Trojan-Dropper.Win32.Vtimrun_b0cecc77f9

by malwarelabrobot on October 19th, 2016 in Malware Descriptions.

Worm.Win32.Vobfus.11.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b0cecc77f91eb1718a9e5fb0725d5f5e
SHA1: 3854f4d4b101fc4b35a3ec99a10a837976fe6e43
SHA256: 6bd6d24b22b17120f1440d2d2c316b92a960a03bbde5c8a110f4a267c3d2f128
SSDeep: 24576:hZDwtOGEv87H4AUj8lI4qucbH0OHVqhWvvw42fTNO:hZUti87L9IzbHxterN
Size: 1201664 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2001-08-17 23:52:32
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):
No processes have been created.
The Trojan-Dropper injects its code into the following process(es):

%original file name%.exe:916
SMPCSetup.exe:644

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:916 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe (11578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (7682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (43164 bytes)

The process SMPCSetup.exe:644 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\appheader[1].htm (831 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (586 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FMOHOQGB.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ga[1].js (26980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logo-showmypc-210-50[1].gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017\index.dat (16 bytes)

The Trojan-Dropper deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)

Registry activity

The process %original file name%.exe:916 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

The process SMPCSetup.exe:644 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CachePrefix" = ":2016101820161019:"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CachePrefix" = ":2016101020161017:"
"CacheLimit" = "8192"

[HKCU\Software\VB and VBA Program Settings\SmpcApp\Common]
"astart" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
41ae075a833527788ddd1e0e2e18e611 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm
64f63dc9be64060c6610db7e5c2fffb5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm
9484c04258830aa3c2f2a70eb041414c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX
6253d9b18f68d94ab6bddc88359fe96a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe
2e5356f7c8938730dd5a639893d325f1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll
59441e8b447089451e760c2a4cc429db c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe
4b51dc9de8d7e59096a9511a609303a1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe
87e700bd9fc23ed4286ac473e3979785 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe
d11b196e109aa0c210010f309170469a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2600.0000
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2600.0000 (xpclient.010817-1148)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 34330 34816 4.5722 57485786991146c66bf74c720b6df8d2
.data 40960 7140 1024 2.90032 730893b14fc930a187215e7fb53bc0a5
.rsrc 49152 1159044 1159168 5.37694 85e4355b00bf02d2a7ab9e40e4425746

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://showmypc.com/app/appheader.html?version=2963&lang=ENG 173.255.253.123
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://s3-1.amazonaws.com/images/logo-showmypc-210-50.gif
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~
hxxp://s3.showmypc.com/images/logo-showmypc-210-50.gif 54.231.98.195
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ 74.125.232.226
hxxp://www.google-analytics.com/ga.js 74.125.232.226


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /app/appheader.html?version=2963&lang=ENG HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: showmypc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 18 Oct 2016 08:45:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1859
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head><smpcok></smpcok>.<style>.a.
linksmall {color:green;text-decoration:underline;font-size: 11px;}.a.l
inksmallred {color:green;text-decoration:underline;font-size: 11px;}.a
.colorlink {color:green;text-decoration:underline;font-size: 12px;}.a.
linkclear {color:green;text-decoration:none;font-size: 12px;}.</sty
le>.<script language="JavaScript">.<!--.var message="Funct
ion Disabled!";...function catchError() { return true; }.window.onerro
r = catchError;..function clickIE4(){.if (event.button==2){.return fal
se;.}.}.function clickNS4(e){.if (document.layers||document.getElement
ById&&!document.all){.if (e.which==2||e.which==3){.return false;.}.}.}
.try.{..if (document.layers){...document.captureEvents(Event.MOUSEDOWN
);...document.onmousedown=clickNS4;..}..else if (document.all&&!docume
nt.getElementById){...document.onmousedown=clickIE4;..}..document.onco
ntextmenu=new Function("return false").}.catch(e){}.// -->.</scr
ipt>.</head>.<body topmargin="0" leftmargin="0" scroll="no
">.<table border="0" cellspacing="0" cellpadding="0">.<tr&
gt;.<td valign="bottom">..<a href="hXXp://showmypc.com?ref=he
ader" target="_new"><img src="hXXp://s3.showmypc.com/images/logo
-showmypc-210-50.gif" border="0"></a>.</td>.<td vali
gn="bottom">..</td>...<td valign="middle">......<a h
ref="hXXp://download3.showmypc.com/ShowMyPC3500.exe" class="linksmallr
ed">Get Latest Version 3500</a>.....</td>..</tr&

