Download Link:
hxxp://setup.advancedcleaner.com/files/ ... taller.exe
File Name: ADCFreeInstaller.exe
VirusTotal Result: 23/32 (71.88%)
AntiVir 7.6.0.85 2008.04.11 SPR/Dldr.AdvancedCleaner.C.9
Avast 4.8.1169.0 2008.04.13 Win32:Adware-gen
AVG 7.5.0.516 2008.04.12 Potentially harmful program Downloader.NA
CAT-QuickHeal 9.50 2008.04.12 Downloader.AdvancedCleaner.c (Not a Virus)
DrWeb 4.44.0.09170 2008.04.12 Trojan.Winfixer
eSafe 7.0.15.0 2008.04.09 ????????????????????
eTrust-Vet 31.3.5692 2008.04.11 Win32/VMalum.CMGP
Ewido 4.0 2008.04.13 Not-A-Virus.Downloader.Win32.AdvancedCleaner.c
FileAdvisor 1 2008.04.13 Low threat detected
Fortinet 3.14.0.0 2008.04.13 Download/AdvancedCleaner
Ikarus T3.1.1.26 2008.04.13 not-a-virus:Downloader.Win32.AdvancedCleaner.c
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:Downloader.Win32.AdvancedCleaner.c
McAfee 5272 2008.04.11 Downloader.gen.a
NOD32v2 3021 2008.04.12 Win32/Adware.AdvancedCleaner
Norman 5.80.02 2008.04.12 W32/DLoader.FOGS
Panda 9.0.0.4 2008.04.12 Adware/AdvancedCleaner
Prevx1 V2 2008.04.13 Heuristic: Suspicious File With Bad Child Associations
Sophos 4.28.0 2008.04.13 AdvancedCleaner Downloader
Sunbelt 3.0.1041.0 2008.04.12 AdvancedCleaner
Symantec 10 2008.04.13 AdvancedCleaner
TheHacker 6.2.92.276 2008.04.12 Aplicacion/AdvancedCleaner.c
VBA32 3.12.6.4 2008.04.13 Hoax-Downloader.Win32.AdvClean
Webwasher-Gateway 6.6.2 2008.04.11 Riskware.Dldr.AdvancedCleaner.C.9
File Info:
File size: 121120 bytes
MD5...: 81cf9b2ff076e1bb16b8c4c2f2e9473c
SHA1..: 0e269e039d42b54450f69d79781badd16a1d3d4c
SHA256: abd96ab1a094c0497974690ede9d173de6db70a6531c78c97ecb4c21494bbd52
SHA512: 5b1906671d91a1da408077853f609abd0f7025763e085f1502aeb4c6dfbd52ae0d4b46f3fa485818277b5a2c3e07731a1586abaf5379d41936e01a58b25a3985
PEiD..: -
PE Structure information:
Base Data:
Entry Point Address.: 0x406605
Time Date Stamp.....: 0x47023645 (Tue Oct 02 12:15:01 2007)
Machine Type.......: 0x14c (I386)
PE Sections (viradd = virtual address, virsiz = virtual size, rawdsiz = raw data size, ntrpy = entropy on a 0 to 8 scale):
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x8cc1   0x8e00   6.37   4fff12779ebea5671f7a28486c2adbdd
.rdata  0xa000   0x1424   0x1600   4.67   10d68122e5ebf4a565313a3a1dc4971f
.data   0xc000   0x6550   0x200    1.58   4d3e20875fbd622b34a6e189dd6deee8
.CRT    0x13000  0x4      0x200    0.06   4f1a9ed80abf6e61f00b69bea360239e
.rsrc   0x14000  0x11800  0x11800  5.96   ec22d3bb93b459c71fe95218dd06025d
( 9 imports )
> SHLWAPI.dll: StrStrW
> iphlpapi.dll: GetAdaptersInfo
> COMCTL32.dll: -
> WININET.dll: HttpOpenRequestW, HttpAddRequestHeadersW, HttpSendRequestW, InternetReadFile, InternetOpenW, InternetSetOptionW, InternetOpenUrlW, HttpQueryInfoW, InternetCloseHandle, InternetCrackUrlW, InternetGetCookieW, InternetConnectW
> KERNEL32.dll: GetSystemTime, GetPrivateProfileIntW, WideCharToMultiByte, GetVolumeInformationW, HeapAlloc, GetProcessHeap, HeapReAlloc, HeapFree, WriteFile, GetLastError, SetFilePointer, FlushFileBuffers, lstrcmpW, SetEndOfFile, GetFileAttributesW, CreateDirectoryW, GetPrivateProfileStringW, GetTickCount, Sleep, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, GetExitCodeProcess, WaitForSingleObject, FreeLibrary, LoadLibraryW, GetVersionExW, CreateThread, FreeResource, LockResource, LoadResource, SizeofResource, FindResourceW, Thread32Next, OpenThread, TerminateThread, Thread32First, CreateToolhelp32Snapshot, GetCurrentThreadId, GetCurrentProcessId, SetUnhandledExceptionFilter, CreateMutexW, ExitProcess, GetPrivateProfileSectionNamesW, GetTempPathW, lstrcpyW, ResumeThread, SetEvent, CreateEventW, MulDiv, MultiByteToWideChar, GetModuleHandleW, lstrlenA, lstrlenW, lstrcmpiW, UnmapViewOfFile, GetFileSize, CreateFileMappingW, MapViewOfFileEx, CreateFileW, ReadFile, CloseHandle, InterlockedExchange, lstrcatW
> USER32.dll: LoadCursorW, DialogBoxParamW, MessageBoxW, PostThreadMessageW, PeekMessageW, ReleaseCapture, SetCapture, LoadBitmapW, SetWindowRgn, DrawTextW, FillRect, ShowWindow, PostQuitMessage, GetClientRect, SetCursor, PtInRect, SetWindowLongW, EndDialog, GetWindowDC, ReleaseDC, ScreenToClient, SetWindowPos, GetDlgItem, LoadIconW, InvalidateRect, DefWindowProcW, PostMessageW, wsprintfW, SendMessageW, LoadStringW, GetWindowRect, GetParent
> GDI32.dll: DeleteDC, CreateFontIndirectW, BitBlt, DeleteObject, StretchBlt, SetBkMode, CreatePatternBrush, GetTextExtentPointW, SetStretchBltMode, SetDIBits, GetMapMode, SelectObject, CreateCompatibleBitmap, CreateBitmap, CreateCompatibleDC, DPtoLP, CombineRgn, CreateEllipticRgn, CreateRectRgn, GetDIBits, GetObjectW, SetTextColor, SetBkColor, SetMapMode
> ADVAPI32.dll: RegCloseKey, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW
> SHELL32.dll: ShellExecuteExW, Shell_NotifyIconW, ShellExecuteW, SHGetFolderPathW
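Static triage notes, as an added example that is not part of the original report or the sandbox's output: the script below takes the section table and the import list printed above and turns them into the checks an analyst would run by hand (entropy, virtual/raw size mismatch, share of the file held in .rsrc, and which capability groupings the imports cover). SECTIONS, FILE_SIZE and IMPORTS are transcribed from the report (IMPORTS only for the DLLs the groupings consult); the 7.0 entropy threshold, the 4x size ratio and the API_GROUPS table are this example's own assumptions about what is worth flagging, not statements made by the report.

```python
"""Added example, not the report's own tooling: static triage over the PE
section table and import list printed above.  SECTIONS, IMPORTS and
FILE_SIZE are transcribed from the report (IMPORTS only for the DLLs the
groupings consult); the thresholds and API_GROUPS are this example's own
assumptions about what is worth flagging, not claims made by the report."""
from dataclasses import dataclass

FILE_SIZE = 121120  # bytes, from "File size" above


@dataclass(frozen=True)
class Section:
    name: str
    virt_addr: int   # viradd
    virt_size: int   # virsiz
    raw_size: int    # rawdsiz
    entropy: float   # ntrpy, 0..8 scale


SECTIONS = [
    Section(".text",  0x1000,  0x8cc1,  0x8e00,  6.37),
    Section(".rdata", 0xa000,  0x1424,  0x1600,  4.67),
    Section(".data",  0xc000,  0x6550,  0x200,   1.58),
    Section(".CRT",   0x13000, 0x4,     0x200,   0.06),
    Section(".rsrc",  0x14000, 0x11800, 0x11800, 5.96),
]

IMPORTS = {
    "iphlpapi.dll": ["GetAdaptersInfo"],
    "WININET.dll": ["HttpOpenRequestW", "HttpAddRequestHeadersW", "HttpSendRequestW",
                    "InternetReadFile", "InternetOpenW", "InternetSetOptionW",
                    "InternetOpenUrlW", "HttpQueryInfoW", "InternetCloseHandle",
                    "InternetCrackUrlW", "InternetGetCookieW", "InternetConnectW"],
    "KERNEL32.dll": ["GetVolumeInformationW", "FindResourceW", "LoadResource",
                     "LockResource", "SizeofResource", "CreateToolhelp32Snapshot",
                     "Thread32First", "Thread32Next", "OpenThread", "TerminateThread",
                     "CreateMutexW", "GetTempPathW", "WriteFile", "CreateFileW"],
    "ADVAPI32.dll": ["RegCloseKey", "RegOpenKeyExW", "RegSetValueExW",
                     "RegCreateKeyExW", "RegQueryValueExW"],
    "SHELL32.dll": ["ShellExecuteExW", "Shell_NotifyIconW", "ShellExecuteW",
                    "SHGetFolderPathW"],
}

# Assumed capability groupings (this example's choice, not the report's).
API_GROUPS = {
    "http_download":    {"InternetOpenUrlW", "InternetReadFile", "HttpSendRequestW"},
    "drop_to_disk":     {"GetTempPathW", "CreateFileW", "WriteFile"},
    "launch_process":   {"ShellExecuteW", "ShellExecuteExW"},
    "registry_write":   {"RegSetValueExW", "RegCreateKeyExW"},
    "thread_kill":      {"CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "TerminateThread"},
    "host_fingerprint": {"GetAdaptersInfo", "GetVolumeInformationW"},
    "embedded_payload": {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
    "cookie_access":    {"InternetGetCookieW"},
}


def high_entropy_sections(sections, threshold=7.0):
    """Sections at or above the threshold usually hold packed or encrypted
    data; no section here reaches it, so the installer is not obviously packed."""
    return [s.name for s in sections if s.entropy >= threshold]


def size_mismatches(sections, ratio=4.0):
    """Sections whose virtual size is at least `ratio` times the raw size.
    A large .data mismatch is normally zero-initialised (BSS-like) data;
    the same pattern in .text would point at an in-memory unpacking stub."""
    return {s.name: round(s.virt_size / max(s.raw_size, 1), 1)
            for s in sections if s.virt_size >= ratio * s.raw_size}


def resource_fraction(sections, file_size):
    """Share of the file held in .rsrc; together with the FindResource/
    LoadResource imports a large share hints at an embedded payload."""
    rsrc = next((s for s in sections if s.name == ".rsrc"), None)
    return rsrc.raw_size / file_size if rsrc else 0.0


def api_hits(imports, groups):
    """Map each capability grouping to the imported names that fall in it."""
    present = {name for names in imports.values() for name in names}
    return {g: sorted(present & apis) for g, apis in groups.items() if present & apis}


def triage(sections=SECTIONS, imports=IMPORTS, file_size=FILE_SIZE):
    hits = api_hits(imports, API_GROUPS)
    return {
        "packed_sections": high_entropy_sections(sections),
        "size_mismatches": size_mismatches(sections),
        "rsrc_fraction": round(resource_fraction(sections, file_size), 2),
        "capabilities": sorted(hits),
        # download + write to disk + execute is the classic downloader shape
        "downloader_like": {"http_download", "drop_to_disk", "launch_process"} <= set(hits),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:18} {value}")
```

Run stand-alone it prints the triage dictionary. Two things the raw table does not say outright are worth noting: .rsrc holds roughly 59% of the 121120-byte file while the binary imports the full FindResource/LoadResource/LockResource/SizeofResource set, and the thread-enumeration imports (CreateToolhelp32Snapshot, Thread32First, OpenThread, TerminateThread) are unusual for an installer whose stated purpose is downloading a product.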
Process Details:
Process ID 1320
Filename C:\ADCFreeInstaller.exe
Filesize 121120 bytes
MD5 81cf9b2ff076e1bb16b8c4c2f2e9473c
Start Reason AnalysisTarget
New Files Created:
\Device\Tcp6
\Device\Tcp
\Device\NetBT_Tcpip_{0265502B-722A-4F96-8FE9-FBF8CF07A39D}
\Device\RasAcd
Opened Files:
C:\Documents and Settings\Administrator\Application Data\Mozilla\registry.dat
C:\Documents and Settings\Administrator\Application Data\Opera\Opera\profile\cookies4.dat
\\.\PIPE\lsarpc
c:\autoexec.bat
Sequence of File System Activity:
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\NetBT_Tcpip_{0265502B-722A-4F96-8FE9-FBF8CF07A39D} (OPEN_ALWAYS)
Open File: C:\Documents and Settings\Administrator\Application Data\Mozilla\registry.dat (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Application Data\Opera\Opera\profile\cookies4.dat (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Mutexes:
Creates Mutex: UADC_0001_D10M0502
Creates Mutex: RasPbFile
Network Activity:
DNS Lookup:
inscan.advancedcleaner.com 85.17.4.104
Download URLs:
hxxp://85.17.4.104/?action=1&type=exe&p ... 1_D10M0502 (inscan.advancedcleaner.com)
Outgoing connection to remote server: inscan.advancedcleaner.com TCP port 80
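Indicator extraction from the behaviour section, as an added example that is not part of the original report or the sandbox: the parser below reads the "Sequence of File System Activity", "Mutexes" and "Network Activity" blocks above and pulls out what a responder would file (mutex names, DNS answers, the download URL with its host, outbound connections, and touched files grouped by what they are). REPORT is copied verbatim from the report text, including the truncated URL, so the cross-check at the end only compares the URL's visible tail against the mutex names; the path categories and their regexes are this example's own labelling, not the sandbox's.

```python
"""Added example, not part of the original report: a parser for the sandbox
behaviour section above.  REPORT is copied from the report text (the URL is
truncated there and stays truncated here); the path categories and the
mutex/URL cross-check are this example's own assumptions."""
import re
from collections import defaultdict

REPORT = r"""
Sequence of File System Activity:
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\NetBT_Tcpip_{0265502B-722A-4F96-8FE9-FBF8CF07A39D} (OPEN_ALWAYS)
Open File: C:\Documents and Settings\Administrator\Application Data\Mozilla\registry.dat (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Application Data\Opera\Opera\profile\cookies4.dat (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Mutexes:
Creates Mutex: UADC_0001_D10M0502
Creates Mutex: RasPbFile
Network Activity:
DNS Lookup:
inscan.advancedcleaner.com 85.17.4.104
Download URLs:
hxxp://85.17.4.104/?action=1&type=exe&p ... 1_D10M0502 (inscan.advancedcleaner.com)
Outgoing connection to remote server: inscan.advancedcleaner.com TCP port 80
"""

# Line shapes used by this sandbox report format.
FILE_OP = re.compile(r"^(Create/Open File|Open File|Find File|Get File Attributes): (.+?)(?: \(| Flags:|$)")
MUTEX = re.compile(r"^Creates Mutex: (\S+)$")
DNS = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3})$")
URL = re.compile(r"^(hxxps?://\S+)(?: \.\.\. (\S+))? \((\S+)\)$")   # "..." marks an elided part
CONN = re.compile(r"^Outgoing connection to remote server: (\S+) TCP port (\d+)$")

# Assumed path categories (this example's labelling of the report's paths).
CATEGORIES = [
    ("browser_profile", re.compile(r"\\(Mozilla|Opera)\\", re.I)),
    ("ras_dialup",      re.compile(r"\.pbk$|\\Ras\\|RasAcd", re.I)),
    ("lsa_rpc_pipe",    re.compile(r"\\PIPE\\lsarpc$", re.I)),
    ("network_device",  re.compile(r"^\\Device\\(Tcp|NetBT)", re.I)),
]


def categorize(path):
    for label, pattern in CATEGORIES:
        if pattern.search(path):
            return label
    return "other"


def parse_report(text):
    iocs = {"mutexes": [], "dns": {}, "urls": [], "connections": [], "files": defaultdict(list)}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MUTEX.match(line):
            iocs["mutexes"].append(m.group(1))
        elif m := DNS.match(line):
            iocs["dns"][m.group(1)] = m.group(2)
        elif m := URL.match(line):
            url, tail, host = m.groups()
            iocs["urls"].append({"url": url, "truncated": tail is not None,
                                 "visible_tail": tail, "host": host})
        elif m := CONN.match(line):
            iocs["connections"].append((m.group(1), int(m.group(2))))
        elif m := FILE_OP.match(line):
            path = m.group(2)
            bucket = iocs["files"][categorize(path)]
            if path not in bucket:          # the same file is often touched twice
                bucket.append(path)
    iocs["files"] = dict(iocs["files"])
    return iocs


def url_ip_to_name(iocs):
    """Map raw IPs used in download URLs back to the name the sample resolved."""
    by_ip = {ip: name for name, ip in iocs["dns"].items()}
    return {ip: name for ip, name in by_ip.items() if any(ip in u["url"] for u in iocs["urls"])}


def mutex_matches_url_tail(iocs):
    """The report's URL is truncated, so only test whether its visible tail
    is the suffix of a mutex created by the same process."""
    hits = []
    for u in iocs["urls"]:
        if u["visible_tail"]:
            hits += [m for m in iocs["mutexes"] if m.endswith(u["visible_tail"])]
    return hits


if __name__ == "__main__":
    found = parse_report(REPORT)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("url ip -> name:", url_ip_to_name(found))
    print("mutex sharing the URL tail:", mutex_matches_url_tail(found))
```

The cross-check is the part worth keeping: the visible end of the download URL, 1_D10M0502, is the suffix of the mutex UADC_0001_D10M0502, and the raw IP in that URL is the one the sample resolved for inscan.advancedcleaner.com, so the mutex string, the hostname and the IP can all be filed as indicators from this one run.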