mypanelftp.co.cc

By Pig, November 15, 2010

mypanelftp.co.cc
mypanelftp.co.cc 91.215.170.45

Opened listening TCP connection on port: 27217Download URLs
http://91.215.170.45/banner.tif (mypanelftp.co.cc)
Data posted to URLs
http://91.215.170.45/vorota.php (mypanelftp.co.cc)

Outgoing connection to remote server: mypanelftp.co.cc TCP port 80
Outgoing connection to remote server: mypanelftp.co.cc TCP port 80
Outgoing connection to remote server: mypanelftp.co.cc TCP port 80
Outgoing connection to remote server: mypanelftp.co.cc TCP port 80

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “Guid” = 8aefce96-4618-42ff-a057-3536aa78233e
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “EventMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryCount” = [REG_DWORD, value: 00000010]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “TypesSupported” = [REG_DWORD, value: 00000007]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} “{23343233-2C66-3B33-3432-343233343233}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoft “” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit” = C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32sdra64.exe,
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{420B2830-E718-11CF-893D-00A0C9054228}1.0 “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography “MachineGuid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcesssvchostDEBUG “Trace Level”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTGlobalDEBUG “Trace Level”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlNetwork{4D36E972-E325-11CE-BFC1-08002BE10318}{5D19E473-BE30-416B-B5C7-D8A091C41D2F}Connection “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{9D719E4E-0E1B-FC8C-68A6-E16CED23FACC} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRDPNPNetworkProvider “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWebClientNetworkProvider “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceslanmanworkstationNetworkProvider “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} “{21323133-4B4A-686E-646B-6D6E69686A64}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit”

File Changes by all processes
New Files c:install_flash_player.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceRasAcd
DeviceTcp6
DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32lowseclocal.ds
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32sdra64.exe
Opened Files C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32scrrun.dll
.PIPEROUTER
.Ip
c:autoexec.bat
.Ip6
.pipe_AVIRA_2109
.pipe_AVIRA_2108
C:WINDOWSsystem32lowseclocal.ds
DeviceRdpDr
.PIPEwkssvc
.shadow
.PIPEDAV RPC SERVICE
.PIPElsarpc
C:WINDOWSsystem32sdra64.exe
C:WINDOWSsystem32ntdll.dll
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
Deleted Files C:WINDOWSsystem32lowseclocal.ds
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32sdra64.exe
Chronological Order Create/Open File: c:install_flash_player.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSsystem32scrrun.dll (OPEN_EXISTING)
Get File Attributes: c:install_flash_player.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:install_flash_player.exe
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Create/Open File: DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Open File: .Ip6 (OPEN_EXISTING)
Open File: .pipe_AVIRA_2109 (OPEN_EXISTING)
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Open File: C:WINDOWSsystem32lowseclocal.ds (OPEN_EXISTING)
Find File: C:WINDOWSsystem32lowsecuser.ds.lll
Find File: C:WINDOWSsystem32lowsecuser.ds
Move File: C:WINDOWSsystem32lowsecuser.ds to C:WINDOWSsystem32lowsecuser.ds.lll
Open File: DeviceRdpDr ()
Open File: .PIPEwkssvc (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32lowsec Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:WINDOWSsystem32lowseclocal.ds Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32lowseclocal.ds
Create File: C:WINDOWSsystem32lowseclocal.ds
Open File: .shadow (OPEN_EXISTING)
Open File: .PIPEDAV RPC SERVICE (OPEN_EXISTING)
Create/Open File: C:WINDOWSsystem32lowsecuser.ds.lll (OPEN_ALWAYS)
Set File Attributes: C:WINDOWSsystem32lowsecuser.ds.lll Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32lowsecuser.ds.lll
Open File: .PIPElsarpc (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32sdra64.exe
Copy File: c:install_flash_player.exe to C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32sdra64.exe (OPEN_EXISTING)
Open File: C:WINDOWSsystem32ntdll.dll (OPEN_EXISTING)
Set File Time: C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)

Categories: Uncategorized