<<< skipped >>>

GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 18 Oct 2016 07:57:27 GMT
Expires: Tue, 18 Oct 2016 09:57:27 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16022
Age: 2888
Cache-Control: public, max-age=7200
...........}kW....w~........pk..f......ZZ(O.,.!$$!q.....gft...>{...
.%.G..>..fF~2........;>..i...&.9.....v*.|x.|$....L.....y. 5.....
!..R*i..........>[email protected]<_-.|aa.......F.p,...
.yA.....Q.{'...kyA....^.S...'o.2......5K..2o'~.....F#....*.7...c.#.l.P
. >.L.j.4....h...L~-....JW.Z..bm.I.9....s..;...=..Ue...b....r......
...........).......dO.c....v.f...^:....=.}.N'.-4.5m|h..tb.6v..W..r$.@.
8................v......e...T.t.h.c:..(....~.e0.].....{[email protected]
Z.q.s.8...T...9..1r...u.KS..(xa!..{0!..5.4.^...7..."..........J8... ..
...O....t...q...|...a......a.V.q.5.e.([2..F[.........E...W.|....5a...0
..0...Ma.ML.....d....3.....=/.z`....i....ku#.4.b.Ra.^.:.-.j.*..L......
.A.;...Q.{2i.....}l..H.....T...Y._.Q!q [email protected]..!x!...p.e4...
'$c......x....'..AF&*i.../..@...!..zx..bq.{<..9...~..]...cW.Q....@A
...........U..}. .ihA..n..KK0:[email protected]>...-=...|..E.
._.W.pS..5....4.Ma..|.B......w...b>X. ...a....gV.1...ra!ZX.).,...[.
.*[.....)s8.. .....X8.c..D6'ai.6..Q.u10..N...p...>V.............!V.
......p#.....#.j...b......C....^........#..>E.`.........y.....%..M.
D.e...Y.HB.....a.G(.b.P.=.......'...&.T._.B..C......T....8..Ra.5.o.*..
.!.o..t ....`"@...='..<.Z.n..}`...m...TY...-...&".!.p....j...H....z
........|....H.....*...4"...K.0D8..2...`.O..R......../`2.6.F.W..,...2.
....I..Y....o...8..yA].....G.....8..8[..U.*x..).]...=.\...0<.pu....
7%.e?".P..f../.C??.h..8|Y.....W.j...^.O(.O.....3W\Q....~.N.G.Z.3.OO..W
.....7i(....c...!.Az....*...*..pdo.c4.k.%..}.......". ..f...{_.z..

<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 18 Oct 2016 08:45:35 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Tue, 18 Oct 2016 08:45:35 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;..


GET /images/logo-showmypc-210-50.gif HTTP/1.1
Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s3.showmypc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: UChFuaNe6kMqImkQFTv95JLjoB9DMZe6U8VEBnAEWiGeM0Z3p8b5CjcL4uj5U0vw7GyLDqCXSZM=
x-amz-request-id: 5EF2F34287BEA3DF
Date: Tue, 18 Oct 2016 08:45:36 GMT
Last-Modified: Fri, 13 Jan 2012 20:36:03 GMT
ETag: "f11f9152cbccafb7623088ef6a2dd0e3"
x-amz-meta-s3fox-filesize: 3934
x-amz-meta-s3fox-modifiedtime: 1326484442667
Accept-Ranges: bytes
Content-Type: image/gif
Content-Length: 3934
Server: AmazonS3
GIF89a..2.w..!.......,......2...r.......w.C..z.............h%.........
..D.-.3\.e.87.:..{.................w...Iv..J...l.v6...]. ..:....u!....
..g.Gm.n......4.Tk.3.....k.m....y.6..x...[.B..h.uH....b2..[......V.8U.
...XXz5..d`.$~.c.X..T3..r...s.>....{T.{*..i.......m2S....c...&{7.Z*
Dj....N.g.R".k0...q...L).M.....W'....u5.jG>d....G.98`......W.]2....
S*...In".x%.......@*....|-...@f........_$.H4....D.......d.5Y......s/w.
Z......\....UX....g.zg......:a...rn.E....q ......Z..O.>...-W.....]&
=b.....W5..........N4...Ru.Nq*........E..........P.......X. .h1_.#..I.
.....M..W..L..>c.....b>......Bm....d.gb.%a.$...h./d.(X...o1<c
.......a.%...`.?.{.~.M....w .|[email protected]]....s....r?.a7...K~5.]C...m.Op.R
..a..vc.&.~.....pQ.g)..a.............j<e.[...w.PP.....O}.Z. ..Y.T&.
.....?e...w...6^....>j...............`b.&..,.o7......Q..H......*\..
....#J.H.....3j...... C..I....(S.\.....0c..I..../........@...)....H..$
.....Po",F....X.j......`...K.l..S..][email protected].
c(....}.. .K..e.|.^....g.YBgA.&J.:..$X.......\.M.6....>...7'!...6}.
.j?~:.h.c.>[email protected]...#>f.......8.,8qu...w....c
.....X.w.a..o.daH.O.W....bW..l..*.. ..x..BV...[...5M&.X...m. .*0..!.4.
.aV."..[.p3N)5. ....e....RD.L.ucVg...!e..J).."F3\6....h.V.3Ru...(9O.l.
.$VF....`..F.)@.....).95.2.......*..GU$....U.P.ëu.-$(....M3MVO,..Z]T
@.<..`*Wi(!...$.y..XE..'.x5K......^....CTB'U.,".Vi....N0._..... ...
.V...L......TI0..I(..U.(.n...q..N.B.U........G.. .J.U....H.....,....]u
....s...... ....3..2..Vu..*..7@ V.z..B.&D..t5K.LD.l.&lAN1OHC.U .3j

