DNS Lookup
Host Name IP Address
0 127.0.0.1
core3019.aquashoolonline.com
core3019.aquashoolonline.com 66.197.155.197
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1070
Send Datagram: 542 packet(s) of size 1
Recv Datagram: 542 packet(s) of size 1
Download URLs
http://66.197.155.197/stat/action3.cgi?p=1&a=3019&system=7.0.5730|5.1.3|1031&id=A590474043D749CFCDB2 (core3019.aquashoolonline.com)
http://66.197.155.197/stget2.cgi?host=host&id=3019 (core3019.aquashoolonline.com)
Outgoing connection to remote server: core3019.aquashoolonline.com TCP port 80
Outgoing connection to remote server: core3019.aquashoolonline.com TCP port 80DNS Lookup
Host Name IP Address
time.windows.com 207.46.232.182
0 127.0.0.1
core3019.aquashoolonline.com
core3019.aquashoolonline.com 66.197.155.197
jn3019.onlineaquaorder.com
jn3019.onlineaquaorder.com 64.120.179.90
UDP Connections
Remote IP Address: 207.46.232.182 Port: 123
Send Datagram: packet(s) of size 48
Recv Datagram: packet(s) of size 48
Remote IP Address: 207.46.232.182 Port: 123
Send Datagram: packet(s) of size 48
Recv Datagram: packet(s) of size 48
Remote IP Address: 127.0.0.1 Port: 1075
Send Datagram: 50 packet(s) of size 1
Recv Datagram: 50 packet(s) of size 1
Remote IP Address: 207.46.232.182 Port: 123
Send Datagram: packet(s) of size 48
Recv Datagram: packet(s) of size 48
Remote IP Address: 207.46.232.182 Port: 123
Send Datagram: packet(s) of size 48
Recv Datagram: packet(s) of size 48
Download URLs
http://66.197.155.197/stat/action3.cgi?p=3&a=3019&system=7.0.5730|5.1.3|1031&id=A590474043D749CFCDB2 (core3019.aquashoolonline.com)
http://64.120.179.90/signup.cgi?ver=3&aff=3019&hwid=A590474043D749CFCDB2 (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/up.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/t.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/bg.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/cvv.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/dw.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/lfbg.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/cn.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/visamc.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/shadowlf.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/shadowrh.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/rhbg.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/signup.cgi?ver=3&aff=3019&hwid=A590474043D749CFCDB2 (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/up.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/bg.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/lfbg.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/t.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/cn.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/shadowlf.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/rhbg.jpg (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/visamc.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/cvv.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/dw.gif (jn3019.onlineaquaorder.com)
http://64.120.179.90/im/shadowrh.gif (jn3019.onlineaquaorder.com)
Outgoing connection to remote server: core3019.aquashoolonline.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Outgoing connection to remote server: jn3019.onlineaquaorder.com TCP port 80
Registry Changes by all processes
Create or Open
Changes HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “Quick Time Updater” = C:Programmeqtime8_32.exe
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{19090308-636D-4e9b-A1CE-A647B6F794BF} “” = ADC PlugIn
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{19090308-636D-4e9b-A1CE-A647B6F794BF}InprocServer32 “” = C:Programmeshk_v10.dll
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{19090308-636D-4e9b-A1CE-A647B6F794BF}InprocServer32 “ThreadingModel” = Apartment
HKEY_LOCAL_MACHINESOFTWAREClassesexefileshellopencommand “” = C:Programmeconhost.exe “%1” %*
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “Version”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoDrives”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “RestrictRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoNetConnectDisconnect”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRecentDocsHistory”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoClose”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoDrives”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “RestrictRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoNetConnectDisconnect”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRecentDocsHistory”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoClose”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_CLASSES_ROOT “NetworkSharingHandler”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlProductOptions “ProductType”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesLanmanServerDefaultSecurity “SrvsvcDefaultShareInfo”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check9”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check10”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check11”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check12”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check13”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check14”
