not-a-virus.AdWare.Win32.AdLoad.cbys_7ed96b6b67

by malwarelabrobot on December 15th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.AdLoad.cbys (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7ed96b6b6716f335a2a846ae95c66e6d
SHA1: 1f3107af9690e39f82099b7aa7fb66888dfb0eb1
SHA256: e22a92221a93094ad747337b5f817c8d1d4b5760bd5decc9538a7ce1207e765c
SSDeep: 49152:B1nULKB0btfWI7RsNa4gYAOZc4jlHKwF2t IK2/TaLBp4EU:BdtqsI7RsNa4sOZc4jlHKwk/U/U
Size: 2185519 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

run-setup.exe:1336
%original file name%.exe:2016
SevenZip_Setup.exe:928

The not-a-virus injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process run-setup.exe:1336 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (671 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SevenZip_Setup.exe (40528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)

The not-a-virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)

The process %original file name%.exe:2016 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

The not-a-virus deletes the following file(s):

The process SevenZip_Setup.exe:928 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\timestamp[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (225 bytes)

Registry activity

The process run-setup.exe:1336 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 4F 43 35 D5 76 4E FB 22 20 1F 38 84 F0 7E FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:2016 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AF DB 99 FF 47 22 4A 03 B7 FD 4A B3 0E B7 BD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"run-setup.exe" = "run-setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The not-a-virus modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process SevenZip_Setup.exe:928 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 26 87 27 30 D3 56 64 D0 78 42 19 EC 73 DE 63"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The not-a-virus modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The not-a-virus modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The not-a-virus modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                              | File path
b9794225748afb2525ffac7bbbc7a387 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SevenZip_Setup.exe
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name   | Virtual Address | Virtual Size | Raw Size | Entropy  | Section MD5
.text  | 4096            | 74526        | 74752    | 4.54396  | a8692f5ba740240ef0f9a827376f76f9
.rdata | 81920           | 7445         | 7680     | 3.46159  | d4f36accffde0bf520f52486679ccf0d
.data  | 90112           | 96036        | 512      | 2.46008  | b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT   | 188416          | 32           | 512      | 0.273198 | 439411041ee0b8261668525c5c132cd9
.rsrc  | 192512          | 16656        | 16896    | 3.23905  | aa3a7d7ff24a928d00c7a73daacad998

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 439
01d8f21bdcf3f33cfd44b21cda45bbe1
080d7e74c49edc85c7f6ccf3d8616611
aaf4423dd074b8106e305632e6d64be2
65e4280f1ded384038fd30f88508d4e0
8a1b30a4c3845736d382278d30db1f66
3a154551bb5e5badfa1407a16c1444e9
9cbc3bd4f3109115c31cb030a37fc779
b35b2a682bd0b6418f0833a4a146fc3a
6743bd9e045b6ac6552dc0988afb1040
6a1633a9f055b93be88515fc88471c3c
bcb62e2c0201537a919a023fd8bd0c76
15d26afe16056a0c1e451902f8031d80
871e7d52b5615add0aaee0566123ee42
eb108dd5a482222f471803126004c75d
62b772f959ee84a244a1ebca4734a15c
8f16619a1e9f5140e494bf8047ccef14
23865ff029e65fae0db1f73c2df34b85
c0337f81961e826cdca238240015f9b0
abfce0d030f822bd164fcd00d6a59027
7a4fb066dec36bc6b6d9c138c197daf3
ca1f33580de7375b728d44371a497764
cd62699f7fd3baec87754c4004f891f9
3493e993a11d908fdd1143035cc9ab35
7c094695a717c8550be437979bd412bb
fdce746cd7ec071713f57ed7918b2a54

URLs

URL | IP
hxxp://54.235.251.129/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& |
hxxp://54.235.251.129/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E |
hxxp://imp.oi-imp4.com/impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=6&referrer=844 | 54.243.212.97
hxxp://imp.oi-imp4.com/impression.do/?event=loader_start&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1 | 54.243.212.97
hxxp://54.235.251.129/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) |
hxxp://imp.oi-imp4.com/impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=1013760&referrer=5266 | 54.243.212.97
hxxp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) |
hxxp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& |
hxxp://secure.oi-installer5.com/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E |