<<< skipped >>>

The Trojan-Dropper connects to the servers at the following location(s):

%original file name%.exe_916:

.text
.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
 ku2.iu
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
t8SShs7
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\
~~}}}|||3
smpcvc.exe
MSRC4Plugin.dsm
MSRC4Plugin_NoReg.dsm
settings.ini
SMPCSetup.exe
spcplink.exe
TIPOFDAY.TXT
VNCHooks.dll
smvnview.exe
smwinvnc.exe
mm2.res
MSWINSCK.OCX
%srAK@e
7)`%F
D$-0}$%%
f1J%C<
$.sYt
N.FCdcniF
KG.FuK
q%uf%%
..WR2;VS
UMÅ
%s[(*n
%d{dA ?}$
n-I%c
^X>8%f
%/t.II
m.eJz
{.Xmu!
E/.Jh
S.FoO
h.SGG
nYH?%c
=%s2`\ mE
`BL.gxK=
^%UF5
ur.Zt
g.uD8
Z|~.Cp
85.EI
dA.JV&;Gu
':%dZ
~4%c$
A%c-t
Vl.CS
u(>%X
zD.kL
#4D.fe
.rbM$
%U7 g
LW.ba$.;
.mx0L
'.|.yg
.alHN#
|6B.Ur
Mi.IT
a%S|W\
!N.JNP[9Si
ZM.DK|
K %]%fhu
.hs.&
4d#.zD
s<>.ly
N%dvy
.hY%Xh
rBA%FPL
%UlVcSt
a%s<u
&.VIB
.BPp%
%s@{|
.QsPy
c.Pg=w
FFO%X
nBvyO%.U
b%fuBU%
7%U3e
OIP%C
[.oMA
.Ya$b
.eb-;
U.jjCb
.ODjF^
*F.nR
|.WFA
Y5e%sl&
i.TisS
 Û\MA
6.EW{
"SMPCSetup.exe"
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.00.2600.0000 (xpclient.010817-1148)
WEXTRACT.EXE
Windows
Operating System
6.00.2600.0000

%original file name%.exe_916_rwx_01001000_00001000:

 ku2.iu
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh

SMPCSetup.exe_644:

.text
`.data
.rsrc
MSVBVM60.DLL
MSWINSCK.OCX
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
CmdOutput
frmLoginService
frmLogin
ModuleWindows
ws2_32.dll
URLDownloadToFileA
iphlpapi.dll
urlmon
SHFileOperationA
wininet.dll
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
comdlg32.dll
shell32.dll
ShellExecuteA
LabelSSHPassword
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
LabelSSHServer
TextSSHPassword
TextSSHPort
TextSSHServer
LabelSSHPort
ButtonSSHTest
TextSSHUserName
WebBrowser1
C:\Windows\system32\ieframe.oca
ShowKeyboardInfo
SupportRemoteUsers
ShowParallelPortInfo
ShowPortConnectorInfo
ShowSerialPortConfigurations
ReportProblem
DebugReport
TextRemotePassword
LabelRemotePassword
FrameSSH
ShowSerialPortInfo
psapi.dll
IsLegacyPassword
WriteExeProperty
ReadExeProperty
VerifySSH
ForceSSHLogin
InviteUsersViaWeb
StartServerWithCurrentSSHPort
SSHHostConnection
SSHHostConnectionKeepAlive
SetHostKeyAndGetPort
SetAutoLogin
VtxtPassword
cmdOK
cmdCancel
cmdOK_Click
TextLoginStatus
kernel32.dll
LabelNickName
cmdSend
cmdDeselect
z>-DcC:\Windows\system32\MSWINSCK.oca
cmdKick
cmdDisconnect
cmdConnect
cmdHost
menuPrivateMsg
SendMsgOnUserClick
RememberSSHSettings
ClearSSHSettings
RegCloseKey
advapi32.dll
RegOpenKeyExA
EnumWindows
EnumChildWindows
cmdNextTip
winmm.dll
C:\Windows\system32\MSVBVM60.DLL\3
.Label4
CreateEXEAssociation
RegCreateKeyExA
RegEnumKeyExA
RegEnumKeyA
RegQueryInfoKeyA
RegDeleteKeyA
KeyExists
CreateKey
DeleteKey
CreateAdditionalEXEAssociations
ClassKey
SectionKey
ValueKey
RegCreateKeyA
RegOpenKeyA
VBA6.DLL
CreatePipe
__vbaStopExe
CryptDeriveKey
CryptDestroyKey
Free service provided by ShowMyPC.com Press escape to exit this mode.
Password
ShowMyPC Web
~~}}}|||3
Debug Report
Send Report
Login
txtPassword
&Password:
Meeting Password:
Get password from presenter
Password:
00:00:00
Update Nick Name
Join
Nick Name
SSH Encrypted
div.tableContainer {
html>body div.tableContainer {
div.tableContainer table {
html>body div.tableContainer table {
thead.fixedHeader tr {
/* this enables overflow to work on TBODY element. All other non-IE, non-Mozilla browsers */
html>body thead.fixedHeader tr {
thead.fixedHeader th {
thead.fixedHeader a, thead.fixedHeader a:link, thead.fixedHeader a:visited {
thead.fixedHeader a:hover {
html>body tbody.scrollContent {
/* hXXp://VVV.alistapart.com/articles/zebratables/ */
tbody.scrollContent td, tbody.scrollContent tr.normalRow td {
tbody.scrollContent tr.alternateRow td {
/* hXXp://VVV.w3.org/TR/REC-CSS2/selector.html#adjacent-selectors */
html>body thead.fixedHeader th {
html>body thead.fixedHeader th   th {
html>body thead.fixedHeader th   th   th {
html>body tbody.scrollContent td {
html>body tbody.scrollContent td   td {
html>body tbody.scrollContent td   td   td {
Build with my SSH Server
Test my SSH Server
SSH Server:
Port:
, #&')*)
-0-(0%()(
Password for remote users
Schedule using Web
Support Remote Users
File Transfer (Web based)...
Keyboard Info
Parallel Port Info
Port Connector
Serial Port Configurations
Serial Port
Report a Problem...
HOME_URL
mtpass
supportID
hostkey
LoginSucceeded
AutoLogin
meetingTypeSupport
sendPrivateMsg
sKey
sKeyNames
iKeyCount
sExePath
bSupportPrint
bSupportNew
bSupportInstall
eKey
sSectionKey
sValueKey
FTPS
g*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
smvi.exe
Aw.ex
Ainvnc.exe
AO~4.CSSsortstyletable.css
AEspcplink-old.ex
SOQ5JA~D.BATspc
srvPane.batPFx
temp.htmlQTM3p
temp.spc
AOFDAY.TXT
users.jpg
TIPOFDAY.TXT
smwinvnc.exe
smvnview.exe
winvnc4.exe
vncultra.exe
mmi.res
hXXps://secure.showmypc.com/schedule/remotedb.php
hXXp://service1.showmypc.com/connectnow.php
hXXp://showmypc.com/ShowMyPCHelp.php?version=
hXXp://showmypc.com/app/appheader.html?version=
no-pop-msg
hXXps://assured.showmypc.com/app/appheaderpr.html
hXXps://assured.showmypc.com/live/invite-users/index.php
hXXps://assured.showmypc.com/mac/meetnow.html
up-msg
pop-msg
f#p.x.gi52
WindowState
\servicelog.txt
smpcchat.ini
[Joined]
SOFTWARE\Microsoft\Windows NT\CurrentVersion
hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip
c:\vbm_demo.zip
hXXp://showmypc.com/ShowMyPCHelp.php?version=2963
