DNS Lookup
Host Name          IP Address
www.zzgame.co.kr
www.zzgame.co.kr   220.90.213.158
114.207.112.169    114.207.112.169
Download URLs
http://220.90.213.158/SPMgrs/SPMgrs.svc (www.zzgame.co.kr)
http://114.207.112.169/MSSPMGR/NVCC.exe (114.207.112.169)
http://220.90.213.158/SPMgrs/initi.dll (www.zzgame.co.kr)
http://114.207.112.169/count_log/log/boot.php?p=SPMgrs&m=00-00-00-00-00-00 (114.207.112.169)
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: 114.207.112.169 TCP port 80
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: 114.207.112.169 TCP port 80
DNS Lookup
Host Name          IP Address
www.zzgame.co.kr
www.zzgame.co.kr   220.90.213.158
Download URLs
http://220.90.213.158/MSSPMGR/NVCm.dll (www.zzgame.co.kr)
http://220.90.213.158/MSSPMGR/MSSPMGR.exe (www.zzgame.co.kr)
http://220.90.213.158/MSSPMGR/Po2MbRX.dll (www.zzgame.co.kr)
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
DNS Lookup
Host Name          IP Address
www.zzgame.co.kr
www.zzgame.co.kr   220.90.213.158
Download URLs
http://220.90.213.158/MSSPMGR/MSSPMGR.svc (www.zzgame.co.kr)
http://114.207.112.169/count_log/log/boot.php?p=MSSPMGR&m=00-00-00-00-00-00 (114.207.112.169)
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: 114.207.112.169 TCP port 80
Registry Changes by all processes
Create or Open
Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SPMgrs” = c:\SPMgrs.exe
HKEY_CURRENT_USER\Software\spmgrs “installinfo” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\NVCC “FromDate” = [REG_BINARY, size: 8 bytes]
HKEY_CURRENT_USER\Software\NVCC “installinfo” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\spmgrs “day” = 12.02.2010
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75FA8033-3DB3-434F-A535-24C918F79F39} “” =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75FA8033-3DB3-434F-A535-24C918F79F39}\InprocServer32 “” = C:\WINDOWS\system32\NVCm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75FA8033-3DB3-434F-A535-24C918F79F39}\InprocServer32 “ThreadingModel” = Apartment
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MSSPMGR” = C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
HKEY_CURRENT_USER\Software\msspmgr “installinfo” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MSSPMGR” = C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
HKEY_CURRENT_USER\Software\msspmgr “installinfo” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\msspmgr “day” = 12.02.2010
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “10”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “TokenSize”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SPMgrs”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “AhnLab V3Lite Tray Process”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AhnLab V3Lite Tray Process”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “NaverPCGreen”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “NaverPCGreen”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “ALYac”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ALYac”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “NaverVaccine”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “NaverVaccine”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “VaccineSystem”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “VaccineSystem”
HKEY_CURRENT_USER\Software\NVCC “FromDate”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “SmartSupporter-iscan”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “SmartSupporter-iscan”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “CSEARCH”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CSEARCH”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “withmoa”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “withmoa”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “playegg”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “playegg”
HKEY_CURRENT_USER\Software\NVCC “installinfo”
HKEY_CURRENT_USER\Software\spmgrs “day”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “EnableExtensions”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DelayedExpansion”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DefaultColor”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “CompletionChar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “PathCompletionChar”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “AutoRun”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DisableUNCCheck”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “EnableExtensions”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DelayedExpansion”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DefaultColor”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “CompletionChar”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “PathCompletionChar”
