ThreatExpert Report: W32.Rahack.W, W32/RAHack, WORM

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 July 2012, 04:15:34
Processing time: 11 min 42 sec
Submitted sample:

File MD5: 0x5F7D38D867EE659619C4080FB3473CC5
File SHA-1: 0xC0D9D85F7C31384E20698385D21A6D168CA4B7DE
Filesize: 57,856 bytes
Alias:

W32.Rahack.W [Symantec]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Net-Worm.Win32.Allaple [Ikarus]

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[pathname with a string SHARE]\bcwvzwbh.exe	57,856 bytes	MD5: 0x7F23034DF9439591F0BD3C6F9385D6EB SHA-1: 0xBC2E9E84B9AA1D2EB52098252BADA950D08F31B9	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
2	[pathname with a string SHARE]\bhrhnkht.exe	57,856 bytes	MD5: 0xB8D469F49222B8C96075FA69D27CEDD9 SHA-1: 0x4AB56E53624CA4C4983A2479E6C798E60439D0CE	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
3	[pathname with a string SHARE]\bnbtzwxt.exe	57,856 bytes	MD5: 0xFDBF0EF6BF201909D074D46197838EE8 SHA-1: 0x08BED8F48312E0CD75A797B063B9110746E87AD9	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
4	[pathname with a string SHARE]\brvrjrke.exe	57,856 bytes	MD5: 0x6A5CFC378FF51AF4D5B5B8C56E17B38A SHA-1: 0x485B5E76B78CD7886D00DC03F6B25A1A9C09E812	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
5	[pathname with a string SHARE]\bzqlkhrh.exe	57,856 bytes	MD5: 0x88ABEEAB63F1F509B94A0E6F35E3A8BE SHA-1: 0x5AEAAD7D6E2EFFA5216245AA46091D16B518466F	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
6	[pathname with a string SHARE]\czjevcet.exe	57,856 bytes	MD5: 0x435268E27924DCC07E8EE0DAA0480B21 SHA-1: 0xEE1C67E680C453F908A067B756940016D5C1B2F9	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
7	[pathname with a string SHARE]\ehbebsrn.exe	57,856 bytes	MD5: 0xCB14B25E53BB20C929C8C9A034454CD3 SHA-1: 0xC2D10FDDC2BF2D339814379E2DA58C6A528BFBA9	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
8	[pathname with a string SHARE]\elwtjnbj.exe	57,856 bytes	MD5: 0xCAA52B6B97BF0E3DED878F1EF59A15FC SHA-1: 0x5482670EEC5E5A803010E20D369F88BA3B58106C	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
9	[pathname with a string SHARE]\njbsvtll.exe	57,856 bytes	MD5: 0x2650A78EAE2AD9380FA83CE747AAFD0E SHA-1: 0xF90567811986CA781FBF02371C171B4890D07DE1	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
10	[pathname with a string SHARE]\nsqjttkv.exe	57,856 bytes	MD5: 0x9D8F1F72774BF624906161A04C616888 SHA-1: 0x6D8BD9400AA9301A49FFC874756047E830E545E4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
11	[pathname with a string SHARE]\qjllsjhl.exe	57,856 bytes	MD5: 0xF8E7AE20F553D22DEADE43E81E5773C5 SHA-1: 0x7D790BE0C94F673B2E5AC5A255997A50A2A3FBF2	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
12	[pathname with a string SHARE]\tlcwjrwt.exe	57,856 bytes	MD5: 0x1AEAB4BEEB75F992C9003856BD75FB04 SHA-1: 0x9FAA24B01EEE0826815D01778BA6CC2DF7B7F0C7	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
13	[pathname with a string SHARE]\vkjljzrn.exe	57,856 bytes	MD5: 0xCEEDDF8CF717A595AE63F19B9AF11FA8 SHA-1: 0x05895B5CBB5662EF2D5DC6E913D708ACB1EBB48E	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
14	[pathname with a string SHARE]\xrljqjzn.exe	57,856 bytes	MD5: 0x00B5A5963422A0ABF0826A8808655AAC SHA-1: 0x06B3C0567325E91DD18F7C22BE3A3F7A1A2299B5	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
15	%ProgramFiles%\Common Files\System\ado\tsektjkj.exe	57,856 bytes	MD5: 0xD36D726134A54155746D12A749FE68F6 SHA-1: 0x6D9D3953EC36F69A2C89624E4CB5DB62B288FA4D	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
16	%ProgramFiles%\NetMeeting\rsewzjqn.exe	57,856 bytes	MD5: 0x1F22B385FCB0476FA78CAD84595F02A7 SHA-1: 0x127DD90654D1F8D46FDE5CCE357E0942CC1AFF87	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
17	c:\tvsknrse.exe	57,856 bytes	MD5: 0x6A4B107FF6ED7AC47799821142C3C2A4 SHA-1: 0x2F8532E579952802AE634E68FFA9363A661A2983	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
18	%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe	57,856 bytes	MD5: 0xB56223159904E72DBA39C480F43C0A60 SHA-1: 0xC743C9359964F6FE349056061AF0C5621C60D5B3	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
19	%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe	57,856 bytes	MD5: 0x1E4ACAE336D143FF021F48F70696AA6E SHA-1: 0x8FFF1F564E2FFC9C491DB0BA89967BB7E13B3DB4	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
20	%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe	57,856 bytes	MD5: 0x1B4BB5BB9BAD12CAF620F338B931368D SHA-1: 0x0A393DB4AE603249A4017387B083D7B7BEE8AAD8	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
21	%Windir%\pchealth\helpctr\System\CompatCtr\zlhqrlbx.exe	57,856 bytes	MD5: 0x34A0D786C5AA542F91641A9240AB90FC SHA-1: 0x554CFC53CD1D8F1FC1718D34C7CCC6AB96DC7797	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
