Worm.Win32.Vobfus.11.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b0cecc77f91eb1718a9e5fb0725d5f5e
SHA1: 3854f4d4b101fc4b35a3ec99a10a837976fe6e43
SHA256: 6bd6d24b22b17120f1440d2d2c316b92a960a03bbde5c8a110f4a267c3d2f128
SSDeep: 24576:hZDwtOGEv87H4AUj8lI4qucbH0OHVqhWvvw42fTNO:hZUti87L9IzbHxterN
Size: 1201664 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2001-08-17 23:52:32
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):No processes have been created.The Trojan-Dropper injects its code into the following process(es):
%original file name%.exe:916
SMPCSetup.exe:644
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:916 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe (11578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (7682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (43164 bytes)
The process SMPCSetup.exe:644 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\appheader[1].htm (831 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (586 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FMOHOQGB.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ga[1].js (26980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logo-showmypc-210-50[1].gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017\index.dat (16 bytes)
The Trojan-Dropper deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
Registry activity
The process %original file name%.exe:916 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
The process SMPCSetup.exe:644 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CachePrefix" = ":2016101820161019:"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
"CachePrefix" = ":2016101020161017:"
"CacheLimit" = "8192"
[HKCU\Software\VB and VBA Program Settings\SmpcApp\Common]
"astart" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101820161019]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SMPCSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Dropper deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]
The Trojan-Dropper deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
41ae075a833527788ddd1e0e2e18e611 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm |
64f63dc9be64060c6610db7e5c2fffb5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm |
9484c04258830aa3c2f2a70eb041414c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX |
6253d9b18f68d94ab6bddc88359fe96a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe |
2e5356f7c8938730dd5a639893d325f1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll |
59441e8b447089451e760c2a4cc429db | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe |
4b51dc9de8d7e59096a9511a609303a1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe |
87e700bd9fc23ed4286ac473e3979785 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe |
d11b196e109aa0c210010f309170469a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSWINSCK.OCX (3662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smwinvnc.exe (11578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\VNCHooks.dll (1618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smpcvndat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\spcplink.exe (7621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mm2.res (3251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\smvnview.exe (7682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\settings.ini (568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SMPCSetup.exe (43164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CNY5CM45.txt (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\appheader[1].htm (831 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OYD0TT1K.txt (586 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AMD4JD22.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZJIN0MBG.txt (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FMOHOQGB.txt (726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ga[1].js (26980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logo-showmypc-210-50[1].gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101820161019\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017\index.dat (16 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2600.0000
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2600.0000 (xpclient.010817-1148)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.00.2600.0000Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.00.2600.0000 (xpclient.010817-1148)File Description: Win32 Cabinet Self-Extractor Comments: Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34330 | 34816 | 4.5722 | 57485786991146c66bf74c720b6df8d2 |
