grummerhens.net

By Pig, January 26, 2010

grummerhens.net
grummerhens.net 66.96.219.101
Opened listening TCP connection on port: 21366
Download URLs
http://66.96.219.101/13/cc.bin (grummerhens.net)
Outgoing connection to remote server: grummerhens.net TCP port 80
Outgoing connection to remote server: grummerhens.net TCP port 80
Outgoing connection to remote server: grummerhens.net TCP port 80

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit” = C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32sdra64.exe,
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “Guid” = 8aefce96-4618-42ff-a057-3536aa78233e
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “EventMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryCount” = [REG_DWORD, value: 00000010]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “TypesSupported” = [REG_DWORD, value: 00000007]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography “MachineGuid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcesssvchostDEBUG “Trace Level”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTGlobalDEBUG “Trace Level”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlNetwork{4D36E972-E325-11CE-BFC1-08002BE10318}{5D19E473-BE30-416B-B5C7-D8A091C41D2F}Connection “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{7E323333-3234-6D27-6D34-3334644B6B6C}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “DefaultLaunchPermission”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MachineLaunchRestriction”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MachineAccessRestriction”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “ActivationFailureLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “CallFailureLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “InvalidSecurityDescriptorLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “DisableActivationSecurityCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpc “DCOM Security”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “EnableDCOM”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “EnableDCOMHTTP”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “IgnoreServerExceptions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “BreakOnSilencedServerExceptions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyAuthenticationService”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyAuthenticationLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyImpersonationLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyMutualAuthentication”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacySecureReferences”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “UseSharedWowVDM”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MaxActivationRetriesPerServer”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “PreferUnsecureActivation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “AllowMultipleTSSessions”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlTerminal ServerLicensing Core “EnableConcurrentSessions”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{3039636B-5F3D-6C64-6675-696870667265}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{7E323333-3234-6D27-6D34-3334644B6B6C}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetwork “UID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography “MachineGuid”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOID
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOIDEncodingType 0CertDllOpenStoreProv

File Changes by all processes
New Files C:WINDOWSsystem32sdra64.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceRasAcd
DeviceTcp6
DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
C:WINDOWSsystem32lowseclocal.ds
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32lowsecuser.ds.lll
Opened Files .PIPElsarpc
C:WINDOWSsystem32sdra64.exe
C:WINDOWSsystem32ntdll.dll
c:autoexec.bat
.PIPEROUTER
.Ip
.Ip6
.pipe_AVIRA_2109
C:WINDOWSsystem32lowseclocal.ds
.pipe_AVIRA_2108
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.pipe_AVIRA_2108
c:autoexec.bat
.PIPElsarpc
Deleted Files C:WINDOWSsystem32sdra64.exe
C:WINDOWSsystem32lowseclocal.ds
Chronological Order Open File: .PIPElsarpc (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32sdra64.exe
Copy File: c:distr.exe to C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32sdra64.exe (OPEN_EXISTING)
Open File: C:WINDOWSsystem32ntdll.dll (OPEN_EXISTING)
Set File Time: C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Create/Open File: DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Open File: .Ip6 (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32lowsec Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: .pipe_AVIRA_2109 (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32lowseclocal.ds Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32lowseclocal.ds
Create File: C:WINDOWSsystem32lowseclocal.ds
Find File: C:WINDOWSsystem32lowsecuser.ds.lll
Open File: C:WINDOWSsystem32lowseclocal.ds (OPEN_EXISTING)
Find File: C:WINDOWSsystem32lowsecuser.ds
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Move File: C:WINDOWSsystem32lowsecuser.ds to C:WINDOWSsystem32lowsecuser.ds.lll
Create/Open File: C:WINDOWSsystem32lowsecuser.ds.lll (OPEN_ALWAYS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftSystemCertificatesMyCertificates*
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftSystemCertificatesMyCRLs*
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftSystemCertificatesMyCTLs*
Open File: .PIPElsarpc (OPEN_EXISTING)

Categories: Uncategorized
Previous post
Next post