22	%Windir%\pchealth\helpctr\System\DVDUpgrd\shrrtjet.exe	57,856 bytes	MD5: 0x6945948B35C280A63F8331CA5CD78DA1 SHA-1: 0x2B1338CEFCEE88336380A7542DD9562F7DDCC9E9	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
23	%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe	57,856 bytes	MD5: 0x4D968CFE27D14CC47E3CC469B6AD5ABE SHA-1: 0xEA6C53920724A9AA51996C70522F01FD4EA619DF	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
24	%Windir%\pchealth\helpctr\System\errors\jcjjlqnq.exe	57,856 bytes	MD5: 0xA7383B44372BE4BA2AF33A796049C98E SHA-1: 0x90C8C8C4630D9976228DEB879280DED6FD5D0A87	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
25	%Windir%\pchealth\helpctr\System\NetDiag\hsjqschn.exe	57,856 bytes	MD5: 0x8417BE07A3821F0595D5CE83B3BEA118 SHA-1: 0x83E703A6866D1DC13EA7A22F35DF434F753352A5	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
26	%Windir%\pchealth\helpctr\System\NetDiag\xrvxszvs.exe	57,856 bytes	MD5: 0x7878229605627B5A62805AFD5EEC716C SHA-1: 0x2682061C9030B528F2213017A76DB7B5A0E0C289	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
27	%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe	57,856 bytes	MD5: 0x0EDC0709E73F73A264A38490B75A60AA SHA-1: 0x84801627473B53EC0208E2E192BBCA8081AFB548	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
28	%Windir%\pchealth\helpctr\System\panels\sncncweb.exe	57,856 bytes	MD5: 0xA3DBC16B1F96F0DCC2A42566603F100F SHA-1: 0xB167502217AC1DEA9F6F60F447C59CF450FD4615	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
29	%Windir%\pchealth\helpctr\System\rc\qbrblthb.exe	57,856 bytes	MD5: 0xBD827C4B56471E7A410FCEA7E93F1F42 SHA-1: 0xBF1262EEF71B787724C96ACA6380A989271678AA	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
30	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\hxrshqsj.exe	57,856 bytes	MD5: 0x263874B8AC27F1430974AE7189A8E98F SHA-1: 0x00A320E0B63883CA617A191601A1B0B9ADD7CC2A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
31	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\rwcjrqhw.exe	57,856 bytes	MD5: 0xC647FCE18409948CF8764B3F7D7E7977 SHA-1: 0x426A6916AAEAD1300A794DFD94AFE9FDF66AF67A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
32	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe	57,856 bytes	MD5: 0xDF4C8D727AA94ABD39A2A8BE596706FE SHA-1: 0x97BA020D82850C23566BD81CC39C69E4E9FA89FE	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
33	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ekjvhbcn.exe	57,856 bytes	MD5: 0xB44F02133454F539A0B38EEFF452C029 SHA-1: 0x8395036690FB7B0514B0EF84482706EA4EAB0A00	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
34	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\jjennetl.exe	57,856 bytes	MD5: 0x7DA961BCDA9F35A3AF6AA315B96023AC SHA-1: 0xB2E9B50004F70B171C30C6F734EB045FCBF5BB98	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
35	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\knenvxlj.exe	57,856 bytes	MD5: 0x21743A878FBF8EEB2CABC2CAA998D9BD SHA-1: 0x30C165792C9E200C17C5B4110381C40BBAA49773	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
36	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe	57,856 bytes	MD5: 0x47C17716558DD224573F334CBA3AEAA2 SHA-1: 0x5E14C9CC5C4B26E3E44BD6046C6A305CA57C7419	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
37	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe	57,856 bytes	MD5: 0xA0ACF0B7F1426D96A9D376B50515293A SHA-1: 0xA190DDD7B195E218EB5D08640BE2D05FF2B8972A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
38	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\zqwkjbbt.exe	57,856 bytes	MD5: 0x7E62706705403A8A25115AA832609F2F SHA-1: 0x1B9A019DC46EB481857F3E6F6E9C9597E6B472C5	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
39	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\bbsbrlee.exe	57,856 bytes	MD5: 0xD1D37988AA278B90A128C7A47B9E8DE7 SHA-1: 0x546C62BABD0C7240E17A580B6B21DCF4B40FCA72	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
40	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\kbzzlwlr.exe	57,856 bytes	MD5: 0x7C1BB19BAF1FBE1CF6589934464B7611 SHA-1: 0x37F51CF571CDBEC5C290F483E09244CA1D428E10	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
41	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\rbntkevt.exe	57,856 bytes	MD5: 0xA996A86284B669C77F33AE98891B9978 SHA-1: 0x5D514EF057345A50665598589A0D77E75ACD0F37	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
42	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\shnkjjbh.exe	57,856 bytes	MD5: 0x97D8C3EDE98B4F226F003E8143FD6C77 SHA-1: 0x2A928D9CEFFB2735F75BF56E0558CB70A28EA20E	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
43	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe	57,856 bytes	MD5: 0x4F5B316F04A964B53895719661BBD96F SHA-1: 0x0FEA58FE5B586EB8855714564D45F7CA6176F227	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
