Zoek.exe Version 4.0.0.5 Updated 26-October-2013
Tool run by Administrator on zo 03/11/2013 at 18:42:15,10.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Documents and Settings\Administrator\Desktop\zoek\zoek.exe
Script used: C:\Documents and Settings\Administrator\Desktop\zoek\zoekscript.txt

==== System Restore Info ======================

3/11/2013 18:42:47 Zoek.exe System Restore Point Created Succesfully.

==== Suspicious Entries Found ======================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP"="5985:TCP:*:Disabled:Windows Remote Management "
"80:TCP"="80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In) "
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"

==== Creating Sample_20130311_1842.zip ======================

Process iexplore.exe killed
Process rundll32.exe killed
Copied file C:\WINDOWS\imsins.BAK to sample\imsins.BAK
sample\imsins.BAK renamed to B8D4EA46487ABF5EB080126C804A40B2
C:\Documents and Settings\All Users\Desktop\sample_20130311_1842.zip created successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2581ed35-4120-4611-aff0-7bb38a0331be} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2581ed35-4120-4611-aff0-7bb38a0331be} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{463B0ED4-8AFA-404B-90E7-4063A0708050} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{463B0ED4-8AFA-404B-90E7-4063A0708050} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1AF5FA5-852C-4C90-812E-A7F75E011D87} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1AF5FA5-852C-4C90-812E-A7F75E011D87} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA3D98A6-868D-4E1B-BB78-0887230DA405} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{82E1477C-B154-48D3-9891-33D83C26BCD3} deleted successfully
HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{82E1477C-B154-48D3-9891-33D83C26BCD3} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{2581ed35-4120-4611-aff0-7bb38a0331be} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2581ed35-4120-4611-aff0-7bb38a0331be} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{463B0ED4-8AFA-404B-90E7-4063A0708050} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{463B0ED4-8AFA-404B-90E7-4063A0708050} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{DA3D98A6-868D-4E1B-BB78-0887230DA405} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA3D98A6-868D-4E1B-BB78-0887230DA405} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{82E1477C-B154-48D3-9891-33D83C26BCD3} deleted successfully

==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebCake Desktop Updater deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WebCake Desktop Updater deleted successfully

==== Registry Lines To Reset ACL ======================

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Reset Succesfully

==== Registry Fix Code ======================

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WebCake Desktop"=-

==== Deleting Files \ Folders ======================

C:\Program Files\LyricsContainer deleted
C:\Program Files\Delta deleted
"C:\WINDOWS\imsins.BAK" deleted
"C:\Program Files\Betcat\WBDesktop.Updater.1.0.0.16.exe" deleted
"C:\Documents and Settings\Administrator\Application Data\Betcat\WebCakeDesktop.exe" deleted
"C:\Documents and Settings\Administrator\Application Data\Betcat\dat\Desktop.OS.dll" deleted
"C:\Program Files\Betcat" not deleted
"C:\Documents and Settings\Administrator\Application Data\Betcat" deleted
"C:\Documents and Settings\Administrator\Application Data\Betcat\dat" deleted

==== Files Recently Created / Modified ======================

====== C:\WINDOWS ====

====== C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp ====

====== Java Cache =====

2013-11-03 15:01:35 415FC9732A3F4D89A0E01251CD66E136 646 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\17\49a00451-5cdcff27
2013-11-03 15:01:32 415FC9732A3F4D89A0E01251CD66E136 646 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\19\3d7894d3-4c746080
2013-11-03 15:01:23 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-155e7c9c

====== C:\WINDOWS\system32 =====

2013-11-03 15:01:01 B01416804D89B5EC1D206E6DF542DFAB 145408 ----a-w- C:\WINDOWS\System32\javacpl.cpl
2013-11-03 15:01:01 9223A2810B73069F4A03A636052EF14A 264616 ----a-w- C:\WINDOWS\System32\javaws.exe
2013-11-03 15:00:55 DC1342498BEE7EF1646E9D63138B69CC 175016 ----a-w- C:\WINDOWS\System32\javaw.exe
2013-11-03 15:00:55 9BF46C7F21E75FA0BB03AA93368CC66C 94632 ----a-w- C:\WINDOWS\System32\WindowsAccessBridge.dll
2013-11-03 15:00:55 658633D255FEF154EA1CB8705B4468C5 174504 ----a-w- C:\WINDOWS\System32\java.exe

====== C:\WINDOWS\system32\drivers =====

====== C:\WINDOWS\Tasks ======

2013-11-03 14:50:27 8A2EFE898AC7CAC808572C031B60CAB5 280 ----a-w- C:\WINDOWS\Tasks\BitGuard.job