.data | 40960 | 7140 | 1024 | 2.90032 | 730893b14fc930a187215e7fb53bc0a5 |
.rsrc | 49152 | 1159044 | 1159168 | 5.37694 | 85e4355b00bf02d2a7ab9e40e4425746 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://showmypc.com/app/appheader.html?version=2963&lang=ENG | 173.255.253.123 |
hxxp://www-google-analytics.l.google.com/ga.js | |
hxxp://s3-1.amazonaws.com/images/logo-showmypc-210-50.gif | |
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ | |
hxxp://s3.showmypc.com/images/logo-showmypc-210-50.gif | 54.231.98.195 |
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ | 74.125.232.226 |
hxxp://www.google-analytics.com/ga.js | 74.125.232.226 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app/appheader.html?version=2963&lang=ENG HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: showmypc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 18 Oct 2016 08:45:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1859
Connection: close
Content-Type: text/html; charset=UTF-8
<html><head><smpcok></smpcok>.<style>.a.linksmall {color:green;text-decoration:underline;font-size: 11px;}.a.linksmallred {color:green;text-decoration:underline;font-size: 11px;}.a.colorlink {color:green;text-decoration:underline;font-size: 12px;}.a.linkclear {color:green;text-decoration:none;font-size: 12px;}.</style>.<script language="JavaScript">.<!--.var message="Function Disabled!";...function catchError() { return true; }.window.onerror = catchError;..function clickIE4(){.if (event.button==2){.return false;.}.}.function clickNS4(e){.if (document.layers||document.getElementById&&!document.all){.if (e.which==2||e.which==3){.return false;.}.}.}.try.{..if (document.layers){...document.captureEvents(Event.MOUSEDOWN);...document.onmousedown=clickNS4;..}..else if (document.all&&!document.getElementById){...document.onmousedown=clickIE4;..}..document.oncontextmenu=new Function("return false").}.catch(e){}.// -->.</script>.</head>.<body topmargin="0" leftmargin="0" scroll="no">.<table border="0" cellspacing="0" cellpadding="0">.<tr>.<td valign="bottom">..<a href="hXXp://showmypc.com?ref=header" target="_new"><img src="hXXp://s3.showmypc.com/images/logo-showmypc-210-50.gif" border="0"></a>.</td>.<td valign="bottom">..</td>...<td valign="middle">......<a href="hXXp://download3.showmypc.com/ShowMyPC3500.exe" class="linksmallred">Get Latest Version 3500</a>.....</td>..</tr&
<<< skipped >>>
GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 18 Oct 2016 07:57:27 GMT
Expires: Tue, 18 Oct 2016 09:57:27 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16022
Age: 2888
Cache-Control: public, max-age=7200
...........}kW....w~........pk..f......ZZ(O.,.!$$!q.....gft...>{....%.G..>..fF~2........;>..i...&.9.....v*.|x.|$....L.....y. 5.....!..R*i..........>..mAf.o..@.0L.....1....w.v<_-.|aa.......F.p,....yA.....Q.{'...kyA....^.S...'o.2......5K..2o'~.....F#....*.7...c.#.l.P. >.L.j.4....h...L~-....JW.Z..bm.I.9....s..;...=..Ue...b....r.................).......dO.c....v.f...^:....=.}.N'.-4.5m|h..tb.6v..W..r$.@.8................v......e...T.t.h.c:..(....~.e0.].....{Y.p.....K.@L..JZ.q.s.8...T...9..1r...u.KS..(xa!..{0!..5.4.^...7..."..........J8... .....O....t...q...|...a......a.V.q.5.e.([2..F[.........E...W.|....5a...0..0...Ma.ML.....d....3.....=/.z`....i....ku#.4.b.Ra.^.:.-.j.*..L.......A.;...Q.{2i.....}l..H.....T...Y._.Q!q ..V.y...9.@.R..8..!x!...p.e4...'$c......x....'..AF&*i.../..@...!..zx..bq.{<..9...~..]...cW.Q....@A...........U..}. .ihA..n..KK0:....b....@.D..U.....b.I>...-=...|..E.._.W.pS..5....4.Ma..|.B......w...b>X. ...a....gV.1...ra!ZX.).,...[..*[.....)s8.. .....X8.c..D6'ai.6..Q.u10..N...p...>V.............!V.......p#.....#.j...b......C....^........#..>E.`.........y.....%..M.D.e...Y.HB.....a.G(.b.P.=.......'...&.T._.B..C......T....8..Ra.5.o.*...!.o..t ....`"@...='..<.Z.n..}`...m...TY...-...&".!.p....j...H....z........|....H.....*...4"...K.0D8..2...`.O..R......../`2.6.F.W..,...2.....I..Y....o...8..yA].....G.....8..8[..U.*x..).]...=.\...0<.pu....7%.e?".P..f../.C??.h..8|Y.....W.j...^.O(.O.....3W\Q....~.N.G.Z.3.OO..W.....7i(....c...!.Az....*...*..pdo.c4.k.%..}.......". ..f...{_.z..
<<< skipped >>>