44	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ctjxljxh.exe	57,856 bytes	MD5: 0x8260F618B12AD2D3FC6465AF31DB66C8 SHA-1: 0xB83C87AE9E3751F77F1BAE26B66853691E2E3648	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
45	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ezslqrbz.exe	57,856 bytes	MD5: 0x8E0B042E229FF9606FCCD9604A18FC49 SHA-1: 0x12687B85BDB0046804C0D109E6B1CD9EED9F3C6B	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
46	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\neqvzkeh.exe	57,856 bytes	MD5: 0x8B13CD8072117652657AB13F81D2907A SHA-1: 0xCF8911C9978328209147E0E0D0BE44550BB3BF58	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
47	%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\shrnxshq.exe	57,856 bytes	MD5: 0x80EDC1D19475D451DD995E9C3E17F147 SHA-1: 0xB50793F5F77E38DBE027B8273128FC113A895AE5	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
48	%Windir%\pchealth\helpctr\System\Remote Assistance\rqxjhbsl.exe	57,856 bytes	MD5: 0xBB96BEA3AFFFABE445FFFD9D642D8CEA SHA-1: 0x40B9E2ED53B0638D5FB8A1F77C14A08711AB572E	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
49	%Windir%\pchealth\helpctr\System\Remote Assistance\rzqstbqq.exe	57,856 bytes	MD5: 0x2C14DD2B1E8F084BDDCB80C2BC8D89AA SHA-1: 0x24A903C2D78C94D870AB88CD00DB2496D531292E	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
50	%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe	57,856 bytes	MD5: 0xC9EC092075C401392B0CDBC345C056DE SHA-1: 0x526C5FDB7A6EC7C256191764CCF1DEEC90670D32	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
51	%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe	57,856 bytes	MD5: 0xF8308CA21DDED39347A9275CC33DA798 SHA-1: 0xE7107B52AD68D12DB4C4044F90EDFC77B91A19E1	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
52	%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe	57,856 bytes	MD5: 0xEA2EC174AC0DC10DA594E36DD4391832 SHA-1: 0x3D6F5941E00EDC4667CC6FEC2C35A843FFC95A49	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
53	%Windir%\pchealth\helpctr\System\sysinfo\jbrhbztz.exe	57,856 bytes	MD5: 0x6000B34769B60A8173CAB5707411B8D6 SHA-1: 0xCCA2AC3EF2F9F914A5527BCE1E4C018942E24C94	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
54	%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe	57,856 bytes	MD5: 0xA82A5C49BAA633C90BA92B13606FC84C SHA-1: 0xF1B40B72B96058E26E5126EE56F68F095298981A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
55	%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe	57,856 bytes	MD5: 0xB4EDC4741EA9B032F7D5F196BD582A11 SHA-1: 0x3E65F77FCBA79A82CA55CD06528B238E7FAEF251	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
56	%Windir%\pchealth\helpctr\System\sysinfo\rercrnhh.exe	57,856 bytes	MD5: 0xAD0F3AB5701B44F18B9DB6FA4FD129F6 SHA-1: 0x06E80B642B1C5F85CCF918499850E0150BF8FC60	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
57	%Windir%\pchealth\helpctr\System\sysinfo\rnbrkrlv.exe	57,856 bytes	MD5: 0x4D05EA5ED32CC7A3F34FD1C27AC8B6DE SHA-1: 0x7C6C7AEE4FE88D67AB0A791296E25FFF71CEC4AF	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
58	%Windir%\pchealth\helpctr\System\sysinfo\vkchbbxh.exe	57,856 bytes	MD5: 0x8ADCDA0864CC02ABC1DE157DD60096C6 SHA-1: 0x281E1E3DCCA48825F33C3AE4C7B62E38DC58088A	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
59	%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe	57,856 bytes	MD5: 0xE2AAE67516B876C9C3480CCE14C975CF SHA-1: 0xFB5C744FDB7161338FA99B5BE27777123C7FAA99	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
60	%Windir%\pchealth\helpctr\System\UpdateCtr\qxshkkqn.exe	57,856 bytes	MD5: 0x41D4906023F98AAA4E5C8E3F0A5BE6CB SHA-1: 0x21EF49DFEB61F741C7A122590A29DD3D6E0BC8E2	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
61	%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe	57,856 bytes	MD5: 0x5259E1AEC510BA0EB4C6A1680DD7A443 SHA-1: 0xABF42EF95EF7DCD90CB15DE2CC102E309F1D6AB4	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
62	%Windir%\pchealth\helpctr\System\UpdateCtr\snqesjrk.exe	57,856 bytes	MD5: 0x48D5C1DB3AC72BF083B86B6203097E27 SHA-1: 0x93ADCFC9F72F7E1988BA317E2CFEE38B0BEFC481	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
63	%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe	57,856 bytes	MD5: 0x6F3E0697E5A7AE4ED18E28AB0371AE9E SHA-1: 0x78DF9FAEE7DECC641252F3921687227CB23EE765	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
64	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\erwskeqr.exe	57,856 bytes	MD5: 0x32218659CA8AFAEF2546D9D9DAA3A0B4 SHA-1: 0x97DA62FC3F0139629ECBEC6EF17453E0EA0B6426	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