====== C:\WINDOWS\Temp ======

======= C:\Program Files =====

2013-11-03 16:54:56 -------- d-----w- C:\Program Files\trend micro
2013-11-03 15:01:04 -------- d-----w- C:\Program Files\Common Files\Java
2013-11-03 15:00:42 -------- d-----w- C:\Program Files\Java

======= C: =====

====== C:\Documents and Settings\Administrator\Application Data ======

2013-11-03 15:01:22 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sun

====== C:\Documents and Settings\Administrator ======

====== C: exe-files ==

2013-11-03 16:54:57 9A2347903D6EDB84C10F288BC0578C1C 388608 ----a-w- C:\Program Files\trend micro\Administrator.exe
2013-11-03 16:54:35 69CA82A7482A00D8EE063D2B97FC4338 781383 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3GNBKJRH\RSIT[1].exe
2013-11-03 15:01:01 9223A2810B73069F4A03A636052EF14A 264616 ----a-w- C:\WINDOWS\system32\javaws.exe
2013-11-03 15:00:55 DC1342498BEE7EF1646E9D63138B69CC 175016 ----a-w- C:\WINDOWS\system32\javaw.exe
2013-11-03 15:00:55 658633D255FEF154EA1CB8705B4468C5 174504 ----a-w- C:\WINDOWS\system32\java.exe
2013-11-03 15:00:47 CE10E75E10EB6952A7D813FA587EC632 15784 ----a-w- C:\Program Files\Java\jre7\bin\ktab.exe
2013-11-03 15:00:47 CC27986F45EF9FD700BC347355B002B3 15784 ----a-w- C:\Program Files\Java\jre7\bin\rmid.exe
2013-11-03 15:00:47 CBFE91C51D4FA69FE9D140ABEB7E51DC 15784 ----a-w- C:\Program Files\Java\jre7\bin\kinit.exe
2013-11-03 15:00:47 80A79264302910C7C24BA7E44267EFEF 182696 ----a-w- C:\Program Files\Java\jre7\bin\jqs.exe
2013-11-03 15:00:47 7F55715977ECF32633857F16980F008E 52648 ----a-w- C:\Program Files\Java\jre7\bin\jp2launcher.exe
2013-11-03 15:00:47 7814B0A3E6FE8FFF31B7108D16FC4591 15784 ----a-w- C:\Program Files\Java\jre7\bin\keytool.exe
2013-11-03 15:00:47 738AF811C60870FB218D47C628D350AA 15784 ----a-w- C:\Program Files\Java\jre7\bin\rmiregistry.exe
2013-11-03 15:00:47 707BFE32E04720B9D50562669A30F86C 49064 ----a-w- C:\Program Files\Java\jre7\bin\ssvagent.exe
2013-11-03 15:00:47 5FA3FFE74E893E8A9443C2CF3DFA7A64 15784 ----a-w- C:\Program Files\Java\jre7\bin\pack200.exe
2013-11-03 15:00:47 5721DA732075E01569A287767CBCFA5A 15784 ----a-w- C:\Program Files\Java\jre7\bin\klist.exe
2013-11-03 15:00:47 555651269833A415E1F9E594E8DD829F 146344 ----a-w- C:\Program Files\Java\jre7\bin\unpack200.exe
2013-11-03 15:00:47 54A30377949D4984EE72C5510C58B83D 16296 ----a-w- C:\Program Files\Java\jre7\bin\tnameserv.exe
2013-11-03 15:00:47 464358DE0429ABB319DFE3F5E5C85F77 15784 ----a-w- C:\Program Files\Java\jre7\bin\orbd.exe
2013-11-03 15:00:47 3FB1EAAB3CD35126D1F3B9A0A5B7B2DC 15784 ----a-w- C:\Program Files\Java\jre7\bin\policytool.exe
2013-11-03 15:00:47 15EBB4D4B54FCE42D8CB116145BB7EBA 15784 ----a-w- C:\Program Files\Java\jre7\bin\servertool.exe
2013-11-03 15:00:46 DC1342498BEE7EF1646E9D63138B69CC 175016 ----a-w- C:\Program Files\Java\jre7\bin\javaw.exe
2013-11-03 15:00:46 A9743D2D69B80800FEA5F24E7C4B02B3 48040 ----a-w- C:\Program Files\Java\jre7\bin\jabswitch.exe
2013-11-03 15:00:46 9223A2810B73069F4A03A636052EF14A 264616 ----a-w- C:\Program Files\Java\jre7\bin\javaws.exe
2013-11-03 15:00:46 83D790AA563347A026771D50E3D07A9B 66984 ----a-w- C:\Program Files\Java\jre7\bin\javacpl.exe
2013-11-03 15:00:46 658633D255FEF154EA1CB8705B4468C5 174504 ----a-w- C:\Program Files\Java\jre7\bin\java.exe
2013-11-03 15:00:46 2F7EBCD8FB6557997F0583508FFFE6B1 15784 ----a-w- C:\Program Files\Java\jre7\bin\java-rmi.exe
2013-11-02 14:47:50 E66E725E10B9CB8A6F5C74D7CA9E98A9 2864096 ----a-w- C:\Documents and Settings\All Users\Application Data\BitGuard\2.7.1769.27\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\uninstall.exe
2013-11-02 14:47:30 E66E725E10B9CB8A6F5C74D7CA9E98A9 2864096 ----a-w- C:\Documents and Settings\All Users\Application Data\BitGuard\2.7.1769.27\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe

=== C: other files ==

2013-11-03 17:43:02 D23A631CDE7462DDE041F208205503FB 1105 ----a-w- C:\Documents and Settings\All Users\Desktop\sample_20130311_1842.zip
2013-11-03 15:00:47 0A35B7026416325DE4A3EEC131F6EE2C 18636 ----a-w- C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
"RTHDCPL"="RTHDCPL.EXE"
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe /StartedFromRunKey"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login"
"nwiz"="C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet"
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\docume~1\\alluse~1\\applic~1\\bitguard\\271769~1.27\\{c16c1~1\\bitguard.dll "

==== Task Scheduler Jobs ======================

C:\WINDOWS\tasks\Adobe Flash Player Updater.job --a------ C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [09/10/2013 13:12]
C:\WINDOWS\tasks\BitGuard.job --a------ C:\WINDOWS\system32\sc.exe [06/02/2009 11:39]
C:\WINDOWS\tasks\EPUpdater.job --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\BABSOL~1\Shared\BabMaint.exe []
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [12/06/2013 20:27]
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [12/06/2013 20:27]
C:\WINDOWS\tasks\LyricsContainer Update.job --a------ C:\Program Files\LyricsContainer\LrcsCtrUpdr.exe []

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [14/07/2011 17:06]

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{cd288a68-7b21-4f14-b789-82cc44992259}"="C:\Program Files\LyricsContainer\133.xpi" []

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
abfmigjiaapipflmopkaaooigcjjdojh - C:\Program Files\LyricsContainer\133.crx[]
eooncjejnppfjjklapaamhcdmjbilmde - C:\Documents and Settings\Administrator\Application Data\BabSolution\CR\Delta.crx[23/05/2013 11:15]
fjoijdanhaiflhibkljeklcghcmmfffh - C:\Program Files\Betcat\WebCakeLayers.crx[]

LyricsContainer - Administrator - Default\Extensions\abfmigjiaapipflmopkaaooigcjjdojh
Google Docs - Administrator - Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - Administrator - Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
YouTube - Administrator - Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - Administrator - Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Delta Toolbar - Administrator - Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
WebCake - Administrator - Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Google Wallet - Administrator - Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Gmail - Administrator - Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://kaatje.ketnet.be/"
"bProtector Start Page"="http://www.delta-search.com/?babsrc=HP_ss&mntrId=6458001E0B9DF5EF&affID=119556&tt=250613_gr5&tsp=4926"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="http://www.delta-search.com/?babsrc=NT_ss&mntrId=6458001E0B9DF5EF&affID=119556&tt=250613_gr5&tsp=4926"
"bProtectTabs"="http://www.delta-search.com/?babsrc=NT_ss&mntrId=6458001E0B9DF5EF&affID=119556&tt=250613_gr5&tsp=4926"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{5D02474F-08B1-47DC-BC24-556DFB94CF24}"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
"bProtector Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} Delta Search Url="http://www.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=6458001E0B9DF5EF&affID=119556&tt=250613_gr5&tsp=4926"
{5D02474F-08B1-47DC-BC24-556DFB94CF24} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

HKEY_USERS\S-1-5-21-1828693745-1477894102-373245962-500\Software\Mozilla\Firefox\Extensions\{cd288a68-7b21-4f14-b789-82cc44992259} deleted successfully

==== After Reboot ======================

==== Deleting Files / Folders ======================

"C:\Program Files\Betcat" not found

==== EOF on zo 03/11/2013 at 19:21:11,32 ======================