HKEY_CURRENT_USERSoftwareWireshark AntivirusWireshark Antivirusshark “check15”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “Version”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards10 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards14 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards15 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards16 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards17 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “ServiceName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards2 “Title”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsIEXPLORE.EXE “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedLow”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup “IExploreLastModifiedHigh”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}TypeLib “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{B722BCCB-4E68-101B-A2BC-00AA00404770}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{000214E6-0000-0000-C000-000000000046}ProxyStubClsid32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}ProxyStubClsid32 “”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSecurityP3Global “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerAppCompatibility “DisableAppCompat”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{871C5380-42A0-1069-A2EA-08002B30309D}InProcServer32 “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_INTERNET_SHELL_FOLDERS “Wireshark Antivirus.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_INTERNET_SHELL_FOLDERS “*”
HKEY_LOCAL_MACHINESOFTWAREClassesHTTP “ShellFolder”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5067A26B-1337-4436-8AFE-EE169C2DA79F} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{5067A26B-1337-4436-8AFE-EE169C2DA79F}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “ButtonText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “MenuText”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{77BF5300-1474-4EC7-9980-D32B190E9B07} “Default Visible”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{e2e2dd38-d088-4134-82b7-f2ba38496583} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{e2e2dd38-d088-4134-82b7-f2ba38496583}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “clsid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Icon”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “ButtonText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Exec”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Script”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuText”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuCustomize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “MenuStatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerLowRegistryExtensionsCmdMapping “{FB5F1910-F110-11d2-BB9E-00C04F795683}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FB5F1910-F110-11d2-BB9E-00C04F795683} “Default Visible”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesRatings “Key”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “No3DBorder”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “No3DBorder”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “UrlEncoding”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “AcceptLanguage”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “ProxyEnable”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsICWCONN1.EXE “Path”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility~/CONNWIZ.HTM “Compatibility Flags”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility~/CWIZINTR.HTM “Compatibility Flags”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerApplication Compatibility “Wireshark Antivirus.exe”
HKEY_CURRENT_USERControl PanelInternational “NumShape”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUrl History “DaysToKeep”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “SmartDithering”
HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer “RtfConverterFlags”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseClearType”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Page_Transitions”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use_DlgBox_Colors”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Anchor Underline”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “CSS_Compat”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Expand Alt Text”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Display Inline Images”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Display Inline Videos”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Play_Background_Sounds”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Play_Animations”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Print_Background”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Use Stylesheets”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “SmoothScroll”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “XMLHTTP”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Show image placeholders”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Disable Script Debugger”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “DisableScriptDebuggerIE”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Move System Caret”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Force Offscreen Composition”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Enable AutoImageResize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseThemes”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “UseHR”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Q300829”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Disable_Local_Machine_Navigate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Cleanup HTCs”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Q331869”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “AlwaysAllowExecCommand”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “Default_CodePage”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternational “AutoDetect”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts “Default_IEFontSize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts “Default_IEFontSizePrivate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color Visited”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Anchor Color Hover”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Colors”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Font Size”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Always Use My Font Face”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “Use Anchor Hover Color”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSettings “MiscFlags”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPolicies “Allow Programmatic