65	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe	57,856 bytes	MD5: 0x8C600FF7EA1189274DD75B8585766404 SHA-1: 0x0ED54C51BBF5B8B7A7854B8D34C681DE8E8D4ACC	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
66	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\vxwqhwzs.exe	57,856 bytes	MD5: 0x6F1ED0100B8501030FAA50C2D02FF797 SHA-1: 0xE48EE8962F26F0F422D1F4ED74010CE232CE1740	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
67	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\vxwqhwzs.exe	57,856 bytes	MD5: 0x389C9792CA1A3AB91043A07BE4ACFE38 SHA-1: 0x4D6B073893A8E3EB1B17B6CEA9E3B890C24DF85D	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
68	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\vxwqhwzs.exe	57,856 bytes	MD5: 0x204F5ADD1631D3F91692B6EF36B93C5D SHA-1: 0xBC1F44D17FD3C82FFC0B7624D4970F4A09D78E01	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
69	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe	57,856 bytes	MD5: 0x3C6FB2895EB5590196C603FD933A24D8 SHA-1: 0xD963AC67C582C9A9378377BEC5FF61174E319921	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
70	%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\vsekkehe.exe	57,856 bytes	MD5: 0x9DF684285494331C1FC21ACC8F3347F4 SHA-1: 0x82CFE24C68368E11C9ED07554F6D816EE858E8DE	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
71	[file and pathname of the sample #1]	57,856 bytes	MD5: 0x5F7D38D867EE659619C4080FB3473CC5 SHA-1: 0xC0D9D85F7C31384E20698385D21A6D168CA4B7DE	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]
72	%System%\urdvxc.exe	57,856 bytes	MD5: 0xB625B1E1037F30C7C8DB4610BD10BA80 SHA-1: 0x90803221D1C1AC3A773287DDB7BBDAF36696D453	W32.Rahack.W [Symantec] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Net-Worm.Win32.Allaple [Ikarus]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\NetMeeting\netmeet.htm
%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm
%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm
%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm
%Windir%\pchealth\helpctr\System\errors\connection.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm
%Windir%\pchealth\helpctr\System\panels\blank.htm
%Windir%\pchealth\helpctr\System\panels\NavBar.htm
%Windir%\pchealth\helpctr\System\rc\rcRequest.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\DividerBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAChatClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAClient.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\RAStatusBar.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\rcscreen6_head.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\setting.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\ErrorMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\RCFileXfer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\voicefirewallmsg.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Common\VOIPMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar1.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\DividerBar2.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\RAChatServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\SettingServer.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\TakeControlMsgs.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\RAStartPage.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\rcBuddy.htm
%Windir%\pchealth\helpctr\System\sysinfo\msinfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysComponentInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysEvtLogInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysHealthInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysinfosum.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysRemoteInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysServicesInfo.htm
%Windir%\pchealth\helpctr\System\sysinfo\sysSoftwareInfo.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\AboutWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\Learn.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\LearnInternet.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\learnWU.htm
%Windir%\pchealth\helpctr\System\UpdateCtr\updatecenter.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Connection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineDC.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\OfflineOptions.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\confirm.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm
%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	131,072 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
MSWindows	Network Windows Service	"Stopped"	"%System%\urdvxc.exe" /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}\LocalServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qkezbwtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}]