HKEY_CURRENT_USER\Software\Microsoft\Command Processor “AutoRun”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MSSPMGR”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “AhnLab V3Lite Tray Process”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “AhnLab V3Lite Tray Process”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “NaverPCGreen”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “NaverPCGreen”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “ALYac”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “ALYac”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “NaverVaccine”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “NaverVaccine”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “VaccineSystem”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “VaccineSystem”
HKEY_CURRENT_USER\Software\msspmgr “day”
File Changes by all processes
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss6.tmp
c:\SPMgrs.svc
C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss9.tmp
c:\windows\temp\NVCC.exe
C:\WINDOWS\$NtUninstallKB952287$\spuninst\mssC.tmp
C:\WINDOWS\Help\initi.dll
C:\WINDOWS\Help\NksGCymSn.dll
C:\WINDOWS\Help\deleteself.bat
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\WINDOWS\Temp\MSTF.tmp
C:\WINDOWS\system32\NVCm.dll
C:\WINDOWS\Temp\MST12.tmp
C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
C:\WINDOWS\Temp\MST15.tmp
C:\WINDOWS\Help\Po2MbRX.dll
C:\WINDOWS\Help\nnQnMEPRa.dll
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\WINDOWS\Temp\MST19.tmp
C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
Opened Files
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\Ip
c:\SPMgrs.svc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\windows\temp
C:\WINDOWS\Help
\\.\PIPE\wkssvc
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\drivers\etc
C:\WINDOWS\Help\deleteself.bat
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\Ip
C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
\\.\PIPE\wkssvc
Deleted Files
C:\WINDOWS\Help\NksGCymSn.dll
C:\WINDOWS\Help\deleteself.bat
c:\windows\temp\NVCC.exe
C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
Chronological Order
Delete File:
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: c:\_SPMgrs.exe
Find File: c:\
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Find File: c:\SPMgrs.svc
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Find File: C:\WINDOWS\$NtUninstallKB952287$\spuninst
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\$NtUninstallKB952287$ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\$NtUninstallKB952287$\spuninst Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss6.tmp
Move File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss6.tmp to c:\SPMgrs.svc
Open File: c:\SPMgrs.svc (OPEN_EXISTING)
Get File Attributes: c:\windows\temp Flags: (SECURITY_ANONYMOUS)
Find File: c:\windows\temp\NVCC.exe
Create File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss9.tmp
Move File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mss9.tmp to c:\windows\temp\NVCC.exe
Find File: C:\WINDOWS\Help
Get File Attributes: C:\WINDOWS\Help Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Help\initi.dll
Create File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mssC.tmp
Move File: C:\WINDOWS\$NtUninstallKB952287$\spuninst\mssC.tmp to C:\WINDOWS\Help\initi.dll
Move File: C:\WINDOWS\Help\initi.dll to C:\WINDOWS\Help\NksGCymSn.dll
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\windows\temp ()
Find File: C:\WINDOWS\Temp\NVCC.exe
Create File: C:\WINDOWS\Help\deleteself.bat
Open File: C:\WINDOWS\Help ()
Find File: C:\WINDOWS\Help\deleteself.bat
Find File: C:\WINDOWS\system32\smartsupport_iscan.exe
Find File: C:\Program Files\csearch\cSearchUpmon.exe
Find File: C:\Program Files\WithMoa Software\withmoaup.exe
Find File: c:\windows\system32\mscmds.dll
Find File: c:\windows\system32\iecmds.dll
Find File: c:\windows\system32\linedw.dll
Find File: c:\windows\system32\middlew.dll
Find File: c:\windows\system32\VPCR.dll
Find File: c:\windows\system32\shells.dll
Find File: c:\windows\system32\yahooshell.dll
Find File: c:\windows\system32\yutil.dll
