zonetf.com (gbot hosted in United States, Scranton Network Operations Center Inc)

DNS Lookup
Host Name                    IP Address
iphonefirmware.com           174.121.193.76
127.0.0.1                    127.0.0.1
zonetf.com                   96.9.169.85
onloneservermonitoring.com   64.191.90.101
www.google.com               209.85.149.106
www.yahoo.com                87.248.122.122
Opened listening TCP connection on port: 55980
Outgoing connection to remote server: iphonefirmware.com TCP port 80
Outgoing connection to remote server: zonetf.com TCP port 80
Outgoing connection to remote server: onloneservermonitoring.com TCP port 80
Outgoing connection to remote server: zonetf.com TCP port 80
Outgoing connection to remote server: zonetf.com TCP port 80
Outgoing connection to remote server: onloneservermonitoring.com TCP port 80
Outgoing connection to remote server: www.google.com TCP port 80
Outgoing connection to remote server: www.yahoo.com TCP port 80

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "conhost" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\conhost.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer "Version"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer "Version"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\10 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\14 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\15 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\16 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\17 "Title"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "ServiceName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "Description"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2 "Title"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

File Changes by all processes
New Files
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\conhost.exe
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CDB2.9CF
\Device\RasAcd
\Device\Tcp
\Device\Ip
\Device\Ip
Opened Files
c:\gbot.exe
\\.\{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
\\.\{1BE68DBD-1099-491C-9BCE-62B99CC6D22C}
\\.\{961DDB9A-5851-427D-8C35-0802698511F8}
\\.\{858E15A6-D897-45C5-A55B-59055F6D8214}
\\.\{AD8D680D-B689-41E2-963F-23220358DB6F}
\\.\{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471}
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CDB2.9CF
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\PIPE\ROUTER
\\.\Ip
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\conhost.exe
\\.\{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
\\.\{1BE68DBD-1099-491C-9BCE-62B99CC6D22C}
\\.\{961DDB9A-5851-427D-8C35-0802698511F8}
\\.\{858E15A6-D897-45C5-A55B-59055F6D8214}
\\.\{AD8D680D-B689-41E2-963F-23220358DB6F}
\\.\{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471}
Deleted Files
Chronological Order
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft Flags: (SECURITY_ANONYMOUS)
Open File: c:\gbot.exe (OPEN_EXISTING)
Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\conhost.exe
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten Flags: (SECURITY_ANONYMOUS)
Open File: \\.\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_EXISTING)
Open File: \\.\{1BE68DBD-1099-491C-9BCE-62B99CC6D22C} (OPEN_EXISTING)
Open File: \\.\{961DDB9A-5851-427D-8C35-0802698511F8} (OPEN_EXISTING)
Open File: \\.\{858E15A6-D897-45C5-A55B-59055F6D8214} (OPEN_EXISTING)
Open File: \\.\{AD8D680D-B689-41E2-963F-23220358DB6F} (OPEN_EXISTING)
Open File: \\.\{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471} (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CDB2.9CF (OPEN_EXISTING)
Create/Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CDB2.9CF (OPEN_ALWAYS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\*.*
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Opera\*.*
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp Flags: (SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\conhost.exe (OPEN_EXISTING)
Open File: \\.\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_EXISTING)
Open File: \\.\{1BE68DBD-1099-491C-9BCE-62B99CC6D22C} (OPEN_EXISTING)
Open File: \\.\{961DDB9A-5851-427D-8C35-0802698511F8} (OPEN_EXISTING)
Open File: \\.\{858E15A6-D897-45C5-A55B-59055F6D8214} (OPEN_EXISTING)
Open File: \\.\{AD8D680D-B689-41E2-963F-23220358DB6F} (OPEN_EXISTING)
Open File: \\.\{8C4ACC8C-8348-4D0D-BAEB-1039D63BB471} (OPEN_EXISTING)

Info about hosting:
http://whois.domaintools.com/96.9.169.85