GET /r/__utm.gif?utmwv=5.6.7&utms=1&utmn=978049365&utmhn=showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=525x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=23.0 r0&utmhid=1559595622&utmr=-&utmp=/app/appheader.html?version=2963&lang=ENG&utmht=1476780331282&utmac=UA-3896280-1&utmcc=__utma=253651531.90838974.1476780331.1476780331.1476780331.1;+__utmz=253651531.1476780331.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=78433703&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 18 Oct 2016 08:45:35 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Tue, 18 Oct 2016 08:45:35 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..GIF89a.............,...........D..;..
GET /images/logo-showmypc-210-50.gif HTTP/1.1
Accept: */*
Referer: hXXp://showmypc.com/app/appheader.html?version=2963&lang=ENG
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s3.showmypc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: UChFuaNe6kMqImkQFTv95JLjoB9DMZe6U8VEBnAEWiGeM0Z3p8b5CjcL4uj5U0vw7GyLDqCXSZM=
x-amz-request-id: 5EF2F34287BEA3DF
Date: Tue, 18 Oct 2016 08:45:36 GMT
Last-Modified: Fri, 13 Jan 2012 20:36:03 GMT
ETag: "f11f9152cbccafb7623088ef6a2dd0e3"
x-amz-meta-s3fox-filesize: 3934
x-amz-meta-s3fox-modifiedtime: 1326484442667
Accept-Ranges: bytes
Content-Type: image/gif
Content-Length: 3934
Server: AmazonS3
GIF89a..2.w..!.......,......2...r.......w.C..z.............h%...........D.-.3\.e.87.:..{.................w...Iv..J...l.v6...]. ..:....u!......g.Gm.n......4.Tk.3.....k.m....y.6..x...[.B..h.uH....b2..[......V.8U....XXz5..d`.$~.c.X..T3..r...s.>....{T.{*..i.......m2S....c...&{7.Z*Dj....N.g.R".k0...q...L).M.....W'....u5.jG>d....G.98`......W.]2....S*...In".x%.......@*....|-...@f........_$.H4....D.......d.5Y......s/w.Z......\....UX....g.zg......:a...rn.E....q ......Z..O.>...-W.....]&=b.....W5..........N4...Ru.Nq*........E..........P.......X. .h1_.#..I......M..W..L..>c.....b>......Bm....d.gb.%a.$...h./d.(X...o1<c.......a.%...`.?.{.~.M....w .|6o.8@.4]....s....r?.a7...K~5.]C...m.Op.R..a..vc.&.~.....pQ.g)..a.............j<e.[...w.PP.....O}.Z. ..Y.T&......?e...w...6^....>j...............`b.&..,.o7......Q..H......*\......#J.H.....3j...... C..I....(S.\.....0c..I..../........@...)....H..$.....Po",F....X.j......`...K.l..S..].....p..=.....x...k........@X...0.c(....}.. .K..e.|.^....g.YBgA.&J.:..$X.......\.M.6....>...7'!...6}..j?~:.h.c.>..X.=.j...I...N..@..x...B...#>f.......8.,8qu...w....c.....X.w.a..o.daH.O.W....bW..l..*.. ..x..BV...[...5M&.X...m. .*0..!.4..aV."..[.p3N)5. ....e....RD.L.ucVg...!e..J).."F3\6....h.V.3Ru...(9O.l..$VF....`..F.)@.....).95.2.......*..GU$....U.P.ëu.-$(....M3MVO,..Z]T@.<..`*Wi(!...$.y..XE..'.x5K......^....CTB'U.,".Vi....N0._..... ....V...L......TI0..I(..U.(.n...q..N.B.U........G.. .J.U....H.....,....]u....s...... ....3..2..Vu..*..7@ V.z..B.&D..t5K.LD.l.&lAN1OHC.U .3j
<<< skipped >>>
Map
The Trojan-Dropper connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_916:
.text
.text
.data
.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
ku2.iu
ku2.iu
advapi32.dll
advapi32.dll
advpack.dll
advpack.dll
wininit.ini
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupapi.dll
setupx.dll
setupx.dll
IXPd.TMP
IXPd.TMP
TMP4351$.TMP
TMP4351$.TMP
FINISHMSG
FINISHMSG
USRQCMD
USRQCMD
ADMQCMD
ADMQCMD
msdownld.tmp
msdownld.tmp
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
t8SShs7
t8SShs7
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
GetWindowsDirectoryA
GetWindowsDirectoryA
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
%s /D:%s
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
Command.com /c %s
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\
~~}}}|||3
~~}}}|||3
smpcvc.exe
smpcvc.exe
MSRC4Plugin.dsm
MSRC4Plugin.dsm
MSRC4Plugin_NoReg.dsm
MSRC4Plugin_NoReg.dsm
settings.ini
settings.ini
SMPCSetup.exe
SMPCSetup.exe
spcplink.exe
spcplink.exe
TIPOFDAY.TXT
TIPOFDAY.TXT
VNCHooks.dll
VNCHooks.dll
smvnview.exe
smvnview.exe
smwinvnc.exe
smwinvnc.exe
mm2.res
mm2.res
MSWINSCK.OCX
MSWINSCK.OCX
%srAK@e
%srAK@e
7)`%F
7)`%F
D$-0}$%%
D$-0}$%%
f1J%C
f1J%C
$.sYt
$.sYt
N.FCdcniF
N.FCdcniF
KG.FuK
KG.FuK
q%uf%%
q%uf%%
..WR2;VS
..WR2;VS
UMÃ…
UMÃ…
%s[(*n
%s[(*n
%d{dA ?}$
%d{dA ?}$
n-I%c
n-I%c
^X>8%f
^X>8%f
%/t.II
%/t.II
m.eJz
m.eJz
{.Xmu!
{.Xmu!
E/.Jh
E/.Jh
S.FoO
S.FoO
h.SGG
h.SGG
nYH?%c
nYH?%c
=%s2`\ mE
=%s2`\ mE
`BL.gxK=
`BL.gxK=
^%UF5
^%UF5
ur.Zt
ur.Zt
g.uD8
g.uD8
Z|~.Cp
Z|~.Cp
85.EI
85.EI
dA.JV&;Gu
dA.JV&;Gu
':%dZ
':%dZ
~4%c$
~4%c$
A%c-t
A%c-t
Vl.CS
Vl.CS
u(>%X
u(>%X
zD.kL
zD.kL
#4D.fe
#4D.fe
.rbM$
.rbM$
%U7 g
%U7 g
LW.ba$.;
LW.ba$.;
.mx0L
.mx0L
'.|.yg
'.|.yg
.alHN#
.alHN#
|6B.Ur
|6B.Ur
Mi.IT
Mi.IT
a%S|W\
a%S|W\
!N.JNP[9Si
!N.JNP[9Si
ZM.DK|
ZM.DK|
K %]%fhu
K %]%fhu