Find File: c:\windows\system32\yshell.dll
Find File: c:\windows\system32\shared.dll
Find File: c:\windows\system32\tabb.dll
Find File: c:\windows\system32\ipl.dll
Find File: c:\windows\system32\xpu.dll
Find File: c:\windows\system32\vxer.dll
Find File: c:\windows\system32\NBKey.dll
Find File: c:\windows\system32\acon.dll
Find File: c:\windows\system32\seal.dll
Find File: c:\windows\system32\bean.dll
Find File: c:\windows\system32\nextab.dll
Find File: c:\windows\system32\tabs.dll
Find File: c:\windows\system32\mgmsvc.dll
Find File: c:\windows\system32\msvc.dll
Find File: c:\windows\system32\isnap.dll
Find File: c:\windows\system32\tabcontrol.dll
Find File: c:\windows\system32\tabconsole.dll
Find File: c:\windows\system32\kv.dll
Find File: c:\windows\system32\kvsvc.dll
Find File: c:\windows\system32\yahoosvc.dll
Find File: C:\Program Files\playegg\webgrade.exe
Find File: c:\SPMgrs.exe
Find File: C:\Program Files\Internet Explorer\Connection Wizard\SPMgrs.svc
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\ipl.dll
Find File: C:\WINDOWS\system32\tabs.dll
Find File: C:\WINDOWS\system32\xpu.dll
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\WINDOWS\system32
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\NVCm.dll
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Find File: C:\WINDOWS\Temp
Get File Attributes: C:\WINDOWS\Temp Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\Temp\MSTF.tmp
Move File: C:\WINDOWS\Temp\MSTF.tmp to C:\WINDOWS\system32\NVCm.dll
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS
Find File: C:\
Get File Attributes: C:\WINDOWS\system32\NVCm.dll Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\system32\NVCm.dll Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_COMPRESSED FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_COMPRESSED SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
Find File: C:\WINDOWS\system32\drivers\etc
Get File Attributes: C:\WINDOWS\system32\drivers Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\drivers\etc Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\Temp\MST12.tmp
Move File: C:\WINDOWS\Temp\MST12.tmp to C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
Get File Attributes: C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_COMPRESSED FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_COMPRESSED SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Help
Get File Attributes: C:\WINDOWS\Help Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Help\Po2MbRX.dll
Create File: C:\WINDOWS\Temp\MST15.tmp
Move File: C:\WINDOWS\Temp\MST15.tmp to C:\WINDOWS\Help\Po2MbRX.dll
Move File: C:\WINDOWS\Help\Po2MbRX.dll to C:\WINDOWS\Help\nnQnMEPRa.dll
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drivers\etc ()
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\WINDOWS\Help\deleteself.bat
Open File: C:\WINDOWS\Help\deleteself.bat (OPEN_EXISTING)
Find File: c:\attrib.*
Find File: c:\attrib
Find File: C:\WINDOWS\system32\attrib.*
Find File: C:\WINDOWS\system32\attrib.COM
Find File: C:\WINDOWS\system32\attrib.EXE
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\attrib.exe
Get File Attributes: C:\WINDOWS\Help\NksGCymSn.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Help\NksGCymSn.dll
Delete File: C:\WINDOWS\Help\NksGCymSn.dll
Get File Attributes: C:\WINDOWS\Help\deleteself.bat Flags: (SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\Help\deleteself.bat
Delete File: c:\windows\temp\NVCC.exe
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\drivers\etc\_MSSPMGR.exe
Find File: C:\WINDOWS\system32\drivers\etc
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\drivers Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\drivers\etc Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Find File: C:\WINDOWS\Temp
Get File Attributes: C:\WINDOWS\Temp Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\Temp\MST19.tmp
Move File: C:\WINDOWS\Temp\MST19.tmp to C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
Open File: C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc (OPEN_EXISTING)
Find File: C:\WINDOWS\system32\drivers\etc\MSSPMGR.exe
Delete File: C:\WINDOWS\system32\drivers\etc\MSSPMGR.svc
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Find File: C:\WINDOWS\Help
Find File: C:\WINDOWS\Help\NksGCymSn.dll
Set File Attributes: C:\WINDOWS\Help\NksGCymSn.dll Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_COMPRESSED FILE_ATTRIBUTE_COMPRESSED SECURITY_ANONYMOUS)