Post subject: e65bdeb13b51d56cb57c68e832e1c781 --> TunerSetup.exe
Posted: Wed May 14, 2008 1:33 pm
Site Admin
File Name: TunerSetup.exe
File size: 371647 bytes
MD5...: e65bdeb13b51d56cb57c68e832e1c781
SHA1..: 1b7f3f9345d59759b4517fca5083a7671ab9d094
SHA256: 68b840b4d4ee24899ce7310eadba9b2b5a21f7006db142fa4e8356159f423a34
SHA512: eae648b1f973d483ae63411d757fb2343376087fbeea2826a6893d3ea2e55f40840b92e199ffdd4505c88eb41f489788b787a3f8643cb42d17412826b63c02a1

Scanned on 05.12.2008 09:13:26 (CET)
VirusTotal Result: 10/31 (32.26%)
AntiVir 7.8.0.17 2008.05.11 TR/StartPage.acm
AVG 7.5.0.516 2008.05.11 Worm/Autoit.AYA
ClamAV 0.92.1 2008.05.12 Worm.Autorun-907
F-Secure 6.70.13260.0 2008.05.12 Worm.Win32.AutoRun.dqj
Ikarus T3.1.1.26.0 2008.05.12 Virus.Worm.Win32.AutoRun.dqj
Kaspersky 7.0.0.125 2008.05.12 Worm.Win32.AutoRun.dqj
NOD32v2 3091 2008.05.12 archive damaged
Sophos 4.29.0 2008.05.12 Mal/Generic-A
VBA32 3.12.6.5 2008.05.12 Worm.Win32.AutoRun.dqj
Webwasher-Gateway 6.6.2 2008.05.11 Trojan.StartPage.acm

***** Resources ****************************************************
--- Bitmap ---------------------------------------------------------
101
--- Icon -----------------------------------------------------------
1
2
3
4
5
6
7
8
9
10
--- Dialog ---------------------------------------------------------
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
--- String Table ---------------------------------------------------
7
8
9
10
--- RCData ---------------------------------------------------------
DVCLAL
--- Icon Group -----------------------------------------------------
100
--- XP Manifest ----------------------------------------------------
1


***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 45729E7C
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 05
Linker version (minor): 00
Size of code: 00013000
Size of initialized data: 00018800
Size of uninitialized data: 00000000
Address of entry point: 00001000
Base of code: 00001000
Base of data: 00014000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00032000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00002000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010


***** PE Sections **************************************************
CRC-32: ?
MD5: ?
----- PE Sections --------------------------------------------------
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00013000  00001000  00012E00  00000600  60000020
.data    00007000  00014000  00000A00  00013400  C0000040
.idata   00001000  0001B000  00001000  00013E00  40000040
.rsrc    000152F7  0001C000  00015400  00014E00  40000040


***** Import/Export table ******************************************
--- Export table ---------------------------------------------------
--- Import table (libraries: 8) ------------------------------------
ADVAPI32.DLL (imports: 10)
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
SetFileSecurityA
SetFileSecurityW
KERNEL32.DLL (imports: 67)
CloseHandle
CompareStringA
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
DeleteFileA
DeleteFileW
DosDateTimeToFileTime
ExitProcess
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FreeLibrary
GetCPInfo
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetProcAddress
GetProcessHeap
GetStdHandle
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GlobalAlloc
HeapAlloc
HeapFree
HeapReAlloc
IsDBCSLeadByte
LoadLibraryA
LocalFileTimeToFileTime
MoveFileA
MoveFileExA
MultiByteToWideChar
ReadFile
SetCurrentDirectoryA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
Sleep
SystemTimeToFileTime
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcmpiA
lstrlenA
COMCTL32.DLL (imports: 1)
#17
COMDLG32.DLL (imports: 2)
CommDlgExtendedError
GetOpenFileNameA
GDI32.DLL (imports: 1)
DeleteObject
SHELL32.DLL (imports: 8)
SHBrowseForFolderA
SHChangeNotify
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
USER32.DLL (imports: 52)
CharToOemA
CharToOemBuffA
CharUpperA
CopyRect
CreateWindowExA
DefWindowProcA
DestroyIcon
DestroyWindow
DialogBoxParamA
DispatchMessageA
EnableWindow
EndDialog
FindWindowExA
GetClassNameA
GetClientRect
GetDlgItem
GetDlgItemTextA
GetMessageA
GetParent
GetSysColor
GetSystemMetrics
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
IsWindow
IsWindowVisible
LoadBitmapA
LoadCursorA
LoadIconA
LoadStringA
MapWindowPoints
MessageBoxA
OemToCharA
OemToCharBuffA
PeekMessageA
PostMessageA
RegisterClassExA
SendDlgItemMessageA
SendMessageA
SetDlgItemTextA
SetFocus
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
ShowWindow
TranslateMessage
UpdateWindow
WaitForInputIdle
wsprintfA
wvsprintfA
OLE32.DLL (imports: 5)
CLSIDFromString
CoCreateInstance
CreateStreamOnHGlobal
OleInitialize
OleUninitialize

Process ID 1352
Filename C:\file.exe
Filesize 371647 bytes
MD5 e65bdeb13b51d56cb57c68e832e1c781
Start Reason AnalysisTarget

New Files:
TunerSetup\drives.dat
TunerSetup\Icon.ico
TunerSetup\paths.dat
TunerSetup\svchost.exe
C:\CONFIG\svchost.exe
C:\CONFIG\drives.dat
C:\CONFIG\paths.dat
C:\CONFIG\Icon.ico
C:\CONFIG\spring\autorun.inf
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
Opened Files:
C:\file.exe
C:\file.exe
TunerSetup
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat
C:\CONFIG\drives.dat
C:\WINDOWS\System32\shdocvw.dll
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
\\.\PIPE\wkssvc
C:\CONFIG\driveList.txt
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
Deleted Files:
Chronological Order:
Open File: C:\file.exe (OPEN_EXISTING)
Open File: C:\file.exe (OPEN_EXISTING)
Find File: C:\file.exe
Get File Attributes: TunerSetup\drives.dat Flags: (SECURITY_ANONYMOUS)
Create File: TunerSetup\drives.dat
Set File Attributes: TunerSetup\drives.dat Flags: (SECURITY_ANONYMOUS)
Set File Attributes: TunerSetup Flags: (SECURITY_ANONYMOUS)
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\drives.dat
Set File Attributes: TunerSetup\drives.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Get File Attributes: TunerSetup\Icon.ico Flags: (SECURITY_ANONYMOUS)
Create File: TunerSetup\Icon.ico
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\Icon.ico
Set File Attributes: TunerSetup\Icon.ico Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Get File Attributes: TunerSetup\paths.dat Flags: (SECURITY_ANONYMOUS)
Create File: TunerSetup\paths.dat
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat
Set File Attributes: TunerSetup\paths.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Get File Attributes: TunerSetup\svchost.exe Flags: (SECURITY_ANONYMOUS)
Create File: TunerSetup\svchost.exe
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe
Set File Attributes: TunerSetup\svchost.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Get File Attributes: TunerSetup Flags: (SECURITY_ANONYMOUS)
Open File: TunerSetup (OPEN_EXISTING)
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe ()
Find File: svchost.exe
Find File: C:\DOCUME~1
Find File: C:\DOCUME~1\ADMINI~1
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat (OPEN_EXISTING)
Get File Attributes: C:\CONFIG\drives.dat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\CONFIG Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe to C:\CONFIG\svchost.exe
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\drives.dat Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\drives.dat
Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\drives.dat to C:\CONFIG\drives.dat
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat
Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat to C:\CONFIG\paths.dat
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\icon.ico Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\icon.ico
Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\Icon.ico to C:\CONFIG\Icon.ico
Get File Attributes: C:\CONFIG\spring Flags: (SECURITY_ANONYMOUS)
Find File: C:\CONFIG
Set File Attributes: C:\CONFIG Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Open File: C:\CONFIG\drives.dat (OPEN_EXISTING)
Get File Attributes: c:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: d:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: e:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: f:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: g:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: h:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: i:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: j:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: k:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: l:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: m:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: n:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: o:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: p:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: q:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: r:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: s:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: t:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: u:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: v:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: w:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: x:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: y:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: z:\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\CONFIG\spring\TunerSetup.exe
Get File Attributes: C:\CONFIG\spring\autorun.inf Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\CONFIG\spring\autorun.inf (OPEN_ALWAYS)
Find File: C:\CONFIG\spring\autorun.inf
Set File Attributes: C:\CONFIG\spring\autorun.inf Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\CONFIG\svchost.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk Flags: (SECURITY_ANONYMOUS)
Create File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Music\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\CONFIG\driveList.txt (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk (OPEN_EXISTING)
Get File Attributes: C:\CONFIG\icon.ico Flags: (SECURITY_ANONYMOUS)

Changes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "" = http://www.ultitech.blogspot.com/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "" = present2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "" = C:\CONFIG\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "" = [REG_DWORD, value: 00000000]
Reads:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL ""

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
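The trace in the post above shows the whole AutoRun-worm pattern in one run: a binary named svchost.exe dropped into a hidden+system C:\CONFIG, every drive letter from c: to z: probed for TunerSetup.exe, an autorun.inf written with hidden and system attributes, a .lnk placed in the Startup folder, a policies\Explorer\Run value pointing at the dropped file, a Winlogon value changed, Explorer's SHOWALL forced to 0, HKCU Policies set to 1 and the IE start page redirected. The script below is an added example, not code from the post or from the sandbox that produced the trace: it parses lines in the format shown above (file operations with their Flags/mode suffix, and registry lines of the form `KEY "" = value`) and groups them into those behaviour categories, so the same report can be triaged without reading it line by line. The embedded trace is a constructed subset of the post's (the c:..z: sweep is generated to mirror the 24 probe lines); the category names, the write-operation set and the threshold of 8 probed drive letters are this example's own choices.

```python
"""Triage a sandbox file/registry trace for AutoRun-worm behaviour.

Added example for the TunerSetup.exe post above; not the forum's or any
sandbox vendor's code. Input lines follow the format of the trace in the post.
"""
import re
from collections import defaultdict

# Constructed subset of the post's trace. The c:..z: sweep is generated here to
# mirror the 24 "Get File Attributes: <drive>:\TunerSetup.exe" lines in the post.
_DRIVE_SWEEP = [
    f"Get File Attributes: {d}:\\TunerSetup.exe Flags: (SECURITY_ANONYMOUS)"
    for d in "cdefghijklmnopqrstuvwxyz"
]
SAMPLE_TRACE = [
    r"Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\svchost.exe to C:\CONFIG\svchost.exe",
    r"Set File Attributes: C:\CONFIG Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)",
    *_DRIVE_SWEEP,
    r"Create/Open File: C:\CONFIG\spring\autorun.inf (OPEN_ALWAYS)",
    r"Set File Attributes: C:\CONFIG\spring\autorun.inf Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)",
    r"Create File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk",
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "" = [REG_DWORD, value: 00000001]',
    r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "" = http://www.ultitech.blogspot.com/',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "" = explorer.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "" = C:\CONFIG\svchost.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "" = [REG_DWORD, value: 00000000]',
]

FILE_RE = re.compile(
    r"^(?P<op>(?:Get|Set) File Attributes|Create/Open File|Create File|Open File"
    r"|Copy File|Find File|Set File Time): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^(?P<path>.*?) Flags: \((?P<flags>[^)]*)\)$")
MODE_RE = re.compile(r"^(?P<path>.*?) \((?P<mode>[A-Z_]*)\)$")
REG_RE = re.compile(r'^(?P<key>HK[A-Z_]+\\.*?) "(?P<name>[^"]*)" = (?P<value>.*)$')
DWORD_RE = re.compile(r"\[REG_DWORD, value: ([0-9A-Fa-f]{8})\]")
DRIVE_ROOT_RE = re.compile(r"^([a-z]):\\([^\\]+)$")   # <drive>:\<file>, no subdirectory
WRITE_OPS = {"Create File", "Create/Open File", "Copy File"}   # example's own choice


def parse_event(line):
    """Return a dict for one trace line, or None if the line is not an event."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        d = DWORD_RE.search(m["value"])
        return {"kind": "reg", "key": m["key"], "name": m["name"],
                "value": m["value"], "dword": int(d.group(1), 16) if d else None}
    m = FILE_RE.match(line)
    if not m:
        return None
    ev = {"kind": "file", "op": m["op"], "flags": set(), "mode": None, "dest": None}
    rest = m["rest"]
    f = FLAGS_RE.match(rest)
    if f:                                   # "... Flags: (A,B,C)" suffix
        rest, ev["flags"] = f["path"], set(f["flags"].split(","))
    else:
        mm = MODE_RE.match(rest)            # "... (OPEN_EXISTING)" suffix, possibly empty
        if mm:
            rest, ev["mode"] = mm["path"], mm["mode"]
    if ev["op"] == "Copy File" and " to " in rest:
        rest, ev["dest"] = rest.rsplit(" to ", 1)
    ev["path"] = rest
    return ev


def triage(lines, min_drives=8):
    """Map behaviour category -> evidence. Threshold min_drives is an assumption."""
    hits = defaultdict(list)
    probes = defaultdict(set)   # file name probed at a drive root -> drive letters seen
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "file":
            target = ev["dest"] or ev["path"]     # for Copy File, judge the destination
            low = target.lower()
            root = DRIVE_ROOT_RE.match(ev["path"].lower())
            if ev["op"] == "Get File Attributes" and root:
                probes[root.group(2)].add(root.group(1))
            if ev["op"] in WRITE_OPS and low.endswith("\\autorun.inf"):
                hits["autorun_inf"].append(target)
            if ev["op"] == "Set File Attributes" and {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= ev["flags"]:
                hits["hidden_system"].append(target)
            if ev["op"] in WRITE_OPS and "\\start menu\\programs\\startup\\" in low:
                hits["startup_folder"].append(target)
            # The real svchost.exe lives under %WINDIR%; a copy anywhere else is name masquerading.
            if ev["op"] in WRITE_OPS and low.rsplit("\\", 1)[-1] == "svchost.exe" and "\\windows\\" not in low:
                hits["masquerade"].append(target)
        else:
            k, v, dw = ev["key"].lower(), ev["value"], ev["dword"]
            if k.endswith("\\run") or k.endswith("\\runonce"):
                hits["run_key"].append(f'{ev["key"]} = {v}')
            if "\\winlogon" in k:
                hits["winlogon"].append(f'{ev["key"]} = {v}')
            if ("\\policies\\explorer" in k or "\\policies\\system" in k) and dw == 1:
                hits["policy_restriction"].append(ev["key"])
            if k.endswith("\\showall") and dw == 0:
                hits["hide_hidden_files"].append(ev["key"])
            if "\\internet explorer\\main" in k and v.lower().startswith("http"):
                hits["start_page"].append(v)
    for name, drives in sorted(probes.items()):
        if len(drives) >= min_drives:           # same file name checked at many drive roots
            hits["drive_sweep"].append((name, len(drives)))
    return dict(hits)


if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_TRACE).items():
        print(category)
        for item in evidence:
            print("   ", item)
```

Feed it the full Chronological Order and Changes sections of a report and every category that fires is one line of evidence to carry into the write-up; the drive_sweep count in particular separates a worm's drive enumeration from an installer that merely touches its own directory. The registry value names are missing from the post's Changes lines (they appear as `""`), so the checks key off the parent key path and the DWORD value rather than the value name.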