.hs.&
.hs.&
4d#.zD
4d#.zD
s.ly
s.ly
N%dvy
N%dvy
.hY%Xh
.hY%Xh
rBA%FPL
rBA%FPL
%UlVcSt
%UlVcSt
a%s
a%s
&.VIB
&.VIB
.BPp%
.BPp%
%s@{|
%s@{|
.QsPy
.QsPy
c.Pg=w
c.Pg=w
FFO%X
FFO%X
nBvyO%.U
nBvyO%.U
b%fuBU%
b%fuBU%
7%U3e
7%U3e
OIP%C
OIP%C
[.oMA
[.oMA
.Ya$b
.Ya$b
.eb-;
.eb-;
U.jjCb
U.jjCb
.ODjF^
.ODjF^
*F.nR
*F.nR
|.WFA
|.WFA
Y5e%sl&
Y5e%sl&
i.TisS
i.TisS
Û\MA
Û\MA
6.EW{
6.EW{
"SMPCSetup.exe"
"SMPCSetup.exe"
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C: -- Override Install Command defined by author.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.00.2600.0000 (xpclient.010817-1148)
6.00.2600.0000 (xpclient.010817-1148)
WEXTRACT.EXE
WEXTRACT.EXE
Windows
Windows
Operating System
Operating System
6.00.2600.0000
6.00.2600.0000
%original file name%.exe_916_rwx_01001000_00001000:
ku2.iu
ku2.iu
advapi32.dll
advapi32.dll
advpack.dll
advpack.dll
wininit.ini
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupapi.dll
setupx.dll
setupx.dll
IXPd.TMP
IXPd.TMP
TMP4351$.TMP
TMP4351$.TMP
FINISHMSG
FINISHMSG
USRQCMD
USRQCMD
ADMQCMD
ADMQCMD
msdownld.tmp
msdownld.tmp
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
SMPCSetup.exe_644:
.text
.text
`.data
`.data
.rsrc
.rsrc
MSVBVM60.DLL
MSVBVM60.DLL
MSWINSCK.OCX
MSWINSCK.OCX
MSWinsockLib.Winsock
MSWinsockLib.Winsock
ieframe.dll
ieframe.dll
SHDocVwCtl.WebBrowser
SHDocVwCtl.WebBrowser
WebBrowser
WebBrowser
CmdOutput
CmdOutput
frmLoginService
frmLoginService
frmLogin
frmLogin
ModuleWindows
ModuleWindows
ws2_32.dll
ws2_32.dll
URLDownloadToFileA
URLDownloadToFileA
iphlpapi.dll
iphlpapi.dll
urlmon
urlmon
SHFileOperationA
SHFileOperationA
wininet.dll
wininet.dll
HttpQueryInfoA
HttpQueryInfoA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
comdlg32.dll
comdlg32.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
LabelSSHPassword
LabelSSHPassword
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
LabelSSHServer
LabelSSHServer
TextSSHPassword
TextSSHPassword
TextSSHPort
TextSSHPort
TextSSHServer
TextSSHServer
LabelSSHPort
LabelSSHPort
ButtonSSHTest
ButtonSSHTest
TextSSHUserName
TextSSHUserName
WebBrowser1
WebBrowser1
C:\Windows\system32\ieframe.oca
C:\Windows\system32\ieframe.oca
ShowKeyboardInfo
ShowKeyboardInfo
SupportRemoteUsers
SupportRemoteUsers
ShowParallelPortInfo
ShowParallelPortInfo
ShowPortConnectorInfo
ShowPortConnectorInfo
ShowSerialPortConfigurations
ShowSerialPortConfigurations
ReportProblem
ReportProblem
DebugReport
DebugReport
TextRemotePassword
TextRemotePassword
LabelRemotePassword
LabelRemotePassword
FrameSSH
FrameSSH
ShowSerialPortInfo
ShowSerialPortInfo
psapi.dll
psapi.dll
IsLegacyPassword
IsLegacyPassword
WriteExeProperty
WriteExeProperty
ReadExeProperty
ReadExeProperty
VerifySSH
VerifySSH
ForceSSHLogin
ForceSSHLogin
InviteUsersViaWeb
InviteUsersViaWeb
StartServerWithCurrentSSHPort
StartServerWithCurrentSSHPort
SSHHostConnection
SSHHostConnection
SSHHostConnectionKeepAlive
SSHHostConnectionKeepAlive
SetHostKeyAndGetPort
SetHostKeyAndGetPort
SetAutoLogin
SetAutoLogin
VtxtPassword
VtxtPassword
cmdOK
cmdOK
cmdCancel
cmdCancel
cmdOK_Click
cmdOK_Click
TextLoginStatus
TextLoginStatus
kernel32.dll
kernel32.dll
LabelNickName
LabelNickName
cmdSend
cmdSend
cmdDeselect
cmdDeselect
z>-DcC:\Windows\system32\MSWINSCK.oca
z>-DcC:\Windows\system32\MSWINSCK.oca
cmdKick
cmdKick
cmdDisconnect
cmdDisconnect
cmdConnect
cmdConnect
cmdHost
cmdHost
menuPrivateMsg
menuPrivateMsg
SendMsgOnUserClick
SendMsgOnUserClick
RememberSSHSettings
RememberSSHSettings
ClearSSHSettings
ClearSSHSettings
RegCloseKey
RegCloseKey
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
EnumWindows
EnumWindows
EnumChildWindows
EnumChildWindows
cmdNextTip
cmdNextTip
winmm.dll
winmm.dll
C:\Windows\system32\MSVBVM60.DLL\3
C:\Windows\system32\MSVBVM60.DLL\3
.Label4
.Label4
CreateEXEAssociation
CreateEXEAssociation
RegCreateKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegEnumKeyExA
RegEnumKeyA
RegEnumKeyA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegDeleteKeyA
RegDeleteKeyA
KeyExists
KeyExists
CreateKey
CreateKey
DeleteKey
DeleteKey
CreateAdditionalEXEAssociations
CreateAdditionalEXEAssociations
ClassKey
ClassKey
SectionKey
SectionKey
ValueKey
ValueKey
RegCreateKeyA
RegCreateKeyA
RegOpenKeyA
RegOpenKeyA
VBA6.DLL
VBA6.DLL
CreatePipe
CreatePipe
__vbaStopExe
__vbaStopExe
CryptDeriveKey
CryptDeriveKey
CryptDestroyKey
CryptDestroyKey
Free service provided by ShowMyPC.com Press escape to exit this mode.
Free service provided by ShowMyPC.com Press escape to exit this mode.
