Zoek.exe Version 4.0.0.4 Updated 14-July-2013
Tool run by Sascha on zo 14/07/2013 at 21:55:15,79.
Microsoft Windows 8 6.2.9200 x64
Running in: Normal Mode Internet Access Detected

==== System Restore Info ======================

14/07/2013 21:55:41 Zoek.exe System Restore Point Created Succesfully.

==== Suspicious Entries Found ======================

SYMLINKS found in C:\Program Files\Windows Defender

==== Possible Rootkit Infection ======================

C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

==== Symlinks Removed ======================

Reparse point C:\Program Files\Windows Defender\SymSrv.yes succesfully deleted
Reparse point C:\Program Files\Windows Defender\nl-NL succesfully deleted

==== Checking Systemdrive for Symlinks ======================

 Volume in drive C is Acer
 Volume Serial Number is 349B-9669

 Directory of C:\

26/07/2012 09:22 Documents and Settings [C:\Users]
 0 File(s) 0 bytes

 Directory of C:\ProgramData

26/07/2012 09:22 Application Data [C:\ProgramData]
26/07/2012 09:22 Desktop [C:\Users\Public\Desktop]
26/07/2012 09:22 Documents [C:\Users\Public\Documents]
26/07/2012 09:22 Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
26/07/2012 09:22 Templates [C:\ProgramData\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Users

26/07/2012 09:22 All Users [C:\ProgramData]
26/07/2012 09:22 Default User [C:\Users\Default]
 0 File(s) 0 bytes

 Directory of C:\Users\All Users

26/07/2012 09:22 Application Data [C:\ProgramData]
26/07/2012 09:22 Desktop [C:\Users\Public\Desktop]
26/07/2012 09:22 Documents [C:\Users\Public\Documents]
26/07/2012 09:22 Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
26/07/2012 09:22 Templates [C:\ProgramData\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Users\Default

26/07/2012 09:22 Application Data [C:\Users\Default\AppData\Roaming]
26/07/2012 09:22 Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
26/07/2012 09:22 Local Settings [C:\Users\Default\AppData\Local]
26/07/2012 09:22 My Documents [C:\Users\Default\Documents]
26/07/2012 09:22 NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
26/07/2012 09:22 PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
26/07/2012 09:22 Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
26/07/2012 09:22 SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
26/07/2012 09:22 Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
26/07/2012 09:22 Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Users\Default\AppData\Local

26/07/2012 09:22 Application Data [C:\Users\Default\AppData\Local]
26/07/2012 09:22 History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
26/07/2012 09:22 Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
 0 File(s) 0 bytes

 Directory of C:\Users\Default\Documents

26/07/2012 09:22 My Music [C:\Users\Default\Music]
26/07/2012 09:22 My Pictures [C:\Users\Default\Pictures]
26/07/2012 09:22 My Videos [C:\Users\Default\Videos]
 0 File(s) 0 bytes

 Directory of C:\Users\Public\Documents

26/07/2012 09:22 My Music [C:\Users\Public\Music]
26/07/2012 09:22 My Pictures [C:\Users\Public\Pictures]
26/07/2012 09:22 My Videos [C:\Users\Public\Videos]
 0 File(s) 0 bytes

 Directory of C:\Users\Sascha

28/03/2013 15:53 Application Data [C:\Users\Sascha\AppData\Roaming]
28/03/2013 15:53 Cookies [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Cookies]
28/03/2013 15:53 Local Settings [C:\Users\Sascha\AppData\Local]
28/03/2013 15:53 Menu Start [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Start Menu]
28/03/2013 15:53 Mijn documenten [C:\Users\Sascha\Documents]
28/03/2013 15:53 NetHood [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
28/03/2013 15:53 Netwerkprinteromgeving [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
28/03/2013 15:53 Recent [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Recent]
28/03/2013 15:53 SendTo [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\SendTo]
28/03/2013 15:53 Sjablonen [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Users\Sascha\AppData\Local

28/03/2013 15:53 Application Data [C:\Users\Sascha\AppData\Local]
28/03/2013 15:53 Geschiedenis [C:\Users\Sascha\AppData\Local\Microsoft\Windows\History]
28/03/2013 15:53 Temporary Internet Files [C:\Users\Sascha\AppData\Local\Microsoft\Windows\Temporary Internet Files]
 0 File(s) 0 bytes

