Adware.Win32.Downware_0ed34b18c7

by malwarelabrobot on November 5th, 2016 in Malware Descriptions.

not-a-virus:HEUR:AdWare.NSIS.TornTV.gen (Kaspersky), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0ed34b18c7bc8271e9eec2ee5837499a
SHA1: aa9d2cc5273963a13db2c4de1f5ce9512c85f594
SHA256: befd95c8b949ec29410b1968389c9a80de890f581577dbe7b01acca8233cd273
SSDeep: 6144: si1gI9EmFfO91A1Qg8CYuoHqWnPZ2j9NiLNowOv:s1dPfOy8CunPZC9sypv
Size: 262912 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):
No processes have been created.
The Adware injects its code into the following process(es):

%original file name%.exe:3864

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3864 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\MainPackFA2703[1].htm (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7456.tmp (13974 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept3.bmp (784 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\gCo (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj7445.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\gC0 (0 bytes)

Registry activity

The process %original file name%.exe:3864 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\1ClickDownload]
"UID" = "284555269"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\1ClickDownload]
"LastInstall0" = "30553785"

[HKLM\SOFTWARE\Microsoft\Tracing\0ed34b18c7bc8271e9eec2ee5837499a_RASAPI32]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\NSISdl.dll
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\System.dll
9d8ce05f532dc7b5742831ec8a63c2d8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\inetc3.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 372736 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 520192 16592 16896 4.13874 8091b1378d82973015f802c93eb88bab

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 215
69a0a458647b3436892cf9f2f126c252
d6bb4e899911be9bc3d76d10954fc4a1
0cceb43bf4bfbdc58f5a90bffb0d6012
28dcf471727a78755bf75fbe4f3e9521
1bbd5b7272e0348684edbbea962ee5f2
1561a9303536298eeaea4ab712749930
8494573d9cde8480e3342f57b3de1911
75098bd8427ac62d0d2935a1e9839d4c
c2f62500fc6c049cad54bfec31ab5d45
79296123cb3a983f2897ea58411de5e3
8ebc38cc84268e080308d72125e87f87
f221cfbb2bb8351b73de8c0cab165414
5fc7622692ec13a3893315fe73120b75
eb1a83a5875666814ffcec89c3ad9d23
aebda7c9ddaac919bc3f9ab3183ea289
b227a9bfb9825c2b8c59297230aaeac3
492632b789c2a9a5e35c360f5ee95780
9e2bbae241e56c984f398c5f657ea4bc
22ccc6edb6b978cf5de0a9894bab032b
fb68c49d954bcbeac53780483cb51cde
b2bf087539b9641f1a4e2f5df7930dc0
a0eeacd32ace94bb1913e15138e8e9e1
acea608203043a43077b17286f1248a0
810d1532145dcec36b117cae2bf7e911
c75f787090d58b9c7b899a784943fd31

URLs

URL IP
hxxp://files.download1click.ws/MainPackFA2703.exe 64.70.19.203
data.downloadstarter.net 146.148.42.217


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /MainPackFA2703.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: files.download1click.ws
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 04 Nov 2016 16:36:35 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 544
Connection: keep-alive
<html>
<head>
<title>WEBSITE.WS - Your Internet Address For Life™</title>
</head>
<frameset rows="100%,*" border="0" frameborder="0">
<frame src="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" scrolling="auto">
<noframes>
<p> Your browser does not support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://www.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic</a>.</p>
</noframes>
</frameset>
</html>

<<< skipped >>>

The Adware connects to the servers at the following location(s):

%original file name%.exe_3864:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
Gw2.Hw
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp
/(œ
.YwTY.@
<.Fl2
Windows
3.tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s
\1ClickDownload\1ClickDownloader.exe
W3AS,IEC_61131-3_Programming_Industrial_Automation_Systems.exe,
284555269
,IEC_61131-3_Programming_Industrial_Automation_Systems.exe,
\%original file name%.exe
2845552
59532869
184878273
ownload.sweetpacks.com/simsdm/bundle/
ram Files\Internet Explorer\iexplore.exe
-3_Programming_Industrial_Automation_Systems.exe
601.17514
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\Desktop
%Program Files%\1ClickDownload
nsj74E3.tmp
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsj7445.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
hXXp://files.download1click.ws/MainPackFA2703.exe
hXXp://files.download1click.ws/gzip2.exe
hXXp://data.downloadstarter.net/
hXXp://files.download1click.ws/ARURUSetup.exe
hXXp://files.download1click.ws/ARUARSetup.exe
hXXp://files.download1click.ws/BTB0612.exe
hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe
hXXp://files.download1click.ws/FmoodsV21.exe
hXXp://files.download1click.ws/IminentSetup5.exe
hXXp://files.download1click.ws/.exe
hXXp://files.download1click.ws/weatherbugsetup.msi
hXXp://files.download1click.ws/IWantThisSetupRS.exe
hXXp://files.download1click.ws/ciuvoSetup.exe
hXXp://files.download1click.ws/incredibar_install3.exe
hXXp://download.sterkly.com/DropDownDeals-S-Setup_Suite1.exe
hXXp://download.sterkly.com/FreeTwitTube-S-Setup_Suite1.exe
hXXp://download.sterkly.com/yontoo-b2.exe
hXXp://download.sterkly.com/ezLooker-S-Setup_Suite1.exe
hXXp://download.sterkly.com/BestVideoDownloader-S-Setup_Suite2.exe
hXXp://files.download1click.ws/GophotoExtSetup.exe
hXXp://files.download1click.ws/OneClickExt1_filter03.exe
hXXp://files.download1click.ws/OneClickExt1_filter13.exe
Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)
Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
1258947784
3090437
troom,magnet:?xt=urn:btih:6JFWZHSCSI3HBOMDDDWKY44LDVMRW3AS,IEC_61131-3_Programming_Industrial_Automation_Systems.exe,
ocmainpack.exe
302318784
285541566
335873218
436537173
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
302646458
302646452
336200892
302646446
302646450
336200886
302646456
352978092
336200880
1309279403
688522406
IEC_61131-3_Programming_Industrial_Automation_Systems.exe
30553785
VVV.oneclickdownloader.com
sbiectrl.exe
vmtoolsd.exe
prl_cc.exe
coherence.exe
VirtualBox.exe
VBoxSVC.exe
DrWeb
%Program Files%\1ClickDownload\IEC_61131-3_Programming_Industrial_Automation_Systems.magnet
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_3864_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    %Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\MainPackFA2703[1].htm (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\anon.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\1clogo.bmp (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept1.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\decline.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\skip.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\save.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept2.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\NSISdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\inetc3.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7456.tmp (13974 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj74E3.tmp\accept3.bmp (784 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