(Default) = "zlbtrheqznllwnez"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rvwwbqje.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}]

(Default) = "sjenknbssrbbnheh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\jrtqcssx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048BF78C-E618-0789-65EC-7B42EEBABDDC}]

(Default) = "khntljkllvnlwnnr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\jbnxjtkn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0F1486-35D6-89D7-D882-CA1A59862B6E}]

(Default) = "twbnlhhrllnlkwse"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\kkrtrbns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B44EB36-CB81-9FE3-EB6F-ED253BC824C5}]

(Default) = "stjqhzzejjvbsebk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}]

(Default) = "cxzsrrqbhzbbnnbn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32]

(Default) = [pathname with a string SHARE]\czjevcet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}]

(Default) = "eqsxbljjlsehwhcl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xjshnvvh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}]

(Default) = "jeseechknrtrtjxb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\bjlkjrls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{110F9774-FAAC-0A3E-8A58-182D5A948013}]

(Default) = "nbtxblzlkrqcsttk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\cntbrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{118AD934-6512-CF10-DF50-2B2755D07C2F}]

(Default) = "xvlbneqertntkjkt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\rrbvcsbb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1329366B-3CA3-C056-4832-FDA8BAC1351F}]

(Default) = "wshlescehsxlkrrh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jhtkcrqk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}]

(Default) = "lsebjbvsvzbxqcjw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}\LocalServer32]

(Default) = "%ProgramFiles%\NetMeeting\rsewzjqn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB5D22A-38E3-3CDD-6FC2-017E4B687843}]

(Default) = "rvvclelrevhztrbx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\zxtlktls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}]

(Default) = "vbztcesjnxlerrjx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jehkxqtn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}]

(Default) = "ctzscrtshknrjsse"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32]

(Default) = "C:\Inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}]

(Default) = "nlcslthzeererwcc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\sysinfo\rbcjjwqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326CE86B-F468-EA85-5628-FD4D0FFDBB85}]

(Default) = "bktnwtbxtnsjlzlr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}]