Password
Password
ShowMyPC Web
ShowMyPC Web
~~}}}|||3
~~}}}|||3
Debug Report
Debug Report
Send Report
Send Report
Login
Login
txtPassword
txtPassword
&Password:
&Password:
Meeting Password:
Meeting Password:
Get password from presenter
Get password from presenter
Password:
Password:
00:00:00
00:00:00
Update Nick Name
Update Nick Name
Join
Join
Nick Name
Nick Name
SSH Encrypted
SSH Encrypted
div.tableContainer {
div.tableContainer {
html>body div.tableContainer {
html>body div.tableContainer {
div.tableContainer table {
div.tableContainer table {
html>body div.tableContainer table {
html>body div.tableContainer table {
thead.fixedHeader tr {
thead.fixedHeader tr {
/* this enables overflow to work on TBODY element. All other non-IE, non-Mozilla browsers */
/* this enables overflow to work on TBODY element. All other non-IE, non-Mozilla browsers */
html>body thead.fixedHeader tr {
html>body thead.fixedHeader tr {
thead.fixedHeader th {
thead.fixedHeader th {
thead.fixedHeader a, thead.fixedHeader a:link, thead.fixedHeader a:visited {
thead.fixedHeader a, thead.fixedHeader a:link, thead.fixedHeader a:visited {
thead.fixedHeader a:hover {
thead.fixedHeader a:hover {
html>body tbody.scrollContent {
html>body tbody.scrollContent {
/* hXXp://VVV.alistapart.com/articles/zebratables/ */
/* hXXp://VVV.alistapart.com/articles/zebratables/ */
tbody.scrollContent td, tbody.scrollContent tr.normalRow td {
tbody.scrollContent td, tbody.scrollContent tr.normalRow td {
tbody.scrollContent tr.alternateRow td {
tbody.scrollContent tr.alternateRow td {
/* hXXp://VVV.w3.org/TR/REC-CSS2/selector.html#adjacent-selectors */
/* hXXp://VVV.w3.org/TR/REC-CSS2/selector.html#adjacent-selectors */
html>body thead.fixedHeader th {
html>body thead.fixedHeader th {
html>body thead.fixedHeader th th {
html>body thead.fixedHeader th th {
html>body thead.fixedHeader th th th {
html>body thead.fixedHeader th th th {
html>body tbody.scrollContent td {
html>body tbody.scrollContent td {
html>body tbody.scrollContent td td {
html>body tbody.scrollContent td td {
html>body tbody.scrollContent td td td {
html>body tbody.scrollContent td td td {
Build with my SSH Server
Build with my SSH Server
Test my SSH Server
Test my SSH Server
SSH Server:
SSH Server:
Port:
Port:
, #&')*)
, #&')*)
-0-(0%()(
-0-(0%()(
Password for remote users
Password for remote users
Schedule using Web
Schedule using Web
Support Remote Users
Support Remote Users
File Transfer (Web based)...
File Transfer (Web based)...
Keyboard Info
Keyboard Info
Parallel Port Info
Parallel Port Info
Port Connector
Port Connector
Serial Port Configurations
Serial Port Configurations
Serial Port
Serial Port
Report a Problem...
Report a Problem...
HOME_URL
HOME_URL
mtpass
mtpass
supportID
supportID
hostkey
hostkey
LoginSucceeded
LoginSucceeded
AutoLogin
AutoLogin
meetingTypeSupport
meetingTypeSupport
sendPrivateMsg
sendPrivateMsg
sKey
sKey
sKeyNames
sKeyNames
iKeyCount
iKeyCount
sExePath
sExePath
bSupportPrint
bSupportPrint
bSupportNew
bSupportNew
bSupportInstall
bSupportInstall
eKey
eKey
sSectionKey
sSectionKey
sValueKey
sValueKey
FTPS
FTPS
g*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
g*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
smvi.exe
smvi.exe
Aw.ex
Aw.ex
Ainvnc.exe
Ainvnc.exe
AO~4.CSSsortstyletable.css
AO~4.CSSsortstyletable.css
AEspcplink-old.ex
AEspcplink-old.ex
SOQ5JA~D.BATspc
SOQ5JA~D.BATspc
srvPane.batPFx
srvPane.batPFx
temp.htmlQTM3p
temp.htmlQTM3p
temp.spc
temp.spc
AOFDAY.TXT
AOFDAY.TXT
users.jpg
users.jpg
TIPOFDAY.TXT
TIPOFDAY.TXT
smwinvnc.exe
smwinvnc.exe
smvnview.exe
smvnview.exe
winvnc4.exe
winvnc4.exe
vncultra.exe
vncultra.exe
mmi.res
mmi.res
hXXps://secure.showmypc.com/schedule/remotedb.php
hXXps://secure.showmypc.com/schedule/remotedb.php
hXXp://service1.showmypc.com/connectnow.php
hXXp://service1.showmypc.com/connectnow.php
hXXp://showmypc.com/ShowMyPCHelp.php?version=
hXXp://showmypc.com/ShowMyPCHelp.php?version=
hXXp://showmypc.com/app/appheader.html?version=
hXXp://showmypc.com/app/appheader.html?version=
no-pop-msg
no-pop-msg
hXXps://assured.showmypc.com/app/appheaderpr.html
hXXps://assured.showmypc.com/app/appheaderpr.html
hXXps://assured.showmypc.com/live/invite-users/index.php
hXXps://assured.showmypc.com/live/invite-users/index.php
hXXps://assured.showmypc.com/mac/meetnow.html
hXXps://assured.showmypc.com/mac/meetnow.html
up-msg
up-msg
pop-msg
pop-msg
f#p.x.gi52
f#p.x.gi52
WindowState
WindowState
\servicelog.txt
\servicelog.txt
smpcchat.ini
smpcchat.ini
[Joined]
[Joined]
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip
hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip
c:\vbm_demo.zip
c:\vbm_demo.zip
hXXp://showmypc.com/ShowMyPCHelp.php?version=2963
hXXp://showmypc.com/ShowMyPCHelp.php?version=2963
Please visit hXXp://showmypc.com for help or update information.