Please visit hXXp://showmypc.com for help or update information.
supportView
Share Password
showmypc.com
Do you wish to update exe with new ID.
explorer.exe
Cannot connect, Check SSH settings file.
hXXp://localhost:
/ok.html
Testing SSH Connection...
SSH Connection OK.
SSH Connection Error.
\res.txt
SSH Test Failed
_MSG_DISCON
_MSG_WARNING
spcplink.exe -v -ssh -2 -P
Test Complete. If Command Window is open, the SSH test passed, failed if it is closed.
SSHServer
_MSG_GN_ERR
Check UI or settings.ini file, SSHServer is missing
Check UI or settings.ini file, SSHUserName is missing
Check UI or settings.ini file, SSHPassword is missing
Check UI or settings.ini file, SSHPort is missing, using default 22
Do you want to build ShowMyPC client to work with your own SSH server. (
\settings.ini
SSHUserName
SSHPassword
SSHPort
iexpress.exe /N ./SMPCust.SED
ShowMyPCustom.exe
\ShowMyPCustom.exe
<sr>smpc.com</sr><ur></ur><au></au><pt>443</pt>
hXXps://secure.showmypc.com/transfer/index.php?cl=app&ver=
hXXp://showmypc.com/app/appheader.html?version=2963
\Explorer.exe
_MSG_LOGIN_FRM
_MSG_LBL_HOST
_MSG_LBL_PASS
_MSG_LBL_EMAIL
_MSG_LBL_TOP
_MSG_LBL_CK_SRV
_MSG_LBL_OK
_MSG_LBL_CANCEL
_MSG_FRM_SCH_MT
_MSG_LBL_HOST_EMAIL
_MSG_LBL_MT_PASS
_MSG_LBL_MT_INFO
_MSG_SHARE_APP
_MSG_REFRESH
_MSG_CLOSE
ShowMyPC.com
LoginFrmCaption
LoginPasLabel
LoginTopCaption
HomeURL
SSH Protocol Version 2, AES 256
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
hXXp://showmypc.com/ShowMyPCFeedBack.html?cl=app&ver=
&mtpass=
WScript.Shell
outlook.exe
Outlook.Application
Password:
Or visit hXXp://
.showmypc.com
Password:
Trying to restart SSH Connection
Restarting SSH
\spcplink.exe -C -v -ssh -2 -P
Starting SSH Connection...
Starting with current port
_MSG_UN_ERR
Starting with current port
Test with current port
_MSG_ST_SVR
_MSG_GENER
_MSG_SHR_ST
spcplink.exe -C -v -ssh -2 -P
:assured.showmypc.com:80
:ns2.showmypc.com:80
hostKey=
_MSG_ST_SSH
_MSG_SSHRST
AutoPortSelect
PortNumber
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"Password"=hex:
"HTTPConnect"=dword:00000000
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001af4
"HTTPPortNumber"=dword:00001a90
HTTPConnect
HTTPPortNumber
_MSG_CONN
_MSG_WR_PASS
View Test SSH:
_MSG_ST_VIEW
_MSG_SSH_ERR
/password
host=127.0.0.1
Port =
password =
_MSG_VIEW_ST
Warning, check password or make sure you have latest application from hXXp://showmypc.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
Windows 98
Windows 95
HTTP/1.1
mypassword
hXXp://
HTTP/1.0
VVV.example
/index.asp
Windows Millennium
Windows NT 3.51
Windows NT 4.0
Windows 2000
Windows XP
Microsoft.XMLHTTP
application/x-www-form-urlencoded
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\combo.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\ShowMyPCPremium.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\setall.bmp
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\extracted\
RegKey
/chat/index.php?myroom=
hXXp://showmypc.com/users/
hXXps://assured.showmypc.com/portxxxxxmlxxx-351.php?ver=
Getting PortX 1
hXXps://assured.showmypc.com
hXXp://ns2.showmypc.com
Getting PortX 2
hXXp://ns1.showmypc.com
Getting PortX 3
UEMURL
InternetExplorer.Application
hXXp://showmypc.com/emailHandler.php?seq=
?task=get&actionToPut=connect&keyToPut=
https
?task=put&actionToPut=connect&keyToPut=
?task=del&actionToPut=connect&keyToPut=
\smpcvc.exe
\mm2.res
<iframe FRAMEBORDER=0 border=0 width=550 height=100 src=hXXp://showmypc.com/HardwareInfo1.html></iframe>
\temp.html
Keyboard - Win32_Keyboard
Select * from Win32_Keyboard
Number of Function Keys
NumberOfFunctionKeys
Parallel ports - Win32_ParallelPort
Select * from Win32_ParallelPort
Protocol Supported
ProtocolSupported
Port connector - Win32_PortConnector
Select * from Win32_PortConnector
Port Type
PortType
Serial port configuration - Win32_SerialPortConfiguration
Select * from Win32_SerialPortConfiguration
Serial ports - Win32_SerialPort
Select * from Win32_SerialPort
Supports 16-Bit Mode
Supports16BitMode
Supports DTRDSR
SupportsDTRDSR
Supports Elapsed Timeouts
SupportsElapsedTimeouts
Supports Int Timeouts
SupportsIntTimeouts
SupportsXOnXOffSet
Supports Parity Check
SupportsParityCheck