 Directory of C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Start Menu

28/03/2013 15:53 Programma's [C:\Users\Sascha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
 0 File(s) 0 bytes

 Directory of C:\Users\Sascha\Documents

28/03/2013 15:53 Mijn afbeeldingen [C:\Users\Sascha\Pictures]
28/03/2013 15:53 Mijn muziek [C:\Users\Sascha\Music]
28/03/2013 15:53 Mijn video's [C:\Users\Sascha\Videos]
 0 File(s) 0 bytes

 Directory of C:\Windows\System32\config\systemprofile

02/06/2013 11:09 Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
02/06/2013 11:09 Cookies [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies]
02/06/2013 11:09 Local Settings [C:\Windows\system32\config\systemprofile\AppData\Local]
02/06/2013 11:09 Menu Start [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
02/06/2013 11:09 Mijn documenten [C:\Windows\system32\config\systemprofile\Documents]
02/06/2013 11:09 NetHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/06/2013 11:09 Netwerkprinteromgeving [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/06/2013 11:09 Recent [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent]
02/06/2013 11:09 SendTo [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo]
02/06/2013 11:09 Sjablonen [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local

02/06/2013 11:09 Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
02/06/2013 11:09 Geschiedenis [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History]
02/06/2013 11:09 Temporary Internet Files [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files]
 0 File(s) 0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu

02/06/2013 11:09 Programma's [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
 0 File(s) 0 bytes

 Directory of C:\Windows\System32\config\systemprofile\Documents

02/06/2013 11:09 Mijn afbeeldingen [C:\Windows\system32\config\systemprofile\Pictures]
02/06/2013 11:09 Mijn muziek [C:\Windows\system32\config\systemprofile\Music]
02/06/2013 11:09 Mijn video's [C:\Windows\system32\config\systemprofile\Videos]
 0 File(s) 0 bytes

 Directory of C:\Windows\SysWOW64\config\systemprofile

02/06/2013 11:09 Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
02/06/2013 11:09 Cookies [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies]
02/06/2013 11:09 Local Settings [C:\Windows\system32\config\systemprofile\AppData\Local]
02/06/2013 11:09 Menu Start [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
02/06/2013 11:09 Mijn documenten [C:\Windows\system32\config\systemprofile\Documents]
02/06/2013 11:09 NetHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/06/2013 11:09 Netwerkprinteromgeving [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/06/2013 11:09 Recent [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent]
02/06/2013 11:09 SendTo [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo]
02/06/2013 11:09 Sjablonen [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates]
 0 File(s) 0 bytes

 Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local

02/06/2013 11:09 Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
02/06/2013 11:09 Geschiedenis [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History]
02/06/2013 11:09 Temporary Internet Files [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files]
 0 File(s) 0 bytes

 Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu

02/06/2013 11:09 Programma's [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
 0 File(s) 0 bytes

 Directory of C:\Windows\SysWOW64\config\systemprofile\Documents

02/06/2013 11:09 Mijn afbeeldingen [C:\Windows\system32\config\systemprofile\Pictures]
02/06/2013 11:09 Mijn muziek [C:\Windows\system32\config\systemprofile\Music]
02/06/2013 11:09 Mijn video's [C:\Windows\system32\config\systemprofile\Videos]
 0 File(s) 0 bytes

 Total Files Listed:
 0 File(s) 0 bytes
 83 Dir(s) 535 815 933 952 bytes free

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F} deleted successfully
HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F} deleted successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D970ED5-3EDA-438D-BFFD-715931E2775B} deleted successfully
HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D970ED5-3EDA-438D-BFFD-715931E2775B} deleted successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D970ED5-3EDA-438D-BFFD-715931E2775B} deleted successfully
HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D970ED5-3EDA-438D-BFFD-715931E2775B} deleted successfully
HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{8DCB7100-DF86-4384-8842-8FA844297B3F} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Approved Extensions\{1D970ED5-3EDA-438D-BFFD-715931E2775B} deleted successfully

