.Win32.Relevant.a [Kaspersky Lab] Proxy-OSS [McAfee] Program:Win32/Comscore.gen [Microsoft] Win-Trojan/Relevant.114688 [AhnLab]
17	[file and pathname of the sample #1]	1,454,917 bytes	MD5: 0xF32A9AEB6D64CAA7A773C5EF67FA7B2A SHA-1: 0x2FC7F8DEBAB6AE9E8CFF50DEAABA38F1292311AC	Adware.Relevant!sd5 [PCTools] not-a-virus:AdWare.Win32.Relevant.a, not-a-virus:WebToolbar.Win32.WhenU.a [Kaspersky Lab] Dropper/Malware.1454917 [AhnLab]
18	%System%\wbem\Performance\WmiApRpl_new.h	357 bytes	MD5: 0x231323658D79D9BDF946E1CFBE01E500 SHA-1: 0xD3D145D037FCA0C669C4B3E2990906B922B22ADE	(not available)

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following file was modified:

%AppData%\Microsoft\Windows Media\9.0\WMSDKNS.XML

The following directories were created:

%CommonPrograms%\Ares Gold
%ProgramFiles%\Ares Gold
%ProgramFiles%\Ares Gold\Data
%ProgramFiles%\Ares Gold\Partner
%ProgramFiles%\NPSSoftware_WhenUSaveNow_Installer
%ProgramFiles%\NPSSoftware_WhenUSaveNow_Installer\URL1

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GnucDNA.Core
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GnucDNA.Core\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ares Gold_is1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{DB28B382-9162-41C0-949B-7B00A53BCA72}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{DB28B382-9162-41C0-949B-7B00A53BCA72}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{DB28B382-9162-41C0-949B-7B00A53BCA72}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{DB28B382-9162-41C0-949B-7B00A53BCA72}\Properties
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{384342E3-EFCC-4AA1-99E6-146B54CF0418}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Ares Gold
HKEY_CURRENT_USER\Software\Ares Gold\General
HKEY_CURRENT_USER\Software\Ares Gold\Options

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\ProgID]

(Default) = "GnucDNA.Core"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\InProcServer32]

(Default) = "%System%\GnucDNA.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}]

(Default) = "GnucDNA.Core"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}]

(Default) = "_IDownloadEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}]

(Default) = "IUpload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}]

(Default) = "_IShareEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}]

(Default) = "_IUpdateEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}]

(Default) = "_INetworkEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}]

(Default) = "ICore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}]

(Default) = "_IChatEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}]

(Default) = "ICache"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}]

(Default) = "IShare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}]

(Default) = "IChat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}]

(Default) = "ISearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}]

(Default) = "IUpdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}]

(Default) = "_IUploadEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}]

(Default) = "IPrefs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}]

(Default) = "_ISearchEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}]

(Default) = "IDownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}]

(Default) = "IMeta"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\TypeLib]

(Default) = "{2850BDC7-2330-4E31-9FA0-88268846539A}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}]

(Default) = "INetwork"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\0\win32]

(Default) = "%System%\GnucDNA.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\HELPDIR]

(Default) = "%Windir%\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2850BDC7-2330-4E31-9FA0-88268846539A}\1.0]

(Default) = "GnucDNA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GnucDNA.Core\CLSID]

(Default) = "{F02C0AE1-D796-42C9-81E1-084D88F79B8E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GnucDNA.Core]

(Default) = "GnucDNA.Core"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

NPSSoftware_WhenUSaveNow_Installer = "%ProgramFiles%\NPSSoftware_WhenUSaveNow_Installer\NPSSoftware_WhenUSaveNow_Installer.exe"

so that NPSSoftware_WhenUSaveNow_Installer.exe runs every time Windows starts

The following Registry Value was deleted:

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings]

Client ID = "{8B2FC17F-5905-448A-88D5-C64086555F44}"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace]

LocalBase =
DTDFile =
LocalDelta =
RemoteDelta =

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.