Please visit hXXp://showmypc.com for help or update information.
supportView
supportView
Share Password
Share Password
showmypc.com
showmypc.com
Do you wish to update exe with new ID.
Do you wish to update exe with new ID.
explorer.exe
explorer.exe
Cannot connect, Check SSH settings file.
Cannot connect, Check SSH settings file.
hXXp://localhost:
hXXp://localhost:
/ok.html
/ok.html
Testing SSH Connection...
Testing SSH Connection...
SSH Connection OK.
SSH Connection OK.
SSH Connection Error.
SSH Connection Error.
\res.txt
\res.txt
SSH Test Failed
SSH Test Failed
_MSG_DISCON
_MSG_DISCON
_MSG_WARNING
_MSG_WARNING
spcplink.exe -v -ssh -2 -P
spcplink.exe -v -ssh -2 -P
Test Complete. If Command Window is open, the SSH test passed, failed if it is closed.
Test Complete. If Command Window is open, the SSH test passed, failed if it is closed.
SSHServer
SSHServer
_MSG_GN_ERR
_MSG_GN_ERR
Check UI or settings.ini file, SSHServer is missing
Check UI or settings.ini file, SSHServer is missing
Check UI or settings.ini file, SSHUserName is missing
Check UI or settings.ini file, SSHUserName is missing
Check UI or settings.ini file, SSHPassword is missing
Check UI or settings.ini file, SSHPassword is missing
Check UI or settings.ini file, SSHPort is missing, using default 22
Check UI or settings.ini file, SSHPort is missing, using default 22
Do you want to build ShowMyPC client to work with your own SSH server. (
Do you want to build ShowMyPC client to work with your own SSH server. (
\settings.ini
\settings.ini
SSHUserName
SSHUserName
SSHPassword
SSHPassword
SSHPort
SSHPort
iexpress.exe /N ./SMPCust.SED
iexpress.exe /N ./SMPCust.SED
ShowMyPCustom.exe
ShowMyPCustom.exe
\ShowMyPCustom.exe
\ShowMyPCustom.exe
smpc.com443
smpc.com443
hXXps://secure.showmypc.com/transfer/index.php?cl=app&ver=
hXXps://secure.showmypc.com/transfer/index.php?cl=app&ver=
hXXp://showmypc.com/app/appheader.html?version=2963
hXXp://showmypc.com/app/appheader.html?version=2963
\Explorer.exe
\Explorer.exe
_MSG_LOGIN_FRM
_MSG_LOGIN_FRM
_MSG_LBL_HOST
_MSG_LBL_HOST
_MSG_LBL_PASS
_MSG_LBL_PASS
_MSG_LBL_EMAIL
_MSG_LBL_EMAIL
_MSG_LBL_TOP
_MSG_LBL_TOP
_MSG_LBL_CK_SRV
_MSG_LBL_CK_SRV
_MSG_LBL_OK
_MSG_LBL_OK
_MSG_LBL_CANCEL
_MSG_LBL_CANCEL
_MSG_FRM_SCH_MT
_MSG_FRM_SCH_MT
_MSG_LBL_HOST_EMAIL
_MSG_LBL_HOST_EMAIL
_MSG_LBL_MT_PASS
_MSG_LBL_MT_PASS
_MSG_LBL_MT_INFO
_MSG_LBL_MT_INFO
_MSG_SHARE_APP
_MSG_SHARE_APP
_MSG_REFRESH
_MSG_REFRESH
_MSG_CLOSE
_MSG_CLOSE
ShowMyPC.com
ShowMyPC.com
LoginFrmCaption
LoginFrmCaption
LoginPasLabel
LoginPasLabel
LoginTopCaption
LoginTopCaption
HomeURL
HomeURL
SSH Protocol Version 2, AES 256
SSH Protocol Version 2, AES 256
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3
hXXp://showmypc.com/ShowMyPCFeedBack.html?cl=app&ver=
hXXp://showmypc.com/ShowMyPCFeedBack.html?cl=app&ver=
&mtpass=
&mtpass=
WScript.Shell
WScript.Shell
outlook.exe
outlook.exe
Outlook.Application
Outlook.Application
Password:
Password:
Or visit hXXp://
Or visit hXXp://
.showmypc.com
.showmypc.com
Password:
Password:
Trying to restart SSH Connection
Trying to restart SSH Connection
Restarting SSH
Restarting SSH
\spcplink.exe -C -v -ssh -2 -P
\spcplink.exe -C -v -ssh -2 -P
Starting SSH Connection...
Starting SSH Connection...
