Trojan-Dropper.Win32.Vtimrun_8dc79bc10c

by malwarelabrobot on March 1st, 2017 in Malware Descriptions.

Worm.Win32.Vobfus.11.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8dc79bc10cbb62c4860443a08d219452
SHA1: 84fa3a94c68450b8e92b920a824ab4e776b80226
SHA256: e0771e1a71533f4e8f4045ce0a3e17e2cf5f1bffd5103ae19c20dd76fdfe9517
SSDeep: 49152:KZLn3WAmzGk8bQfBBfOvMWc02BPzbSH8Uyo1D6mpmAA21SH6kc2h5qqRl/gxEzjE:KZz3WHBNLm8021Vc1DVpC2P26qzusdWb
Size: 3052544 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Heaventools Software
Created at: 2004-08-04 09:01:37
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

In this sample the outer file is Microsoft's Win32 Cabinet Self-Extractor (WEXTRACT.EXE 6.00.2900.2180 from Windows XP SP2, consistent with the 2004-08-04 build timestamp above) whose version resource has been relabelled "HD Player". The cabinet it carries in its .rsrc section is unpacked to %Temp%\IXP000.TMP, and the self-extractor then launches SMPCSetup.exe, a Visual Basic 6 front end for the ShowMyPC remote-access bundle: VNC server components (tvnserver.exe, VNCHooks.dll), a VNC viewer (smvnview.exe) and SSH tunnelling helpers (spcplink.exe, smht.exe). The sandbox captured no network traffic, so what it observed is the unpacking stage only.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

%original file name%.exe:3400
SMPCSetup.exe:260

The Trojan-Dropper injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3400 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3183 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smhtc (840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sas.dll (903 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smht.exe (44593 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_obtnstr_JPN (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_vbtnstr_JPN (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (1911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (11009 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1414 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7706 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetupSrv.exe (52216 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCHelper.exe (16026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ijl11.dll (2882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\screenhooks.dll (1498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwg.exe (7163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_sbtnstr_JPN (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\tvnserver.exe (13977 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (3031 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (71643 bytes)

The process SMPCSetup.exe:260 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s). All of them are Internet Explorer's built-in error-page assets (ErrorPageTemplate, errorPageStrings, dnserrordiagoff_webOC and their images), cached when the program's embedded WebBrowser control (SHDocVwCtl.WebBrowser in the strings below) failed to reach its home URL inside the isolated sandbox; they are not content supplied by the sample:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[2] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\down[1] (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)

The Trojan-Dropper deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (0 bytes)

Registry activity

The process %original file name%.exe:3400 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following value in the system registry. Despite the "autorun" label the sandbox attaches to it, this is the standard cleanup entry WEXTRACT writes (its format string rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s" appears in the strings below): at the next logon RunOnce executes it once, advpack.dll's DelNodeRunDLL32 deletes the extraction folder IXP000.TMP, and the value is removed. It does not relaunch the sample and is not a persistence mechanism:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
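To tell a self-extractor's cleanup entry apart from actual logon persistence, a triage script should parse each Run/RunOnce value and look at what is really launched, not just at which key it sits in. The following is an added example, not code from the report or from any Lavasoft or ShowMyPC tool. The first entry is the one reported above with the sanitised "%CurrentUserName%" replaced by a constructed user "alice"; the other three entries are constructed contrast cases, and the list of "user-writable" path markers is the example's own heuristic.

```python
import re
from typing import Dict, List, Tuple

# Entry written by the sample (constructed user name "alice" stands in for the
# sanitised %CurrentUserName%), followed by three constructed contrast cases.
SAMPLE_ENTRIES: List[Tuple[str, str, str]] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\alice\AppData\Local\Temp\IXP000.TMP\"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SmpcApp",
     r'"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe" /silent'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VendorAgent",
     r'"C:\Program Files\Vendor\agent.exe" /background'),
]

# WEXTRACT's cleanup command, per the format string in its .text strings:
#   rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<target>[^"]+?)"?\s*$', re.I)

# Example heuristic: a logon-time launch from one of these locations is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\users\\public\\")


def split_first(command: str) -> Tuple[str, str]:
    """Return (first token, remainder), honouring a double-quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launched_image(command: str) -> str:
    """The file that really runs: the DLL argument for rundll32, otherwise the executable."""
    head, rest = split_first(command)
    if head.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        head, _ = split_first(rest.split(",", 1)[0])
    return head


def classify_autorun(key: str, name: str, command: str) -> Dict[str, str]:
    """Classify one Run/RunOnce value as 'cleanup', 'persistence' or 'review'."""
    key_kind = "RunOnce" if key.lower().endswith("\\runonce") else "Run"
    image = launched_image(command)
    m = CLEANUP_RE.match(command)
    if m:
        return {"name": name, "key": key_kind, "verdict": "cleanup", "image": image,
                "detail": "WEXTRACT cleanup: deletes %s at next logon, then the %s value is removed; "
                          "nothing is relaunched" % (m.group("target"), key_kind)}
    if any(marker in image.lower() for marker in USER_WRITABLE):
        return {"name": name, "key": key_kind, "verdict": "persistence", "image": image,
                "detail": "%s launches %s from a user-writable location" % (key_kind, image)}
    return {"name": name, "key": key_kind, "verdict": "review", "image": image,
            "detail": "%s launches %s; confirm publisher and install path" % (key_kind, image)}


def triage_autoruns(entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    return [classify_autorun(key, name, command) for key, name, command in entries]


if __name__ == "__main__":
    for result in triage_autoruns(SAMPLE_ENTRIES):
        print("%-11s %-8s %-18s %s" % (result["verdict"], result["key"], result["name"], result["detail"]))
```

Feeding the report's entry through this gives the verdict "cleanup", while the same SMPCSetup.exe path placed in a Run key (second entry) is reported as persistence; the classifier keys on the launched image and the advpack.dll,DelNodeRunDLL32 signature rather than on the RunOnce location alone.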

The process SMPCSetup.exe:260 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in the system registry. The HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32 and SMPCSetup_RASMANCS keys are written by the Windows RAS tracing facility whenever a process loads RASAPI32 (pulled in here by WinINet/WinHTTP for the program's connectivity checks) and carry no attacker-controlled data. The Internet Settings values are WinINet proxy-detection and zone state for the current user. The only application-specific value is the VB6 SaveSetting entry under SmpcApp\Common:

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\VB and VBA Program Settings\SmpcApp\Common]
"astart" = ""

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper deletes the following value(s) in the system registry. Together with ProxyEnable = 0 above, removing ProxyServer, ProxyOverride and AutoConfigURL leaves the current user's WinINet/Internet Explorer configuration with no proxy and no PAC script; on a host that depends on a proxy for egress filtering these settings should be restored after cleanup:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

Dropped PE files

SMPCSetup.exe and SMPCSetupSrv.exe have the same MD5, so they are byte-identical copies of one binary (the name suggests the second copy is the one installed as a service).

MD5 File path
9484c04258830aa3c2f2a70eb041414c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX
d62408c656f54abb00b65498b6fbd1be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCHelper.exe
fbd475c35b6185001a00f9e044034cff c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe
fbd475c35b6185001a00f9e044034cff c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetupSrv.exe
2e5356f7c8938730dd5a639893d325f1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll
a0ce0247d48fecaac607edb1e2d87fd8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ijl11.dll
60c3820c4f56c77e3e8bece9d7a51842 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sas.dll
362ba3b724eb94eef488f6865d1b54e6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\screenhooks.dll
49f5ad4781a082789e2aa531e38193b2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smht.exe
0ceb92bc938674df03d1ad51f8ece6e1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe
52541baa5793f240603b6afa1b908ae5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe
491e99207bba55d1bbb03346b0ae3a4e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwg.exe
63c46d69f98b1bbf21a782e75308d9a6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe
ba1a4c2adecb2228a9728b99a957c088 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\tvnserver.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

The version resource is the one Microsoft ships in WEXTRACT.EXE (Win32 Cabinet Self-Extractor, 6.00.2900.2180, Windows XP SP2) except that Product Name has been changed to "HD Player". A product name that contradicts Original Filename and File Description is a quick static tell that a stock self-extractor was repackaged under a lure name.
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 39212 39424 4.55052 17a6fbe18a834b6f3462304415675d36
.data 45056 7140 1024 2.94449 99858e86526942a66950c7139f78a725
.rsrc 53248 3010656 3011072 5.53866 e6264e2ef45e5f43d568cf796348de39
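The hashes, the "Entropy: Packed" verdict and the section table above can be reproduced without a sandbox. The script below is an added example, not part of the report or of any Lavasoft tool: it computes MD5/SHA-1/SHA-256, walks the PE section table and scores each section's Shannon entropy. Because the real sample is not embedded here, build_sample_pe() constructs a minimal two-section PE whose .rsrc dominates the file, the same shape as this WEXTRACT sample, where .rsrc holds 3,011,072 of 3,052,544 bytes because the cabinet is stored as a resource. The 7.0-bit and 90% thresholds are the example's own choices, not the analyzer's.

```python
import hashlib
import math
import struct
import sys
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_sections(data: bytes) -> List[Tuple[str, int, int, int, int]]:
    """Section table as (name, virtual_address, virtual_size, raw_size, raw_offset).

    Only the fields the report shows are decoded; a malformed header raises
    ValueError instead of silently producing garbage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize, roff))
    return out


def triage(data: bytes) -> Dict[str, object]:
    """Hashes, whole-file entropy, per-section entropy/MD5 and two coarse heuristics."""
    sections = []
    for name, vaddr, vsize, rsize, roff in pe_sections(data):
        raw = data[roff:roff + rsize]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                         "entropy": round(shannon_entropy(raw), 5),
                         "md5": hashlib.md5(raw).hexdigest()})
    report: Dict[str, object] = {"size": len(data), **file_hashes(data),
                                 "file_entropy": round(shannon_entropy(data), 5),
                                 "sections": sections}
    # Heuristic 1 (example threshold): > 7 bits/byte is typical of compressed or encrypted content.
    report["high_entropy_sections"] = [s["name"] for s in sections if s["entropy"] > 7.0]
    # Heuristic 2 (example threshold): one section holding > 90% of the file is the
    # shape of a self-extractor carrying its payload as a resource, or of a packer stub.
    largest = max(sections, key=lambda s: s["rsize"]) if sections else None
    report["payload_carrier"] = (largest["name"]
                                 if largest and largest["rsize"] > 0.9 * len(data) else None)
    return report


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real sample: a minimal two-section PE image."""
    text = b"ABCD" * 64                # 256 bytes, four symbols: entropy exactly 2.0
    rsrc = bytes(range(256)) * 32      # 8192 bytes, uniform: entropy exactly 8.0
    secs = [(b".text", 0x1000, len(text), 0x200), (b".rsrc", 0x3000, len(rsrc), 0x300)]
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    table = 0x44 + 20 + 0xE0
    for i, (name, vaddr, size, roff) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, table + 40 * i,
                         name, size, vaddr, size, roff, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr) + text + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    rep = triage(blob)
    print("size=%d md5=%s sha256=%s entropy=%.3f" % (rep["size"], rep["md5"], rep["sha256"], rep["file_entropy"]))
    for s in rep["sections"]:
        print("%-8s va=%#x vsize=%d raw=%d entropy=%.3f md5=%s"
              % (s["name"], s["vaddr"], s["vsize"], s["rsize"], s["entropy"], s["md5"]))
    print("high-entropy sections:", rep["high_entropy_sections"], "payload carrier:", rep["payload_carrier"])
```

Run it with the sample's path as the only argument to get the same hash and section figures the report lists; without an argument it analyses the constructed image, reporting .rsrc as the payload carrier.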

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

No server connections were observed during the analysis run.

Strings from Dumps

The following strings were recovered from memory dumps of the two processes (URLs are defanged: hXXp:// stands for http://, VVV. for www.). Although no traffic was captured, the SMPCSetup.exe strings name the ShowMyPC service endpoints the program would contact and show how its tunnels are built: an OpenSSH-style client run with host-key verification disabled (-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no), a plink-style client (-ssh -2 -P), SSH carried over port 443, a wget-style download with --no-check-certificate, and mstsc.exe pointed at a loopback port on 127.0.0.1 so that Remote Desktop rides the tunnel.

%original file name%.exe_3400:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\
smpcvc.exe
settings.ini
SMPCSetup.exe
spcplink.exe
TIPOFDAY.TXT
VNCHooks.dll
smvnview.exe
tvnserver.exe
mm2.res
MSWINSCK.OCX
smht.exe
ijl11.dll
SMPCHelper.exe
smwg.exe
sas.dll
screenhooks.dll
SMPCSetupSrv.exe
"SMPCSetup.exe"
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Failed to get disk space information from: %s.
System Message: %s.
A required resource cannot be located.
Are you sure you want to cancel?
Unable to retrieve operating system version information.
Memory allocation request failed.
Filetable full.
Can not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
That folder is invalid. Please make sure the folder exists and is writable.
You must specify a folder with fully qualified pathname or choose Cancel.
Could not update folder edit box.
Could not load functions required for browser dialog.
Could not load Shell32.dll required for browser dialog.
Error creating process <%s>. Reason: %s
The cluster size in this system is not supported.
A required resource appears to be corrupted.
Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %s
GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
NT Shutdown: OpenProcessToken error.
NT Shutdown: AdjustTokenPrivileges error.
NT Shutdown: ExitWindowsEx error.
Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
The setup program could not retrieve the volume information for drive (%s) .
System message: %s.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
The installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
Another copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
The folder '%s' does not exist. Do you want to create it?
Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
The '%s' package is not compatible with the version of Windows you are running.
The '%s' package is not compatible with the version of the file: %s on your system.
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
WEXTRACT.EXE
Windows
Operating System
6.00.2900.2180

SMPCSetup.exe_260:

.text
`.data
.rsrc
MSVBVM60.DLL
shdocvw.dll
SHDocVwCtl.WebBrowser
WebBrowser
MSWINSCK.OCX
MSWinsockLib.Winsock
CmdOutput
ModuleWindows
frmLogin
frmLoginService
FormSSHSettings
ModMsgDisp
cMsgDisp
frmLogin1
ws2_32.dll
iphlpapi.dll
urlmon
URLDownloadToFileA
SHFileOperationA
wininet.dll
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
comdlg32.dll
shell32.dll
ShellExecuteA
advapi32.dll
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
PrepareDotSSHFolder
.httpConCheck
 .%System%\winhttp.dll
WinHttp
httpConCheck1
winHttpReqObj
DebugReport
SupportRemoteUsers
TextRemotePassword
LabelRemotePassword
WebBrowserFooter2
%WinDir%\System32\shdocvw.oca
WebBrowser1
ShowKeyboardInfo
ShowParallelPortInfo
ShowSerialPortInfo
ShowPortConnectorInfo
ShowSerialPortConfigurations
ReportProblem
psapi.dll
IsLegacyPassword
WriteExeProperty
ReadExeProperty
StartMeetingAfterGettingPorts
ReadSSHSettings
ForceSSHLogin
SendTerminateMsg
InviteUsersViaWeb
StartServerWithCurrentSSHPort
SwitchToBackUpSSH
SSHHostConnection
SetupHTTPtunnel
StartClientProcessAfterGettingPorts
VerifyViewerSSH
SSHViewerConnection
GenerateHostKey
GetServerFromHostKey
VBA6.DLL
CreateAdditionalEXEAssociations
ValueKey
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
SectionKey
RegDeleteKeyA
RegOpenKeyA
ClassKey
%System%\msvbvm60.dll\3
RegCreateKeyExA
RegEnumKeyExA
CreateEXEAssociation
RegEnumKeyA
RegQueryInfoKeyA
KeyExists
CreateKey
DeleteKey
__vbaStopExe
CreatePipe
EnumWindows
EnumChildWindows
TextSSHServer
kernel32.dll
WebBrowserMyList
TextLoginStatus
cmdOK
cmdCancel
cmdOK_Click
ETextURL
LabelURL
txtPassword
user32.dll
StartMeetingWithNicePass
SetSchPasswordOnServer
SetCustomPass
cmdKick
%System%\MSWINSCK.oca
cmdHost
cmdConnect
menuPrivateMsg
cmdDisconnect
LabelNickName
cmdSend
cmdDeselect
SendMsgOnUserClick
TextProxyPass
TextPort
FrameSSH
LabelSSHPassword
LabelSSHPort
LabelSSHServer
ButtonSSHTest
CheckUseHttp
TextSSHPort
TextSSHPassword
TextSSHUserName
RememberSSHSettings
ClearSSHSettings
winmm.dll
CryptDeriveKey
CryptDestroyKey
GetNamedPipeInfo
olepro32.dll
msvbvm60.dll
%WinDir%\System32\stdole2.tlb
msvfw32.dll
ijl11.dll
Password
Login
&Password:
ShowMyPC Web
Debug Report
Send Report
Meeting Password:
Get password from presenter
Password:
Use Windows Remote Desktop
00:00:00
Use HTTP Proxy Server
HTTP Proxy Server
Use SOCKS username/password
Port:
Private SSH Server
HTTP / Proxy
Use HTTP to Connect (For Restrictive Firewalls)
Test Private SSH Server
SSH Server:
TextURL
Share URL
Update Nick Name
Join
Nick Name
SSH Encrypted
div.tableContainer {
html>body div.tableContainer {
div.tableContainer table {
html>body div.tableContainer table {
thead.fixedHeader tr {
/* this enables overflow to work on TBODY element. All other non-IE, non-Mozilla browsers */
html>body thead.fixedHeader tr {
thead.fixedHeader th {
thead.fixedHeader a, thead.fixedHeader a:link, thead.fixedHeader a:visited {
thead.fixedHeader a:hover {
html>body tbody.scrollContent {
/* hXXp://VVV.alistapart.com/articles/zebratables/ */
tbody.scrollContent td, tbody.scrollContent tr.normalRow td {
tbody.scrollContent tr.alternateRow td {
/* hXXp://VVV.w3.org/TR/REC-CSS2/selector.html#adjacent-selectors */
html>body thead.fixedHeader th {
html>body thead.fixedHeader th   th {
html>body thead.fixedHeader th   th   th {
html>body tbody.scrollContent td {
html>body tbody.scrollContent td   td {
html>body tbody.scrollContent td   td   td {
Password for remote users
Schedule using Web
Support Remote Users
File Transfer (Web based)...
Keyboard Info
Parallel Port Info
Port Connector
Serial Port Configurations
Serial Port
Report a Problem...
HOME_URL
callbackAfterGettingPorts
attemptNumToGetPort
httpConCheck
supportID
hostkey
sKeyNames
iKeyCount
sExePath
bSupportPrint
bSupportNew
bSupportInstall
eKey
sSectionKey
sValueKey
viewerServiceURL
LoginSucceeded
AutoLogin
meetingTypeSupport
remoteKey
sendPrivateMsg
uiMsg
o*\A\\smpcgate\H\vagish\ShowMyPC\current\FinalSMPCssh.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
WindowState
tvnserver.exe
smwinvnc.exe
smvnview.exe
winvncultra.exe
hXXp://service1.showmypc.com/connectnow.php
hXXp://showmypc.com/ShowMyPCHelp.php?version=
hXXp://download3.showmypc.com/app/appheader.html?version=
hXXps://assured.showmypc.com/app/appheaderpr.html
hXXps://assured.showmypc.com/live/invite-users/index.php
hXXps://assured.showmypc.com/live/invite-users/screenshot-mail.php
hXXps://assured.showmypc.com/mac/meetnow.html
hXXps://assured.showmyp.com/users/fixk.php?version=
hXXps://assured.showmypc.com/users/rsettings.php?vr=
hXXp://showmypc.com/users/rsettings.php?vr=
up-msg
pop-msg
no-pop-msg
SOFTWARE\Microsoft\Windows NT\CurrentVersion
smpcchat.ini
[Joined]
Srv.exe
Error occured during operation.
Unsupported value type
Failed to delete requested subkey!
Registry Key Delete
Failed to delete requested main key!
<iframe FRAMEBORDER=0 border=0 width=550 height=100 src=hXXp://showmypc.com/HardwareInfo1.html></iframe>
\temp.html
Keyboard - Win32_Keyboard
ProtocolSupported
Select * from Win32_Keyboard
Number of Function Keys
NumberOfFunctionKeys
Parallel ports - Win32_ParallelPort
Select * from Win32_ParallelPort
Protocol Supported
Port connector - Win32_PortConnector
Select * from Win32_PortConnector
Port Type
PortType
Serial port configuration - Win32_SerialPortConfiguration
Select * from Win32_SerialPortConfiguration
Serial ports - Win32_SerialPort
Select * from Win32_SerialPort
Supports DTRDSR
Supports16BitMode
Supports 16-Bit Mode
SupportsDTRDSR
Supports Elapsed Timeouts
SupportsElapsedTimeouts
Supports Int Timeouts
SupportsIntTimeouts
Supports Parity Check
SupportsParityCheck
Supports RLSD
SupportsRLSD
Supports RTSCTS
SupportsRTSCTS
Supports Special Characters
SupportsSpecialCharacters
Supports XOn XOff
SupportsXOnXOff
Supports XOn XOff Setting
SupportsXOnXOffSet
Supports Hot Plug
SupportsHotPlug
VccMixedVoltageSupport
VCC Mixed Voltage Support
VppMixedVoltageSupport
VPP Mixed Voltage Support
Maximum Memory Supported
MaxMemorySupported
Monochrome
Power Management Supported
PowerManagementSupported
SupportedSRAM
Supported SRAM
Maximum Baud Rate To SerialPort
MaxBaudRateToSerialPort
Port SubClass
PortSubClass
Responses Key Name
ResponsesKeyName
Select * from Win32_OperatingSystem
<H2>Operating systems</H2>
Windows Directory
WindowsDirectory
Operating systems
Windows Directory
hXXps://assured.showmypc.com/remotedb.php
hXXp://showmypc.com/remotedb.php
hXXp://download3.showmypc.com/app/about-us.html
hXXps://assured.showmypc.com/portxxxxxmlxxx-351.php
download3.showmypc.com
ns2.showmypc.com
\SMPCHelper.exe
\mmi.res
winvnc.exe
winvnc4.exe
hXXps://assured.showmypc.com/live/appsettings.php?ci=
connectnowurl
hXXp://showmypc.appspot.com/connectnow.php
Software\Microsoft\Windows\CurrentVersion\Policies\System
RegKey
&mtpass=
Please visit hXXp://showmypc.com for help or update information.
/chat/index.php?myroom=
showmypc.com
hXXp://showmypc.com/users/
\settings.ini
Getting Port 1
hXXps://assured.showmypc.com
hXXp://ns2.showmypc.com
Getting Port 2
hXXp://ns1.showmypc.com
Getting Port 3
UEMURL
InternetExplorer.Application
hXXp://showmypc.com/emailHandler.php?seq=
AutoPortSelect
PortNumber
RfbPort
AlwaysShared
?task=get&actionToPut=connect&keyToPut=
hXXps://assured.showmypc.com/users/rsettings.php?vr=3096
hXXp://showmypc.com/users/rsettings.php?vr=3096
hXXps://assured.
hXXp://
hXXp://localhost:
/ok.html
/ok.html?seq=
Windows 2000
hXXp://localhost:5800/?s=
?task=put&actionToPut=connect&keyToPut=
?task=del&actionToPut=connect&keyToPut=
hXXps://assured.showmypc.com/getClientStatus.php?ci=
\smpcvc.exe
\mm2.res
Error closing key.
WScript.Shell
Windows_NT
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Cannot enable Remote Desktop on Windows 2000, use VNC
smwg.exe --no-check-certificate -O
01/01/2009
HTTP/1.0
VVV.example
/index.asp
mypassword
HTTP/1.1
Windows 95
Windows 98
Windows Millennium
Windows NT 3.51
Windows NT 4.0
Windows XP
Windows 7
Msxml2.XMLHTTP
Microsoft.XMLHTTP
application/x-www-form-urlencoded
Msxml2.XMLHTTP.6.0
Msxml2.XMLHTTP.3.0
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\combo.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\ShowMyPCPremium.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\setall.bmp
\combo.exe
Getting Port
_MSG_ST_SVR
ENG_MSG_GN_ERR
hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip
c:\vbm_demo.zip
hXXp://showmypc.com/ShowMyPCHelp.php?version=3096
supportView
Share Password
Do you wish to update exe with new ID.
explorer.exe
Cannot connect, Check SSH settings file.
spcplink.exe
Testing SSH Connection...
\res.txt
SSH Test Failed
_MSG_DISCON
_MSG_WARNING
_MSG_GN_ERR
Check UI or settings.ini file, SSHServer is missing
Check UI or settings.ini file, SSHUserName is missing
Check UI or settings.ini file, SSHPassword is missing
Check UI or settings.ini file, SSHPort is missing, using default 22
<sr>smpc.com</sr><ur></ur><au></au><pt>443</pt>
hXXps://secure.showmypc.com/transfer/index.php?cl=app&ver=
hXXp://download3.showmypc.com/app/appheader.html?version=3096
\explorer.exe
hXXps://showmypc.appspot.com/connectnow.php
generatepasscode
msgdesp
_MSG_LOGIN_FRM
_MSG_LBL_HOST
_MSG_LBL_PASS
_MSG_LBL_EMAIL
_MSG_LBL_TOP
_MSG_LBL_CK_SRV
_MSG_LBL_OK
_MSG_LBL_CANCEL
_MSG_FRM_SCH_MT
_MSG_LBL_HOST_EMAIL
_MSG_LBL_MT_PASS
_MSG_LBL_MT_INFO
_MSG_SHARE_APP
_MSG_REFRESH
_MSG_CLOSE
smvi.exe
LoginFrmCaption
LoginPasLabel
LoginTopCaption
HomeURL
smht.exe
SSH Protocol Version 2, AES 256
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
hXXp://showmypc.com/ShowMyPCFeedBack.html?cl=app&ver=
outlook.exe
Outlook.Application
Password:
Or visit hXXp://
.showmypc.com
Password:
Reconnecting SSH...
Restarting SSH
Using HTTP...
\spcplink.exe
-N -C -v -ssh -2 -P
Starting SSH Connection...
\smsh.exe -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 443 -N
\smsh.exe
passcodegenerated
_MSG_UN_ERR
HTTP Connect...
Starting with current port
_MSG_GENER
_MSG_SHR_ST
hXXps://assured.showmypc.com/live/mailer.php?sa=1&et=
\smht.exe
-C -ssh -2 -P
Connecting via HTTP...
hostKey=
_MSG_ST_SSH
_MSG_SSHRST
PROXY_AUTH_PASSTHROUGH
PROXY_AUTH_PASS
PROXY_PORT
PORTMAP
443 ssh
80 ssh
hXXp://localhost:4080/ok.html?
_MSG_CONN
_MSG_WR_PASS
Check Version or Incorrect Password.
_MSG_ST_VIEW
_MSG_SSH_ERR
-C -v -ssh -2 -P
mstsc.exe /v:127.0.0.1:
host=127.0.0.1
Port =
password =
_MSG_VIEW_ST
hXXps://assured.showmypc.com/room.html?vr=
Warning, check password or get latest version from hXXp://showmypc.com
Would you like to send full report, it can take upto 30 secs
Generating report please wait...
hXXps://assured.showmypc.com/live/mailer.php
&de=1&sb=Debug Report (
Could not send report, please copy text and email it to support@showmypc.com
Report Sent
Password cannot be blank.
Meeting Password cannot less than 6 characters.
Check Password, Check Network or Meeting may not have started.
Use standard password.
_MSG_YOUR_EMAIL
WMEncEng.WMEncoder
Video files (*.wmv)|*.wmv|All files (*.*)|*.*
Windows Media Encoder might not be installed.
WMENC_HELP_URL
hXXp://showmypc.com/service/wmencoder.html
Password must be atleast 2 characters. No Spaces.
Password must be atleast 8 characters. No Spaces.
\mmit.res
New Password
smsh.exe
SMPCSetupSrv.exe
@reconnect.session
\smpcvc.exe
\SMPCSetupSrv.exe
\smwg.exe
\sas.dll
\screenhooks.dll
c:\cygwin
d:\cygwin
e:\cygwin
\cygcrypto-0.9.8.dll
\cygminires.dll
\cygwin1.dll
\cygz.dll
HttpPort
Please Save Password.
\ultravnc.ini
c:\.ssh
c:\cygwin\.ssh
d:\cygwin\.ssh
d:\.ssh
Invalid Password, try again!
sshremem
sshusr
sshaut
Check your network. Server not available. Check version or Contact support@showmypc.com
joined.
One or more connections are currently open. Disconnect before attempting to change the port settings.
.cRegistry
Failed to create registry Key: '
Failed to delete registry Key: '
Failed to open key '
',Key: '
Failed to set registry value Key: '
Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
Make sure you have Windows Remote Desktop Enabled on Remote Machine.
surl
spcplink.exe -v -ssh -2 -P
hXXp://showmypc.com/service/how-to-install-service/index.html?cl=app&ver=
hXXps://assured.showmypc.com/service/readpclist.php?task=pclstgoog&ci=
hXXp://showmypc.com/service/readpclist.php?task=pclstgoog&ci=
Test Complete. If Command Window is open, the SSH test passed, failed if it is closed.
smpctestkey
\Test_Report_
.html
hXXp://showmypc.com/ok.html
assetauthkey
Verify Remote Port Manager
test.ini
<root><userdat><key1>smpcval1</key1></userdat></root>
\test.ini
Verify Get Parent Exe Name
Verify SSH to Host Connection
Verify Web Browser Control
hXXps://assured.showmypc.com/ok.html
Verify Get Windows Version Information
\ShowMyPCSSH.exe
hXXp://showmypc.com/ShowMyPCSSH.exe
Test Passed:
temp.jpg
Uploading Screen Shot to URL...
hXXps://showmypcup.appspot.com/up?ac=sht&t=u&iid=
hXXps://assured.showmypc.com/broadcast/screenshot.html?ac=sht&iid=
.cDIBSection
.mIntelJPEGLibrary
ADODB.Stream
MSXML2.XMLHTTP
hXXp://showmypc.appspot.com/up?iid=56406&t=u&img=
hXXp://showmypc.appspot.com/up
ADODB.Recordset
wscript.shell
Upload file using http And multipart/form-data
[cscript|wscript] fupload.vbs file url [fieldname]
url ... URL which can accept uploaded data
curl -k -F img=@
Content-Disposition: form-data; name="key"
users/vnarang/3.gif
hXXp://s3.showmypc.com/ok.html
Content-Disposition: form-data; name="AWSAccessKeyId"
Content-Disposition: form-data; name="file"; filename="3.gif"
hXXp:///
A*\A\\smpcgate\H\vagish\ShowMyPC\current\FinalSMPCssh.vbp
ShowMyPC.com Comments
ShowMyPC.com
6.01.0979
SMPCSetup.exe
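Turning a strings dump like the one above into usable indicators means refanging the report's hXXp/VVV notation, collecting the URLs and hostnames, and flagging the command-line switches that weaken transport security. The script below is an added example, not code from the report or from ShowMyPC; SAMPLE_STRINGS is a constructed subset of the SMPCSetup.exe_260 strings listed above, and the five flag rules and their explanations are the example's own.

```python
import re
from typing import Dict, List

# Constructed input: a handful of the SMPCSetup.exe_260 strings listed above,
# kept in the report's defanged form so the refang step is exercised.
SAMPLE_STRINGS: List[str] = [
    "hXXps://assured.showmypc.com/live/appsettings.php?ci=",
    "hXXp://showmypc.com/ShowMyPCHelp.php?version=3096",
    "hXXp://download3.showmypc.com/app/appheader.html?version=3096",
    "hXXps://showmypc.appspot.com/connectnow.php",
    "hXXp://localhost:5800/?s=",
    "hXXps://assured.",
    "hXXp:///",
    "Please visit hXXp://showmypc.com for help or update information.",
    "hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip",
    "smwg.exe --no-check-certificate -O",
    r"\smsh.exe -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 443 -N",
    "-N -C -v -ssh -2 -P",
    "mstsc.exe /v:127.0.0.1:",
    "443 ssh",
]

# The report's defanging convention.
REFANG = (("hXXps://", "https://"), ("hXXp://", "http://"), ("VVV.", "www."))

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Switches and patterns that weaken transport security: (regex, tag, why it matters).
FLAG_RULES = [
    (re.compile(r"StrictHostKeyChecking=no", re.I), "ssh-hostkey-check-disabled",
     "OpenSSH will accept any server key, so the tunnel can be intercepted"),
    (re.compile(r"UserKnownHostsFile=/dev/null", re.I), "ssh-known-hosts-discarded",
     "no host key is ever pinned across sessions"),
    (re.compile(r"--no-check-certificate"), "tls-cert-check-disabled",
     "wget-style download skips certificate validation"),
    (re.compile(r"(?:-p\s+443\b|\b443 ssh\b)"), "ssh-over-443",
     "SSH on the HTTPS port, shaped to pass egress firewalls"),
    (re.compile(r"mstsc\.exe\s+/v:127\.0\.0\.1", re.I), "rdp-via-loopback-tunnel",
     "RDP to a local port, i.e. the remote party reaches the desktop through the tunnel"),
]


def refang(text: str) -> str:
    for defanged, real in REFANG:
        text = text.replace(defanged, real)
    return text


def host_of(url: str) -> str:
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def extract_iocs(lines: List[str]) -> Dict[str, object]:
    urls, domains, findings = set(), set(), []
    for raw in lines:
        line = refang(raw.strip())
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")           # trailing punctuation from prose lines
            host = host_of(url)
            if not host or ("." not in host and host != "localhost"):
                continue                       # drops "hXXp:///" and the truncated "hXXps://assured."
            urls.add(url)
            if host != "localhost":
                domains.add(host)
        for rx, tag, why in FLAG_RULES:
            if rx.search(line):
                findings.append({"flag": tag, "why": why, "string": raw})
    return {"urls": sorted(urls), "domains": sorted(domains), "findings": findings}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_STRINGS)
    print("domains:", ", ".join(result["domains"]))
    for finding in result["findings"]:
        print("[%s] %s  <- %s" % (finding["flag"], finding["why"], finding["string"]))
```

Because the sandbox saw no traffic, the domains this yields are candidate, not confirmed, contacts; the flagged switches are the more durable finding, since they describe how the tunnel is configured regardless of which endpoint answers.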


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3400
    SMPCSetup.exe:260

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper. The whole IXP000.TMP folder can be removed; the Temporary Internet Files entries at the end are Internet Explorer's cached error-page assets and are harmless:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3183 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smhtc (840 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sas.dll (903 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smht.exe (44593 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_obtnstr_JPN (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_vbtnstr_JPN (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (1911 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (11009 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1414 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7706 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetupSrv.exe (52216 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCHelper.exe (16026 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ijl11.dll (2882 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3261 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\screenhooks.dll (1498 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwg.exe (7163 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\i_sbtnstr_JPN (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\tvnserver.exe (13977 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (3031 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (71643 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[2] (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\down[1] (748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)

  4. Delete the following value in the RunOnce key (How to Work with System Registry). It is WEXTRACT's own cleanup entry and would only delete IXP000.TMP at the next logon, so removing it is optional once step 3 is done; it does not restart the sample:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