Cut_Copy_Paste”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “DisableCachingOfSSLPages”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlNlsCodePage “950”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFontSize”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFontSizePrivate”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEPropFontName”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerInternationalScripts3 “IEFixedFontName”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “PopupMgr”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}InprocServer32 “”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “BlockUserInit”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “UseTimerMethod”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “UseHooks”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “AllowHTTPS”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerNew Windows “BlockControls”
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPhishingFilter “Enabled”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings “IEHardenWarnOnNav”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet Settings “IEHardenWarnOnNav”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile x00000000{63800dac-e7ca-4df9-9a5c-20765055488d} “Enable”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{5130A009-5540-4FCF-97EB-AAD33FC0EE09} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{7AE86BB7-262C-431E-9111-C974B6B7CAC3} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{C6DEBC0A-F2B2-4F17-930E-CA9FAFF4CD04} “Description”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCOM3 “COM+Enabled”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerMain “MaxRenderLine”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet Explorer “UseMMX”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerFeed Discovery “Enabled”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{C6DEBC0A-F2B2-4F17-930E-CA9FAFF4CD04} “IconIndex”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{5130A009-5540-4FCF-97EB-AAD33FC0EE09} “IconIndex”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryItem{7AE86BB7-262C-431E-9111-C974B6B7CAC3} “IconIndex”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{FF393560-C2A7-11CF-BFF4-444553540000}InProcServer32 “”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoDrives”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “RestrictRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoNetConnectDisconnect”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRecentDocsHistory”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoClose”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoDrives”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “RestrictRun”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoNetConnectDisconnect”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoRecentDocsHistory”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer “NoClose”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetworkCards
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerURL Compatibility
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile x00000000
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryCategory{B95F181B-EA4C-4AF1-8056-7C321ABBB091}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}CategoryCategory{B95F181B-EA4C-4AF1-8056-7C321ABBB091}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}CategoryCategory{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFTIP{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}CategoryItem{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
File Changes by all processes
New Files C:Programmeqtime8_32.exe
DeviceRasAcd
DeviceTcp
DeviceIp
DeviceIp
C:Programmewrs1196078_32.bat
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
C:Dokumente und EinstellungenAdministratorStartmenüProgrammeWireshark AntivirusWireshark Antivirus.lnk
C:Dokumente und EinstellungenAdministratorDesktopWireshark Antivirus.lnk
DeviceRasAcd
C:Programmeskynet.dat
C:Programmesh4.dat
C:Programmecsrss.exe
C:Programmesh3.dat
DeviceTcp
DeviceIp
DeviceIp
C:Programmeshk_v10.dll
C:Programmeconhost.exe
C:Programmenuar.old
C:Dokumente und EinstellungenAdministratorLokale EinstellungenAnwendungsdatenMicrosoftInternet ExplorerMSIMGSIZ.DAT
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Opened Files c:avs.exe
c:avs.exe
.{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
.{1BE68DBD-1099-491C-9BCE-62B99CC6D22C}
.{961DDB9A-5851-427D-8C35-0802698511F8}
.{858E15A6-D897-45C5-A55B-59055F6D8214}
.{802DC4F4-5DD3-4DF4-B198-88959BCE3DD8}
.{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471}
.PIPElsarpc
c:autoexec.bat
.PIPEROUTER
.Ip
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:Programme
C:WINDOWSsystem32
C:Programmewshark.exe
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:ProgrammeWireshark Antivirus
C:Programmewrs1196078_32.bat
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
C:WINDOWSRegistrationR000000000007.clb
.PIPElsarpc
.PIPEsrvsvc
.PIPEwkssvc
C:Programmesec.dat
C:Programmeskynet.dat
.{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
.{1BE68DBD-1099-491C-9BCE-62B99CC6D22C}
.{961DDB9A-5851-427D-8C35-0802698511F8}
.{858E15A6-D897-45C5-A55B-59055F6D8214}
.{802DC4F4-5DD3-4DF4-B198-88959BCE3DD8}
.{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471}
c:autoexec.bat
.PIPEROUTER
.Ip
C:Programmeshk_v10.dll
C:ProgrammeInternet ExplorerIEXPLORE.EXE
C:WINDOWSsystem32xpsp3res.dll
C:WINDOWSsystem32de-DEieframe.dll.mui
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Deleted Files C:Programmeqtime8_32.exe
c:avs.exe
Chronological Order Open File: c:avs.exe (OPEN_EXISTING)
Open File: c:avs.exe (OPEN_EXISTING)
Create File: C:Programmeqtime8_32.exe
Open File: .{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_EXISTING)
Open File: .{1BE68DBD-1099-491C-9BCE-62B99CC6D22C} (OPEN_EXISTING)
Open File: .{961DDB9A-5851-427D-8C35-0802698511F8} (OPEN_EXISTING)
Open File: .{858E15A6-D897-45C5-A55B-59055F6D8214} (OPEN_EXISTING)