Supports RLSD
SupportsRLSD
Supports RTSCTS
SupportsRTSCTS
Supports Special Characters
SupportsSpecialCharacters
Supports XOn XOff
SupportsXOnXOff
Supports XOn XOff Setting
Supports Hot Plug
SupportsHotPlug
VccMixedVoltageSupport
VCC Mixed Voltage Support
VppMixedVoltageSupport
VPP Mixed Voltage Support
Maximum Memory Supported
MaxMemorySupported
Monochrome
Power Management Supported
PowerManagementSupported
SupportedSRAM
Supported SRAM
Maximum Baud Rate To SerialPort
MaxBaudRateToSerialPort
Port SubClass
PortSubClass
Windows Directory
Responses Key Name
ResponsesKeyName
Select * from Win32_OperatingSystem
<H2>Operating systems</H2>
WindowsDirectory
Operating systems
Windows Directory
.cRegistry
Failed to create registry Key: '
Failed to delete registry Key: '
Failed to open key '
',Key: '
Failed to set registry value Key: '
Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
Failed to delete requested subkey!
Registry Key Delete
Failed to delete requested main key!
ShowMyPC.com Remote Service
-register PortNumber=7900 Password=
Error occured during operation.
Password must be atleast 8 characters. No Spaces.
Password :
\mmit.res
Password : *********
WMEncEng.WMEncoder
Server not available. Check version or Contact [email protected]
Password cannot be blank.
Meeting Password cannot less than 6 characters.
Meeting may not have started, please wait, check password or network connection.
_MSG_YOUR_EMAIL
Video files (*.wmv)|*.wmv|All files (*.*)|*.*
Windows Media Encoder might not be installed.
WMENC_HELP_URL
hXXp://showmypc.com/service/wmencoder.html
Invalid Password, try again!
sshremem
sshusr
sshaut
joined.
One or more connections are currently open. Disconnect before attempting to change the port settings.
From any other computer, use the viewer provide to you by ShowMyPC.com
Goto hXXp://showmypc.com/service to access this computer remotely.
c:\zest.res
Error closing key.
hXXp://showmypc.com/live/mailer.php
&de=1&sb=Debug Report
Could not send report, please email it to [email protected]
hXXp:///
@*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
ShowMyPC.com Comments
6.01.0358
SMPCSetup.exe

taskhost.exe_2528:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
ole32.dll
OLEAUT32.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
USER32.dll
RPCRT4.dll
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
The likely culprit task is stuck on the same stack with %S.
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
Invalid parameter passed to C runtime function.
taskhost.pdb
_wcmdln
_amsg_exit
InitOnceExecuteOnce
SetProcessShutdownParameters
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
ntdll.dll
GetProcessHeap
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
bStartComTask() --> h=0x%x ret=%d
StopComTask(0x%x) --> ret=%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
ComTaskMgrWnd(0x%x)::Shutdown(%ws)
gCleanupSet()::Remove(0x%x)
ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
StartTaskThread(0x%x) bailed out because of shutdown
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: EnumThreadWindows failed err=%d.
Host Process for Windows Tasks
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskhost.exe
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe (11578 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (837 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1618 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7621 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3251 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (7682 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (43164 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (308 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\appheader[1].htm (831 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (586 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FMOHOQGB.txt (726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ga[1].js (26980 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logo-showmypc-210-50[1].gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017\index.dat (16 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
