File Name: toolbar.exe

VirusTotal Result: 20/32 (62.50%)

Vendor               Version         Updated      Result
AntiVir              7.6.0.85        2008.04.11   ADSPY/Softomat.E.10
avast                4.8.1169.0      2008.04.11   Win32:Adware-gen
AVG                  7.5.0.516       2008.04.11   Adware Generic.ICM
BitDefender          7.2             2008.04.11   Adware.Softomate.E
ClamAV               0.92.1          2008.04.11   Adware.Toolbar-40
DrWeb                4.44.0.09170    2008.04.11   Adware.SideSearch
F-Prot               4.4.2.54        2008.04.11   W32/FinmFM.A@adw
Fortinet             3.14.0.0        2008.04.11   Adware/Softmate
Ikarus               T3.1.1.26.0     2008.04.11   not-a-virus:AdWare.Win32.Mostofate.e
Kaspersky            7.0.0.125       2008.04.11   not-a-virus:AdWare.Win32.Mostofate.e
McAfee               5272            2008.04.11   potentially unwanted program Generic Toolbar
Norman               5.80.02         2008.04.11   Softomate.QC
Panda                9.0.0.4         2008.04.11   Adware/ActiveSearch
Prevx1               V2              2008.04.11   Adware Generic.ICM
Rising               20.39.32.00     2008.04.11   AdWare.Win32.Mostofate.e
Sophos               4.28.0          2008.04.11   SearchIt
Sunbelt              3.0.1032.0      2008.04.08   FindFM Toolbar (v)
Symantec             10              2008.04.11   Adware.CramToolbar
VBA32                3.12.6.4        2008.04.06   AdWare.Win32.Mostofate.e
Webwasher-Gateway    6.6.2           2008.04.11   Ad-Spyware.Softomat.E.10

File Info:
File size: 328704 bytes
MD5...: de6b90e94a0fc21b06e75e6c961b8c91
SHA1..: 1be0a6ed94ff5c16ac1ddd3d4c0a41024d6a5187
SHA256: 1658804e3994f375533269647ba8275ec66309f287009a74df9f1ae27f5ee193
SHA512: 4d8be1ef3b42eecbd3fb53f184ff666554c823584f7982333336b931855a2a1bc637814ae877af30274bb1f6bf59eaddb3157e6875ca4725c4c53334c6d4b227
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 3AB6FA4D
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 011F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00006000
Size of initialized data: 00001000
Size of uninitialized data: 00013000
Address of entry point: 00019200
Base of code: 00014000
Base of data: 0001A000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0001B000
Size of headers: 00001000
Checksum: 0005B768
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
UPX0      00013000   00001000   00000000   00000400   E0000080
UPX1      00006000   00014000   00005400   00000400   E0000040
.rsrc     00001000   0001A000   00000E00   00005800   C0000040

Import table (libraries: 6)
KERNEL32.DLL (imports: 3): LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll (imports: 1): RegCloseKey
GDI32.dll (imports: 1): SetROP2
ole32.dll (imports: 1): CoInitialize
SHELL32.dll (imports: 1): ShellExecuteA
USER32.dll (imports: 1): GetDC

Process Description:
Process ID: 1840
Filename: C:\file.exe
Filesize: 328704 bytes
MD5: de6b90e94a0fc21b06e75e6c961b8c91
Start Reason: AnalysisTarget

File System Activities:
Open File: C:\file.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp
Get File Attributes: C:\WINDOWS\Fonts\Tahoma.ttf Flags: (SECURITY_ANONYMOUS)

New Files/Folder Created:
Folder: C:\Sandbox\Administrator\Test\drive\C\Program Files\FindFM Toolbar
Files (size in bytes):
    3,382   1a.bmp
    9,456   basis.xml
      519   error.html
   36,150   icons.bmp
       67   inst.bat
       52   newversion.txt
      102   toolbar.crc
  593,920   toolbar.dll
    1,121   toolbar.inf
       53   version.txt
Folder: C:\Sandbox\Administrator\Test\drive\C\Program Files\FindFM Toolbar\Cache
Folder: C:\Sandbox\Administrator\Test\user\current\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX

Read INI File:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] ZipSize =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Delete =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] NoGUI =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Debug =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Name =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Exec =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] DefaultPath =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Intro =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] AutoExtract =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] OpenFolder =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] URL =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Author =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE1.tmp [FE] Shortcut0 =

Registry Reads:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ""

When executed, the sample installs the FindFM Toolbar into Internet Explorer. inst.bat registers the DLL toolbar.dll:

    @echo Installing IE Toolbar
    @start regsvr32.exe /s toolbar.dll

toolbar.inf content:

    [version]
    signature="$CHICAGO$"
    AdvancedINF=2.0

    [Add.Code]
    toolbar.dll=toolbar.dll
    basis.xml=basis.xml
    version.txt=version.txt
    1a.bmp=1a.bmp
    icons.bmp=icons.bmp
    error.html=error.html
    toolbar.crc=toolbar.crc

    [toolbar.dll]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=yes

    [basis.xml]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no

    [version.txt]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no

    [1a.bmp]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no

    [icons.bmp]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no

    [error.html]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no

    [toolbar.crc]
    file-win32-x86=thiscab
    clsid={B3724F64-674A-4bcb-8285-6158D3E8792F}
    FileVersion=0,1,0,1
    RegisterServer=no