www.claudia-ferrer.com

www.claudia-ferrer.com 200.98.197.72
Download URLs
http://200.98.197.72/site/javawhelper.jpg (www.claudia-ferrer.com)
http://200.98.197.72/site/huntermails.jpg (www.claudia-ferrer.com)
http://200.98.197.72/site/msgnlive.jpg (www.claudia-ferrer.com)

Outgoing connection to remote server: www.claudia-ferrer.com TCP port 80
Outgoing connection to remote server: www.claudia-ferrer.com TCP port 80
Outgoing connection to remote server: www.claudia-ferrer.com TCP port 80

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECA9A748-EC22-4405-9F94-19CADCD27081} "" =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECA9A748-EC22-4405-9F94-19CADCD27081}\InprocServer32 "" = C:\WINDOWS\system32\javawhelper.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ECA9A748-EC22-4405-9F94-19CADCD27081}\InprocServer32 "ThreadingModel" = Apartment
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "huntermails.exe" = C:\WINDOWS\system32\huntermails.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msgnlive.exe" = C:\WINDOWS\system32\msgnlive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = [REG_DWORD, value: 00000000]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes "MS Shell Dlg 2"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes "MS Shell Dlg 2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup "IExploreLastModifiedLow"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup "IExploreLastModifiedHigh"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\P3Global "Enabled"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History "DaysToKeep"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes "MS Shell Dlg 2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup "IExploreLastModifiedLow"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup "IExploreLastModifiedHigh"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32 ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\P3Global "Enabled"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"

File Changes by all processes
New Files
\Device\RasAcd
C:\WINDOWS\system32\javawhelper.jpg
C:\WINDOWS\system32\javawhelper.dll
C:\WINDOWS\system32\huntermails.jpg
C:\WINDOWS\system32\huntermails.exe
C:\WINDOWS\system32\msgnlive.jpg
C:\WINDOWS\system32\msgnlive.exe
\Device\Tcp
\Device\Ip
\Device\Ip
Opened Files
C:\WINDOWS\system32\javawhelper.jpg
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
C:\WINDOWS\system32\huntermails.jpg
C:\WINDOWS\system32\msgnlive.jpg
C:\Windows\System32
\\.\Ip
C:\WINDOWS\Registration\R000000000007.clb
C:\Programme\Internet Explorer\IEXPLORE.EXE
\\.\PIPE\lsarpc
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\Registration\R000000000007.clb
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ieframe.dll
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\System32
Deleted Files
C:\WINDOWS\system32\javawhelper.jpg
C:\WINDOWS\system32\huntermails.jpg
C:\WINDOWS\system32\msgnlive.jpg
Chronological Order
Find File: c:\visualizar.de-DE
Find File: c:\visualizar.de
Find File: c:\visualizar.DEU
Find File: c:\visualizar.DE
Set File Attributes: c:\visualizar.scr Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\javawhelper.dll Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create File: C:\WINDOWS\system32\javawhelper.jpg
Open File: C:\WINDOWS\system32\javawhelper.jpg (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\javawhelper.dll
Delete File: C:\WINDOWS\system32\javawhelper.jpg
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\regsvr32.exe
Set File Attributes: C:\WINDOWS\system32\javawhelper.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\huntermails.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\system32\huntermails.jpg
Open File: C:\WINDOWS\system32\huntermails.jpg (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\huntermails.exe
Find File: C:\WINDOWS\system32\huntermails.exe
Delete File: C:\WINDOWS\system32\huntermails.jpg
Set File Attributes: C:\WINDOWS\system32\huntermails.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\msgnlive.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\system32\msgnlive.jpg
Open File: C:\WINDOWS\system32\msgnlive.jpg (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\msgnlive.exe
Find File: C:\WINDOWS\system32\msgnlive.exe
Delete File: C:\WINDOWS\system32\msgnlive.jpg
Set File Attributes: C:\WINDOWS\system32\msgnlive.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Windows\System32 ()
Find File: C:\WINDOWS\system32\cmd.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\huntermails.de-DE
Find File: C:\WINDOWS\system32\huntermails.de
Find File: C:\WINDOWS\system32\huntermails.DEU
Find File: C:\WINDOWS\system32\huntermails.DE
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\Programme\Internet Explorer\IEXPLORE.EXE (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ieframe.dll (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Verlauf\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\msgnlive.de-DE
Find File: C:\WINDOWS\system32\msgnlive.de
Find File: C:\WINDOWS\system32\msgnlive.DEU
Find File: C:\WINDOWS\system32\msgnlive.DE
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\Programme\Internet Explorer\IEXPLORE.EXE (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ieframe.dll (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\ieframe.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\liveLOG.txt Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\WINDOWS\System32\reg.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32 ()
Find File: C:\WINDOWS\system32\reg.exe