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\Sascha\AppData\Roaming\Mozilla\Firefox\Profiles\a5sw9dkx.default

---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);

---- Lines browser.startup.page modified from prefs.js ----

---- Lines browser.startup.page removed from user.js ----

---- FireFox user.js and prefs.js backups ----
user_20131407_2201_.backup
prefs_20131407_2201_.backup

==== Deleting Files \ Folders ======================

"C:\Windows\assembly\GAC_32\Desktop.ini" deleted
"C:\Windows\assembly\GAC_64\Desktop.ini" deleted
"C:\Users\Sascha\Downloads\adt-bundle-windows-x86_64-20130219.zip" deleted
"C:\END" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\@" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\@" deleted
"C:\$Recycle.Bin\S-1-5-21-2238381935-3211259191-2922195587-1001\$49211f22e94c00b724097290694f3e5b\@" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b" deleted
"C:\$Recycle.Bin\S-1-5-21-2238381935-3211259191-2922195587-1001\$49211f22e94c00b724097290694f3e5b" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\L" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\U" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\L" deleted
"C:\$Recycle.Bin\S-1-5-18\$49211f22e94c00b724097290694f3e5b\U" deleted
"C:\$Recycle.Bin\S-1-5-21-2238381935-3211259191-2922195587-1001\$49211f22e94c00b724097290694f3e5b\L" deleted
"C:\$Recycle.Bin\S-1-5-21-2238381935-3211259191-2922195587-1001\$49211f22e94c00b724097290694f3e5b\U" deleted
"C:\Program Files (x86)\MyPC Backup" deleted

==== Registry Search Results for "$49211f22e94c00b724097290694f3e5b" ======================

[HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\$Recycle.Bin\\S-1-5-21-2238381935-3211259191-2922195587-1001\\$49211f22e94c00b724097290694f3e5b\\n."

[HKEY_USERS\S-1-5-18\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
@="C:\\$Recycle.Bin\\S-1-5-21-2238381935-3211259191-2922195587-1001\\$49211f22e94c00b724097290694f3e5b\\n."

==== Firefox Extensions ======================

ProfilePath: C:\Users\Sascha\AppData\Roaming\Mozilla\Firefox\Profiles\a5sw9dkx.default
- Undetermined - C:\Program Files (x86)\IObit Apps Toolbar\FF
- Advanced SystemCare Surfing Protection - %ProfilePath%\extensions\ascsurfingprotection@iobit.com

==== Firefox Plugins ======================

Profilepath: C:\Users\Sascha\AppData\Roaming\Mozilla\Firefox\Profiles\a5sw9dkx.default
0C8597DBC74AAF5179471BA013E3C6B4 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll - Shockwave Flash
2EE9DCAE1D70ABF4D058688DE35F8221 - C:\Windows\SysWOW64\npDeployJava1.dll - Java Deployment Toolkit 7.0.250.16
F13A0DF244CED22684AF1ECAAA5983BF - C:\ProgramData\Kortingzoeker\FFExtension20130413224656\plugins\npdf.dll - MoneyMillionaire plugin
0B31B0F8FA99CFD009C8FBEA9E20C9DE - C:\Users\Sascha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll - Facebook Video Calling Plugin
3A57A288F098188E92C6B0309CBC50B2 - C:\Windows\SysWOW64\npmproxy.dll - Microsoft® Windows® Operating System

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
nfengeggddojhakldhlpjdlddgkkjkdd - C:\Program Files (x86)\IObit\Advanced SystemCare 6\BrowerProtect\ASC_GhromePluginFor6.crx[22/04/2013 19:02]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://acer13.msn.com"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{1D2991F5-7C73-4DFF-A028-C93E7A8C7646}"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://acer13.msn.com"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{1D2991F5-7C73-4DFF-A028-C93E7A8C7646} Unknown Url="Not_Found"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2238381935-3211259191-2922195587-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1D2991F5-7C73-4DFF-A028-C93E7A8C7646} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Sascha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Sascha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\users\Sascha\AppData\Local\Mozilla\Firefox\Profiles\a5sw9dkx.default\Cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Sascha\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on zo 14/07/2013 at 22:17:04,87 ======================