(Default) = "kvrxrkswhbtsjlnj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32]

(Default) = "%System%\urdvxc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}]

(Default) = "bsrskebjewlvtqlt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\vxwqhwzs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363304E6-ADDF-9355-8F4C-D71315751C40}]

(Default) = "rkjeevslcnhcztbt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jcjcvqtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}]

(Default) = "wewxnrksqklktkcc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\wbjbjelb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37128C75-4B63-71FC-DD33-D9492FBB2EFB}]

(Default) = "westblbbkvszhhhl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Server\ccthwjlr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A4B53AC-423A-E7CA-C4DA-B78A959F8C03}]

(Default) = "hejjtjlrhketsjnl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\tnslrrhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AE1D8CD-A6F7-40FE-B888-56FCBA8BCA46}]

(Default) = "vccqtlntkjswqseq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\ttzvrbzr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C1D709C-0F4D-5DA4-2232-7AFD13C0C23F}]

(Default) = "hrxhrketlxqteqrk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32]

(Default) = [pathname with a string SHARE]\qjllsjhl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}]

(Default) = "ezrktlsrrkrcvkvz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\tjqlrkhx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}]

(Default) = "hnrjwktcrrclezhk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\ehlbrqvs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46FFC275-F95A-DD9C-490B-4A7903F8E16C}]

(Default) = "hjbjqrwnhhvbtbjs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\CompatCtr\hrtbebze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{490CDDA9-7D56-3D09-CC3C-5136306CC8A0}]

(Default) = "tjrxzhsterwkhjkh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\Howto\tbzrsrxv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}]

(Default) = "hzzkbnrtqwnnxllj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\tsektjkj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}]

(Default) = "sqjsnlrlzhlhnzbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\nxhtnbrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E4B1243-6951-DA75-041E-CEB3D83811A0}]

(Default) = "lbchxnvbslwvckbw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\trkhkjxz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F82FDE5-2426-891D-5E88-22E06725D2A6}]

(Default) = "lsnnjnlrelrezrxn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32]

(Default) = "C:\tvsknrse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}]

(Default) = "rrxcxnbnecqwlznq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\srzectxw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B27C6B-4485-B5DC-7ACC-40C9603EF49C}]

(Default) = "hqcnkbsbvshtnhee"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32]

(Default) = [pathname with a string SHARE]\bhrhnkht.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}]

(Default) = "hzqnejrcnwlnkekj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\ErrMsg\vlvxqrek.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F8EF1A-30C4-77DB-B4A1-F7FB92D83438}]

(Default) = "nweehlvqtsskehks"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\UpdateCtr\lwklbvze.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B974BBE-61BD-D89A-783C-6F06BBE18E40}]

(Default) = "wnrtstnlhwtlcest"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\wesnhzec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{616F8160-B381-7FEA-D13A-58E0EF4C12E8}]

(Default) = "ejkkscnsezrrhlhq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ktensxxh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}]

(Default) = "ekvvqcxjskqbcnnw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nxxhexkh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}]

(Default) = "tzbjrwjnrshrktqz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32]

(Default) = [pathname with a string SHARE]\bcwvzwbh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}]

(Default) = "hwtnztelbekrzvnz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\snrlrkcn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64F1CF06-0CDB-2C1E-9F31-AB06848B06CA}]

(Default) = "thxlbswbzzzhtqlj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\panels\nntlskwn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B4E7F8-6512-EF00-DF46-2E62C2F0A63F}]

(Default) = "jkrtxxbrelbrltrt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}]

(Default) = "kehznjrnltzvntle"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jclbnjhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}]

(Default) = "jqhxthbjvtwrxwns"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32]

(Default) = [pathname with a string SHARE]\bnbtzwxt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}]

(Default) = "nhxlqhrrwrrxjtjw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\elbkcznj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}]

(Default) = "rsljhxxvlkrxbkxh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}\LocalServer32]

(Default) = "%Windir%\pchealth\helpctr\System\Remote Assistance\Common\seshhtth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79910627-6A00-CDCE-579B-2C3D5BA84B34}]

(Default) = "rbrzhrlkllresqrv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}\LocalServer32]

(Default) = [pathname with a string SHARE]\xrljqjzn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}]

(Default) = "jljzrbtnbvqznenq"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex object was created:

jhdheddfffffhjk5trh

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.