Open File: .{802DC4F4-5DD3-4DF4-B198-88959BCE3DD8} (OPEN_EXISTING)
Open File: .{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471} (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempwin3.tmp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Programmewshark.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:Programme ()
Find File: C:Programmewshark.exe
Delete File: C:Programmeqtime8_32.exe
Set File Attributes: c:avs.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Create File: C:Programmewrs1196078_32.bat
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Open File: C:Programmewshark.exe (OPEN_EXISTING)
Copy File: C:Programmewshark.exe to C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:ProgrammeWireshark Antivirus ()
Find File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Move File: C:Programmewshark.exe to
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:Programmewrs1196078_32.bat
Open File: C:Programmewrs1196078_32.bat (OPEN_EXISTING)
Get File Attributes: c:avs.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Find File: c:avs.exe
Delete File: c:avs.exe
Open File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe (OPEN_EXISTING)
Copy File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe to C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: C:Programmedesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorEigene Dateiendesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersDokumentedesktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: .PIPEsrvsvc (OPEN_EXISTING)
Get File Attributes: C:Dokumente und EinstellungenAdministratorStartmenüProgrammeWireshark AntivirusWireshark Antivirus.lnk Flags: (SECURITY_ANONYMOUS)
Create File: C:Dokumente und EinstellungenAdministratorStartmenüProgrammeWireshark AntivirusWireshark Antivirus.lnk
Get File Attributes: C:Dokumente und EinstellungenAdministratorStartmenüdesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersStartmenüdesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersAnwendungsdatendesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorAnwendungsdatendesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorEigene DateienEigene Bilderdesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersDokumenteEigene Bilderdesktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: .PIPEwkssvc (OPEN_EXISTING)
Get File Attributes: C:Dokumente und EinstellungenAll UsersDokumenteEigene Musikdesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAll UsersDokumenteEigene Videosdesktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorDesktopWireshark Antivirus.lnk Flags: (SECURITY_ANONYMOUS)
Create File: C:Dokumente und EinstellungenAdministratorDesktopWireshark Antivirus.lnk
Open File: C:Programmesec.dat (OPEN_EXISTING)
Open File: C:Programmeskynet.dat (OPEN_EXISTING)
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Create File: C:Programmeskynet.dat
Find File: C:WINDOWS*.*
Find File: C:WINDOWS$hf_mig$*.*
Find File: C:WINDOWS$hf_mig$KB898461*.*
Get File Attributes: C:Programmenuar.old Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Programmeex1.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:Programmesh4.dat
Create File: C:Programmecsrss.exe
Create File: C:Programmesh3.dat
Open File: .{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_EXISTING)
Open File: .{1BE68DBD-1099-491C-9BCE-62B99CC6D22C} (OPEN_EXISTING)
Open File: .{961DDB9A-5851-427D-8C35-0802698511F8} (OPEN_EXISTING)
Open File: .{858E15A6-D897-45C5-A55B-59055F6D8214} (OPEN_EXISTING)
Open File: .{802DC4F4-5DD3-4DF4-B198-88959BCE3DD8} (OPEN_EXISTING)
Open File: .{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471} (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Create File: C:Programmeshk_v10.dll
Open File: C:Programmeshk_v10.dll (OPEN_EXISTING)
Create File: C:Programmeconhost.exe
Find File: C:WINDOWS$hf_mig$KB898461update*.*
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempwin13.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:Programmenuar.old
Find File: C:WINDOWS$hf_mig$KB923561*.*
Find File: C:WINDOWS$hf_mig$KB923561SP3QFE*.*
Open File: C:ProgrammeInternet ExplorerIEXPLORE.EXE (OPEN_EXISTING)
Get File Attributes: C:ProgrammeSkypeToolbarsInternet Explorerfavicon.ico Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32xpsp3res.dll (OPEN_EXISTING)
Get File Attributes: C:ProgrammeMessengermsmsgs.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32de-DEieframe.dll.mui (OPEN_EXISTING)
Get File Attributes: C:Dokumente und EinstellungenAdministratorLokale EinstellungenAnwendungsdatenMicrosoft Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorLokale EinstellungenAnwendungsdatenMicrosoftInternet Explorer Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenAnwendungsdatenMicrosoftInternet ExplorerMSIMGSIZ.DAT (OPEN_ALWAYS)
Get File Attributes: C:Dokumente und EinstellungenAdministratorLokale EinstellungenVerlaufdesktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe (OPEN_EXISTING)
Copy File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe to C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Open File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe (OPEN_EXISTING)
Copy File: C:ProgrammeWireshark AntivirusWireshark Antivirus.exe to C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
Steven K - August 10, 2010 at 8:04 pm
C:ProgrammeWireshark AntivirusWireshark Antivirus.exe
ahem i work on it, the rogue actually send a request to jn3019.onlineaquaorder.com, when you use the mail form:
POST /forum.cgi HTTP/1.1
Host: jn3019.onlineaquaorder.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 29
Connection: close
email=phoenixbytes@live.fr&message=testHTTP/1.1 200 OK
Date: Tue, 10 Aug 2010 19:55:09 GMT
Server: Apache/1.3.42 (Unix) PHP/5.3.2
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
0
"Host Name IP Address
time.windows.com 207.46.232.182"
same for wireshark and also time.nist.gov
Pig - August 11, 2010 at 12:06 pm
welcome to the board steven 🙂