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) HTTP/1.1
User-Agent: d
Host: secure.oi-installer5.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 1013760
Content-Type: application/octet-stream
Expires: -1
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=SevenZip_Setup.exe
Access-Control-Allow-Origin: *
Set-Cookie: wakenet=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910; expires=Mon, 15-Dec-2014 12:43:00 GMT; path=/
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
..x....ABAAAEAAA..AA.AAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAO^
.OA.H.`.@..`.)(2a13.&3 ,a" //.5a#$a34/a(/a...a,.%$oLLKeAAAAAAAb).t&H.'
&H.'&H.'/0]'*H.'..H''H.'8.K'9H.'8.]'.H.'&H.'.J.'/0M'.H.'8.Z'.H.'8.J''H
.'8.O''H.'.(")&H.'[email protected]@[email protected]
AQAAA.HAAA.AAQAAACAADAAAAAAADAAAAAAAAAQAAEAA.rQACA..AAQAAQAAAAQAAQAAAA
AAQAAAAAAAAAAA..JA.@AAA!MAQ.CAAAAAAAAAAAAAAAAAAANA..AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAI.KA.AAAAAAAAAAAA.HA.FAAE.JA.AAAAAAAAAAAAAAAAAAAo5$95A
AAhgHAAQAAAiHAAEAAAAAAAAAAAAAAaAA!o3% 5 AAY.CAA.HAA.CAAmHAAAAAAAAAAAAA
.AA.o% 5 AAA..AAA.JAAyAAA.JAAAAAAAAAAAAA.AA.o323"AAAQ.CAA!MAA.CAA.JAAA
AAAAAAAAAA.AA.o3$-."AA%.AAAANAA.AAA.OAAAAAAAAAAAAA.AA.AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..M....N.Q...>[email protected]
[email protected]@5F....EA.....EA....4U.4Q.4M.4I...
GA..I..Q......4U.4Q.4M.4I...GA..I..Q.......Q........qIA....I..........
.EA.........A4e A.....qIA..A4L.D...A....A.G.....qIA.G.......... A.....
qIA..E...2E...E.....qIA........... A.....qIA..E..7H...2E...E.6E..Z....
..b...qIA.......@...A......sIA.G.bpIA.............eE....I.O.-.......EA
.H..5P.......5I.Q @...S..H..5eIz0M2I..I.E..Cr...4Xy.U5U..qIAz1M2I..I.E
[email protected].$.

<<< skipped >>>

GET /o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& HTTP/1.0
Host: secure.oi-installer5.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 437104
Content-Type: application/octet-stream
Expires: -1
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=SevenZip_Setup.exe
Access-Control-Allow-Origin: *
Set-Cookie: wakenet=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910; expires=Mon, 15-Dec-2014 12:42:56 GMT; path=/
Date: Sun, 14 Dec 2014 12:42:56 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......).R.m.<.m
.<.m.<.s...{.<.s.....<.d...j.<.m.=...<.s.....<.s.
..l.<.s...l.<.Richm.<.........PE..L....{.T...................
..........][email protected]............
...........................D?..P........K..............p..............
.............................P...@....................................
........text............................... ..`.rdata.................
.............@[email protected][email protected][email protected]...
....L...J..............@..@...........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......U..j.h.|B.d.....P........UC.3..E.P.E.d.......d.......hx.B..M..n
....E.....h..B..M..Z....E...E......}..u..E..E....M..M..E..h,.B..M..*..
..E...E......E......E......E........U.....U..M..g8..9E.......j..E.P..h
...Q.M........`.....`.....\....E....\...P.M..T....E....h....%.....M...
u?h0.B..U.R..$..........u.h4.B..M.Q..$..........t..E...E..E..V....}..~
..M. M..M../h8.B..U.R..$..........t..M.....M....E...........U.;...B.tQ
.E. E.P.M.Q.U.R.M........d........d....E...M..a....E...M..U....E..

<<< skipped >>>

GET /impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=6&referrer=844 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E HTTP/1.1
User-Agent: d
Host: secure.oi-installer5.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Date: Sun, 14 Dec 2014 12:42:59 GMT
Connection: close
Content-Length: 6
200 OK..


GET /impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=1013760&referrer=5266 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:05 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


GET /impression.do/?event=loader_start&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx.b...?@....... .t.....IEND.B`...


The not-a-virus connects to the servers at the following location(s):

run-setup.exe_1336:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe"
ip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {
({,{<{*;
.OQv]y
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
SevenZip_Setup.exe
SEVENZ~1.EXE
SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\ii_start.txt
evenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
ip_Setup.exe
taller5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
"D:\run-setup.exe"
run-setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
D:\run-setup.exe
hXXp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

SevenZip_Setup.exe_928:

.text
`.rdata
@.data
.rsrc
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
InternetOpenUrlA
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
WININET.dll
KERNEL32.dll
USER32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
Program: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe
77:,,.99;::<779::<((*
334//1;;=88:557<<>
__`**,99;=<>((*
..0556;;=002
** 76754453252152/51-71-1,)::<
)) 88:557668--/
##ˆ:55788:&&(
--.77999:'')
)),99:;;=--/
...yxxx
.lG!V
=U.bc=
.ECCC
;w.mmm
VVV.inkscape.org
43.jdbX
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>
</security><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><asmv3:application><asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings"><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></asmv3:windowsSettings></asmv3:application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
hXXp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
hXXp://secure.oi-installer5.com/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E ^^^^^^^^^^^^
min.0.0.19
hXXp://secure.oinstaller6.com/o/7zip/setup.exe?&subid=self&tmpvar=00000000&mode=dlshift&adprovider=default
hXXp://imp.oi-imp4.com/impression.do/?event=
wininet.dll
Kernel32.dll
ntdll.dll
msvcrt.dll
10&referrer=%d
min_ldrf_exes
min_ldrf_exef
min_ldrf_rsrc_url
bs.exe
KERNEL32.DLL
mscoree.dll
2.4.8.1
2.4.8.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    run-setup.exe:1336
    %original file name%.exe:2016
    SevenZip_Setup.exe:928

  2. Delete the original not-a-virus file.
  3. Delete or disinfect the following files created/modified by the not-a-virus:

    %Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (671 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SevenZip_Setup.exe (40528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\timestamp[1].htm (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (225 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