Starting with current port
Starting with current port
_MSG_UN_ERR
_MSG_UN_ERR
Starting with current port
Starting with current port
Test with current port
Test with current port
_MSG_ST_SVR
_MSG_ST_SVR
_MSG_GENER
_MSG_GENER
_MSG_SHR_ST
_MSG_SHR_ST
spcplink.exe -C -v -ssh -2 -P
spcplink.exe -C -v -ssh -2 -P
:assured.showmypc.com:80
:assured.showmypc.com:80
:ns2.showmypc.com:80
:ns2.showmypc.com:80
hostKey=
hostKey=
_MSG_ST_SSH
_MSG_ST_SSH
_MSG_SSHRST
_MSG_SSHRST
AutoPortSelect
AutoPortSelect
PortNumber
PortNumber
Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"Password"=hex:
"Password"=hex:
"HTTPConnect"=dword:00000000
"HTTPConnect"=dword:00000000
"AutoPortSelect"=dword:00000000
"AutoPortSelect"=dword:00000000
"PortNumber"=dword:00001af4
"PortNumber"=dword:00001af4
"HTTPPortNumber"=dword:00001a90
"HTTPPortNumber"=dword:00001a90
HTTPConnect
HTTPConnect
HTTPPortNumber
HTTPPortNumber
_MSG_CONN
_MSG_CONN
_MSG_WR_PASS
_MSG_WR_PASS
View Test SSH:
View Test SSH:
_MSG_ST_VIEW
_MSG_ST_VIEW
_MSG_SSH_ERR
_MSG_SSH_ERR
/password
/password
host=127.0.0.1
host=127.0.0.1
Port =
Port =
password =
password =
_MSG_VIEW_ST
_MSG_VIEW_ST
Warning, check password or make sure you have latest application from hXXp://showmypc.com
Warning, check password or make sure you have latest application from hXXp://showmypc.com
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
Windows 98
Windows 98
Windows 95
Windows 95
HTTP/1.1
HTTP/1.1
mypassword
mypassword
hXXp://
hXXp://
HTTP/1.0
HTTP/1.0
VVV.example
VVV.example
/index.asp
/index.asp
Windows Millennium
Windows Millennium
Windows NT 3.51
Windows NT 3.51
Windows NT 4.0
Windows NT 4.0
Windows 2000
Windows 2000
Windows XP
Windows XP
Microsoft.XMLHTTP
Microsoft.XMLHTTP
application/x-www-form-urlencoded
application/x-www-form-urlencoded
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\combo.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\combo.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\ShowMyPCPremium.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\ShowMyPCPremium.exe
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\setall.bmp
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\setall.bmp
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\extracted\
N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\extracted\
RegKey
RegKey
/chat/index.php?myroom=
/chat/index.php?myroom=
hXXp://showmypc.com/users/
hXXp://showmypc.com/users/
hXXps://assured.showmypc.com/portxxxxxmlxxx-351.php?ver=
hXXps://assured.showmypc.com/portxxxxxmlxxx-351.php?ver=
Getting PortX 1
Getting PortX 1
hXXps://assured.showmypc.com
hXXps://assured.showmypc.com
hXXp://ns2.showmypc.com
hXXp://ns2.showmypc.com
Getting PortX 2
Getting PortX 2
hXXp://ns1.showmypc.com
hXXp://ns1.showmypc.com
Getting PortX 3
Getting PortX 3
UEMURL
UEMURL
InternetExplorer.Application
InternetExplorer.Application
hXXp://showmypc.com/emailHandler.php?seq=
hXXp://showmypc.com/emailHandler.php?seq=
?task=get&actionToPut=connect&keyToPut=
?task=get&actionToPut=connect&keyToPut=
https
https
?task=put&actionToPut=connect&keyToPut=
?task=put&actionToPut=connect&keyToPut=
?task=del&actionToPut=connect&keyToPut=
?task=del&actionToPut=connect&keyToPut=
\smpcvc.exe
\smpcvc.exe
\mm2.res
\mm2.res
\temp.html
\temp.html
Keyboard - Win32_Keyboard
Keyboard - Win32_Keyboard
Select * from Win32_Keyboard
Select * from Win32_Keyboard
Number of Function Keys
Number of Function Keys
NumberOfFunctionKeys
NumberOfFunctionKeys
Parallel ports - Win32_ParallelPort
Parallel ports - Win32_ParallelPort
Select * from Win32_ParallelPort
Select * from Win32_ParallelPort
Protocol Supported
Protocol Supported
ProtocolSupported
ProtocolSupported
Port connector - Win32_PortConnector
Port connector - Win32_PortConnector
Select * from Win32_PortConnector
Select * from Win32_PortConnector
Port Type
Port Type
PortType
PortType
Serial port configuration - Win32_SerialPortConfiguration
Serial port configuration - Win32_SerialPortConfiguration
Select * from Win32_SerialPortConfiguration
Select * from Win32_SerialPortConfiguration
Serial ports - Win32_SerialPort
Serial ports - Win32_SerialPort
Select * from Win32_SerialPort
Select * from Win32_SerialPort
Supports 16-Bit Mode
Supports 16-Bit Mode
Supports16BitMode
Supports16BitMode
Supports DTRDSR
Supports DTRDSR
SupportsDTRDSR
SupportsDTRDSR
Supports Elapsed Timeouts
Supports Elapsed Timeouts
SupportsElapsedTimeouts
SupportsElapsedTimeouts
Supports Int Timeouts
Supports Int Timeouts
SupportsIntTimeouts
SupportsIntTimeouts
SupportsXOnXOffSet
SupportsXOnXOffSet
Supports Parity Check
Supports Parity Check
SupportsParityCheck
SupportsParityCheck
Supports RLSD
Supports RLSD
SupportsRLSD
SupportsRLSD
Supports RTSCTS
Supports RTSCTS
SupportsRTSCTS
SupportsRTSCTS
Supports Special Characters
Supports Special Characters
SupportsSpecialCharacters
SupportsSpecialCharacters
Supports XOn XOff
Supports XOn XOff
SupportsXOnXOff
SupportsXOnXOff
Supports XOn XOff Setting
Supports XOn XOff Setting
Supports Hot Plug
Supports Hot Plug
SupportsHotPlug
SupportsHotPlug
VccMixedVoltageSupport
VccMixedVoltageSupport
VCC Mixed Voltage Support
VCC Mixed Voltage Support
VppMixedVoltageSupport
VppMixedVoltageSupport
VPP Mixed Voltage Support
VPP Mixed Voltage Support
Maximum Memory Supported
Maximum Memory Supported
MaxMemorySupported
MaxMemorySupported
Monochrome
Monochrome
Power Management Supported
Power Management Supported
PowerManagementSupported
PowerManagementSupported
SupportedSRAM
SupportedSRAM
Supported SRAM
Supported SRAM
Maximum Baud Rate To SerialPort
Maximum Baud Rate To SerialPort
MaxBaudRateToSerialPort
MaxBaudRateToSerialPort
Port SubClass
Port SubClass
PortSubClass
PortSubClass
Windows Directory
Windows Directory
Responses Key Name
Responses Key Name
ResponsesKeyName
ResponsesKeyName
Select * from Win32_OperatingSystem
Select * from Win32_OperatingSystem
Operating systems
Operating systems
WindowsDirectory
WindowsDirectory
Operating systems
Operating systems
Windows Directory
Windows Directory
.cRegistry
.cRegistry
Failed to create registry Key: '
Failed to create registry Key: '
Failed to delete registry Key: '
Failed to delete registry Key: '
Failed to open key '
Failed to open key '
',Key: '
',Key: '
Failed to set registry value Key: '
Failed to set registry value Key: '
Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
Failed to delete requested subkey!
