File Behavior
ITUN~KA2.EXE has been seen to perform the following behavior:
- Is packed and/or encrypted with a software packer
- Executes a process
- Deletes other executable files from disk
- Registers a dynamic link library (DLL)
- Communicates with other systems over HTTP
- Writes other executable files to disk
- Writes into another process's virtual memory (process hijacking)
- Executes programs stored in temporary folders
- Creates system tray popups, messages, errors and security warnings
- Visits web sites without the user's knowledge
ITUN~KA2.EXE has been the target of the following actions by other programs:
- Executed as a process
- Deleted from disk
- Has code written into its virtual memory by other programs
- Written to disk as a new executable
- Created by processes that appear to check whether security products are intercepting them
- Executed from temporary folders
Country Of Origin
The filename ITUN~KA2.EXE was first seen on Aug 10 2008 in the following geographical regions of the Prevx community:
- on Aug 10 2008
- Germany on Aug 10 2008
File Name Aliases
ITUN~KA2.EXE can also use the following file names:
- LCMQYKE.TMP
- 33335988.EXE
- 07397011.EXE
Filesizes
This file has been seen with the following file size:
Vendor, Product and Version Information
This file has no vendor, product or version information specified in the file header.
File Type
The filename ITUN~KA2.EXE refers to an executable program.
File Activity
One or more files with the name ITUN~KA2.EXE create, delete, copy or move the following files and folders:
- Deletes c:\docume~1\user\locals~1\temp\nsv7.tmp
- Creates c:\docume~1\user\locals~1\temp\nsl9.tmp
- Deletes c:\docume~1\user\locals~1\temp\nslB.tmp
- Creates c:\docume~1\user\locals~1\temp\nslb.tmp\System.dll
- Creates c:\docume~1\user\locals~1\temp\nslb.tmp\inetc.dll
- Creates c:\docume~1\user\locals~1\temp\fetch.tmp
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\1.exe
- Creates c:\docume~1\user\locals~1\temp\2.exe
- Creates c:\docume~1\user\locals~1\temp\3.exe
- Creates c:\docume~1\user\locals~1\temp\4.exe
- Creates c:\docume~1\user\locals~1\temp\5.exe
- Creates c:\docume~1\user\locals~1\temp\6.exe
- Deletes c:\docume~1\user\locals~1\temp\1.exe
- Deletes c:\docume~1\user\locals~1\temp\3.exe
- Deletes c:\docume~1\user\locals~1\temp\5.exe
- Deletes c:\docume~1\user\locals~1\temp\6.exe
- Deletes c:\docume~1\user\locals~1\temp\fetch.tmp
- Deletes c:\docume~1\user\locals~1\temp\nslb.tmp\inetc.dll
- Deletes c:\docume~1\user\locals~1\temp\nslb.tmp\System.dll
- Copies file c:\docume~1\user\locals~1\temp\1.exe to c:\docume~1\user\locals~1\temp\lsass.exe
- Creates folder C:\Program Files\altcmd
- Creates c:\program files\altcmd\altcmd32.dll
- Creates c:\program files\altcmd\altcmd.inf
- Creates c:\program files\altcmd\uninstall.bat
- Deletes c:\windows\system32\2.exe
- Moves c:\docume~1\user\locals~1\temp\2.exe to c:\windows\system32\2.exe
- Creates c:\docume~1\user\locals~1\temp\1A.bat
- Creates folder C:\Program Files\MyExpressSearch
- Creates folder C:\Program Files\MyExpressSearch\My Express Search Toolbar
- Deletes c:\docume~1\user\locals~1\temp\nsb20.tmp
- Creates c:\program files\myexpresssearch\my express search toolbar\basis.xml
- Creates c:\program files\myexpresssearch\my express search toolbar\icons.bmp
- Creates c:\program files\myexpresssearch\my express search toolbar\info.txt
- Creates c:\program files\myexpresssearch\my express search toolbar\mes tiny ass logo.bmp
- Creates c:\program files\myexpresssearch\my express search toolbar\my_express_search.crc
- Creates c:\program files\myexpresssearch\my express search toolbar\my_express_search.dll
- Creates c:\program files\myexpresssearch\my express search toolbar\tbhelper.dll
- Creates c:\program files\myexpresssearch\my express search toolbar\uninstall.exe
- Creates c:\program files\myexpresssearch\my express search toolbar\update.exe
- Creates c:\program files\myexpresssearch\my express search toolbar\version.txt
- Creates c:\program files\myexpresssearch\my express search toolbar\your_logo.png
- Copies file c:\program files\myexpresssearch\my express search toolbar\basis.xml to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\basis.xml
- Copies file c:\program files\myexpresssearch\my express search toolbar\icons.bmp to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\icons.bmp
- Copies file c:\program files\myexpresssearch\my express search toolbar\info.txt to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\info.txt
- Copies file c:\program files\myexpresssearch\my express search toolbar\mes tiny ass logo.bmp to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\mes tiny ass logo.bmp
- Copies file c:\program files\myexpresssearch\my express search toolbar\my_express_search.crc to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\my_express_search.crc
- Copies file c:\program files\myexpresssearch\my express search toolbar\uninstall.exe to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\uninstall.exe
- Copies file c:\program files\myexpresssearch\my express search toolbar\update.exe to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\update.exe
- Copies file c:\program files\myexpresssearch\my express search toolbar\version.txt to c:\documents and settings\user\local settings\temp\{6226ba26-c017-4007-928c-de9715c6fa67}\version.txt
Registry Activity
One or more files with the name ITUN~KA2.EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar CurrentLayout value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar SendReports value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar Height [REG_DWORD, value: 00000016]
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar RTL value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar rtime [REG_DWORD, value: 48A28A80]
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar DeskbarMode value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar FirstRun value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN iexplore.exe value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar toolbar_id {1803B1B9-878A-4eaf-A88F-0FDA88FC15C4}
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar updateXML 1
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar SendReports value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar toolbar_version My Express Search Toolbar 1.0.0
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar firstTime 1
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar force_parse_events value:
- HKEY_CURRENT_USER\Software\TBSB06009\Toolbar TBShow 1
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
Website Activity
One or more files with the name ITUN~KA2.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Remote server connection to ff9e3d .inf
- Remote server connection to codecsystem .co
- Remote server connection to myexpresssearch .co
- Remote server connection to admin .waverevenue .co
- Port 80 IP:66.197.149.41
- Port 80 IP:66.232.97.18
- Port 80 IP:64.191.125.245
- Port 80 IP:194.90.224.86
- Port 80 IP:62.90.134.24
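The three indicator lists above (file paths under File Activity, keys under Registry Activity, and the IP addresses under Website Activity) are what a responder would turn into a log check. The Python below is an added example written for this page, not Prevx's code or output. It takes those indicators, expands the sandbox's 8.3 short names (docume~1, locals~1) to the long names the same listing uses for the toolbar copies, wildcards the sandbox account name "user", folds the HKU\<SID> form that Sysmon records for per-user keys onto HKEY_CURRENT_USER, and runs the result over a few constructed Sysmon-style events. The "Key=Value, Key=Value" line layout, the account name alice, the SID and the benign destination address are all invented for the sample. It goes one step beyond the page with a general rule that flags any lsass.exe outside %SystemRoot%\System32, since the listing's copy of 1.exe to Temp\lsass.exe is a masquerade of a system binary. The domain names on the page are deliberately truncated and are not used; the IP addresses date from 2008 and should be treated as low-confidence indicators.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the File Activity, Registry Activity and Website
# Activity lists above. Paths are the sandbox's 8.3 short forms and are
# normalised below so a log written with long names still matches.
FILE_IOCS = [
    r"c:\docume~1\user\locals~1\temp\lsass.exe",
    r"c:\windows\system32\2.exe",
    r"c:\program files\altcmd\altcmd32.dll",
    r"c:\program files\myexpresssearch\my express search toolbar\tbhelper.dll",
    r"c:\program files\myexpresssearch\my express search toolbar\my_express_search.dll",
]
REG_IOC_PREFIX = r"hkey_current_user\software\tbsb06009\toolbar"
IP_IOCS = {"66.197.149.41", "66.232.97.18", "64.191.125.245",
           "194.90.224.86", "62.90.134.24"}

# 8.3 names seen in the listing, mapped to the long names the same listing
# uses elsewhere (c:\documents and settings\user\local settings\temp).
SHORT_NAMES = {"docume~1": "documents and settings", "locals~1": "local settings"}


def normalize_path(path: str) -> str:
    """Lower-case, unify slashes and expand the two 8.3 names above."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for short, long in SHORT_NAMES.items():
        p = p.replace(short, long)
    return p


def path_pattern(sandbox_path: str) -> re.Pattern:
    """Turn a sandbox path into a regex. The segment after 'documents and
    settings' is the sandbox account ('user'); real victims have a different
    profile name, so that segment becomes a wildcard (an assumption here)."""
    parts = normalize_path(sandbox_path).split("\\")
    out = []
    for i, part in enumerate(parts):
        if i > 0 and parts[i - 1] == "documents and settings":
            out.append(r"[^\\]+")
        else:
            out.append(re.escape(part))
    return re.compile("^" + r"\\".join(out) + "$")


FILE_PATTERNS = [path_pattern(p) for p in FILE_IOCS]


def normalize_registry(key: str) -> str:
    """Sysmon logs per-user keys as HKU\\<SID>\\...; fold that and the HKCU
    abbreviation onto the HKEY_CURRENT_USER form used in the listing."""
    k = key.strip().lower()
    k = re.sub(r"^hku\\s-1-5-[0-9-]+\\", r"hkey_current_user\\", k)
    k = re.sub(r"^hkcu\\", r"hkey_current_user\\", k)
    return k


def parse_line(line: str) -> Dict[str, str]:
    """Parse the constructed 'Key=Value, Key=Value' layout used below."""
    fields = {}
    for chunk in line.split(", "):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits = []
    target = event.get("TargetFilename")
    if target:
        norm = normalize_path(target)
        if any(p.match(norm) for p in FILE_PATTERNS):
            hits.append("file-ioc")
        # Generalisation beyond the page: lsass.exe legitimately lives only in
        # %SystemRoot%\System32, so a copy anywhere else is masquerading.
        if norm.endswith("\\lsass.exe") and not norm.startswith("c:\\windows\\system32\\"):
            hits.append("lsass-masquerade")
    reg = event.get("TargetObject")
    if reg and normalize_registry(reg).startswith(REG_IOC_PREFIX):
        hits.append("registry-ioc")
    if event.get("DestinationIp") in IP_IOCS:
        hits.append("network-ioc")
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, hits) for every line that matched at least one rule."""
    results = []
    for line in lines:
        hits = classify(parse_line(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed sample events in a simplified Sysmon-like layout (not real logs;
# the account name, SID and benign IP are invented).
SAMPLE_LOG = [
    r"EventID=11, Image=C:\DOCUME~1\alice\LOCALS~1\Temp\ITUN~KA2.EXE, TargetFilename=C:\Documents and Settings\alice\Local Settings\Temp\lsass.exe",
    r"EventID=11, Image=C:\Windows\System32\services.exe, TargetFilename=C:\Windows\System32\lsass.exe",
    r"EventID=11, Image=C:\DOCUME~1\alice\LOCALS~1\Temp\2.exe, TargetFilename=C:\Program Files\altcmd\altcmd32.dll",
    r"EventID=13, Image=C:\DOCUME~1\alice\LOCALS~1\Temp\1.exe, TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\TBSB06009\Toolbar\TBShow",
    r"EventID=3, Image=C:\DOCUME~1\alice\LOCALS~1\Temp\1.exe, DestinationIp=66.232.97.18, DestinationPort=80",
    r"EventID=3, Image=C:\Program Files\Internet Explorer\iexplore.exe, DestinationIp=93.184.216.34, DestinationPort=80",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line[:80])
```

scan() returns the matching lines with their rule names; the second sample line (the real lsass.exe under System32) produces no hit, which is the check that the masquerade rule does not fire on the legitimate binary.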