Failed to delete requested subkey!
Registry Key Delete
Registry Key Delete
Failed to delete requested main key!
Failed to delete requested main key!
ShowMyPC.com Remote Service
ShowMyPC.com Remote Service
-register PortNumber=7900 Password=
-register PortNumber=7900 Password=
Error occured during operation.
Error occured during operation.
Password must be atleast 8 characters. No Spaces.
Password must be atleast 8 characters. No Spaces.
Password :
Password :
\mmit.res
\mmit.res
Password : *********
Password : *********
WMEncEng.WMEncoder
WMEncEng.WMEncoder
Server not available. Check version or Contact support@showmypc.com
Server not available. Check version or Contact support@showmypc.com
Password cannot be blank.
Password cannot be blank.
Meeting Password cannot less than 6 characters.
Meeting Password cannot less than 6 characters.
Meeting may not have started, please wait, check password or network connection.
Meeting may not have started, please wait, check password or network connection.
_MSG_YOUR_EMAIL
_MSG_YOUR_EMAIL
Video files (*.wmv)|*.wmv|All files (*.*)|*.*
Video files (*.wmv)|*.wmv|All files (*.*)|*.*
Windows Media Encoder might not be installed.
Windows Media Encoder might not be installed.
WMENC_HELP_URL
WMENC_HELP_URL
hXXp://showmypc.com/service/wmencoder.html
hXXp://showmypc.com/service/wmencoder.html
Invalid Password, try again!
Invalid Password, try again!
sshremem
sshremem
sshusr
sshusr
sshaut
sshaut
joined.
joined.
One or more connections are currently open. Disconnect before attempting to change the port settings.
One or more connections are currently open. Disconnect before attempting to change the port settings.
From any other computer, use the viewer provide to you by ShowMyPC.com
From any other computer, use the viewer provide to you by ShowMyPC.com
Goto hXXp://showmypc.com/service to access this computer remotely.
Goto hXXp://showmypc.com/service to access this computer remotely.
c:\zest.res
c:\zest.res
Error closing key.
Error closing key.
hXXp://showmypc.com/live/mailer.php
hXXp://showmypc.com/live/mailer.php
&de=1&sb=Debug Report
&de=1&sb=Debug Report
Could not send report, please email it to support@showmypc.com
Could not send report, please email it to support@showmypc.com
hXXp:///
hXXp:///
@*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
@*\A\\ghar\home\home\vagish\ShowMyPC\current\FinalSMPCssh.vbp
ShowMyPC.com Comments
ShowMyPC.com Comments
6.01.0358
6.01.0358
SMPCSetup.exe
SMPCSetup.exe
taskhost.exe_2528:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
msvcrt.dll
msvcrt.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
USER32.dll
USER32.dll
RPCRT4.dll
RPCRT4.dll
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
The likely culprit task is stuck on the same stack with %S.
The likely culprit task is stuck on the same stack with %S.
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
taskhost.pdb
taskhost.pdb
_wcmdln
_wcmdln
_amsg_exit
_amsg_exit
InitOnceExecuteOnce
InitOnceExecuteOnce
SetProcessShutdownParameters
SetProcessShutdownParameters
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
ntdll.dll
ntdll.dll
GetProcessHeap
GetProcessHeap
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
bStartComTask() --> h=0x%x ret=%d
bStartComTask() --> h=0x%x ret=%d
StopComTask(0x%x) --> ret=%d
StopComTask(0x%x) --> ret=%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
ComTaskMgrWnd(0x%x)::Shutdown(%ws)
ComTaskMgrWnd(0x%x)::Shutdown(%ws)
gCleanupSet()::Remove(0x%x)
gCleanupSet()::Remove(0x%x)
ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
StartTaskThread(0x%x) bailed out because of shutdown
StartTaskThread(0x%x) bailed out because of shutdown
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: EnumThreadWindows failed err=%d.
WinAppTerminator: EnumThreadWindows failed err=%d.
Host Process for Windows Tasks
Host Process for Windows Tasks
6.1.7601.17514 (win7sp1_rtm.101119-1850)
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskhost.exe
taskhost.exe
Windows
Windows
Operating System
Operating System
6.1.7601.17514
6.1.7601.17514