TrojanDropper.Win32.Vtimrun_05c61b4def – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):No processes have been created.The Trojan-Dropper injects its code into the following process(es):

%original file name%.exe:172
SMPCSetup.exe:1076

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:172 makes changes in the file system.

The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\VNCHooks.dll (1836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smpcvndat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\mm2.res (3516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smvnview.exe (9923 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\settings.ini (2538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\spcplink.exe (6390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_vbtnstr_JPN (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ijl11.dll (3194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_sbtnstr_JPN (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe (58525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smwg.exe (7324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smwinvnc.exe (13128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSWINSCK.OCX (2650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_obtnstr_JPN (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (600 bytes)

The process SMPCSetup.exe:1076 makes changes in the file system.

The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo-showmypc-210-50[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.base[1].css (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.progressbar[1].css (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\s[1] (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\en[1].png (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f[1].txt (8972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.tabs[1].js (6868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[3].txt (6433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\s[1].htm (143 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[1].txt (3677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.3.2[1].js (61513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ui.datepicker[1].css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[1].txt (15005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAUUOD6T.htm (3400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\zrt_lookup[1].html (2822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\appheader[1].htm (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.dialog[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\x_button_blue2[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.all[1].css (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH0KBL9 (12863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_4uxRUNeSH9c_Oxod8Ksh0O7XY50emxWlN7xg2zLfxk[1].js (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.accordion[1].css (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[3].txt (10854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\about-us[1].htm (879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mobile_unified_button_icon_white[1].png (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (8460 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[2].txt (4030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.tabs[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\googlelogo_color_112x36dp[1].png (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ui.theme[1].css (5665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[2].txt (7979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.core[1].js (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zrt_lookup[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f[2].txt (9387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.slider[1].css (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ga[1].js (1892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (1406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.core[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.resizable[1].css (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (11580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].png (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[2].txt (460 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\s[1] (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[1].txt (0 bytes)

Registry activity

The process %original file name%.exe:172 makes changes in the system registry.

The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 CD CE 9D 97 40 8F 4C 0F 87 1F 74 91 EA BE EA"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process SMPCSetup.exe:1076 makes changes in the system registry.

The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052120160522]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052120160522]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052120160522]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016052120160522\"
"CachePrefix" = ":2016052120160522:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052120160522]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 14 89 A1 8C AF 94 2D 96 72 BE 37 A7 4B CF 55"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\VB and VBA Program Settings\SmpcApp\Common]
"astart" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Dropper deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
41ae075a833527788ddd1e0e2e18e611	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MSRC4Plugin.dsm
64f63dc9be64060c6610db7e5c2fffb5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm
9484c04258830aa3c2f2a70eb041414c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MSWINSCK.OCX
ef785cc629542a683097301f075b8f1b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe
2e5356f7c8938730dd5a639893d325f1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\VNCHooks.dll
a0ce0247d48fecaac607edb1e2d87fd8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\ijl11.dll
0ceb92bc938674df03d1ad51f8ece6e1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\smpcvc.exe
52541baa5793f240603b6afa1b908ae5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\smvnview.exe
491e99207bba55d1bbb03346b0ae3a4e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\smwg.exe
87e700bd9fc23ed4286ac473e3979785	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\smwinvnc.exe
63c46d69f98b1bbf21a782e75308d9a6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\spcplink.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan-Dropper file.
Delete or disinfect the following files created/modified by the Trojan-Dropper:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\VNCHooks.dll (1836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smpcvndat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TIPOFDAY.TXT (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\mm2.res (3516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smvnview.exe (9923 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smpcvc.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\settings.ini (2538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\spcplink.exe (6390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_vbtnstr_JPN (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ijl11.dll (3194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_sbtnstr_JPN (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SMPCSetup.exe (58525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSRC4Plugin.dsm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smwg.exe (7324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\smwinvnc.exe (13128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSWINSCK.OCX (2650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\i_obtnstr_JPN (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MSRC4Plugin_NoReg.dsm (600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo-showmypc-210-50[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.base[1].css (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.progressbar[1].css (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\s[1] (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\en[1].png (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f[1].txt (8972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.tabs[1].js (6868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[3].txt (6433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\s[1].htm (143 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[1].txt (3677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.3.2[1].js (61513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ui.datepicker[1].css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[1].txt (15005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAUUOD6T.htm (3400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\zrt_lookup[1].html (2822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\appheader[1].htm (831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.dialog[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\x_button_blue2[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.all[1].css (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH0KBL9 (12863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_4uxRUNeSH9c_Oxod8Ksh0O7XY50emxWlN7xg2zLfxk[1].js (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.accordion[1].css (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[3].txt (10854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\about-us[1].htm (879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mobile_unified_button_icon_white[1].png (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (8460 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@download3.showmypc[2].txt (4030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.tabs[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\googlelogo_color_112x36dp[1].png (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ui.theme[1].css (5665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\f[2].txt (7979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.core[1].js (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zrt_lookup[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f[2].txt (9387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui.slider[1].css (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ga[1].js (1892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (1406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ui.core[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui.resizable[1].css (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (11580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].png (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[2].txt (460 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 6.00.2900.2180Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	39212	39424	4.55052	17a6fbe18a834b6f3462304415675d36
.data	45056	7140	1024	2.94449	99858e86526942a66950c7139f78a725
.rsrc	53248	1658880	1656832	5.51294	8bba93f6daaaaf67a08365c6abd61afb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://download3.showmypc.com/app/appheader.html?version=3055&lang=ENG	64.22.103.52
hxxp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM	64.22.103.52
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://s3-1.amazonaws.com/images/logo-showmypc-210-50.gif
hxxp://s3-1.amazonaws.com/js/themes/base/ui.all.css
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=565884732&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=544x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=1995597227&utmr=-&utmp=/app/appheader.html?version=3055&lang=ENG&utmht=1463805253604&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmjid=1660193878&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~
hxxp://s3-1.amazonaws.com/js/jquery-1.3.2.js
hxxp://s3-1.amazonaws.com/js/themes/base/ui.base.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.theme.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.core.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.accordion.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.resizable.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.dialog.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.slider.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.tabs.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.datepicker.css
hxxp://s3-1.amazonaws.com/js/themes/base/ui.progressbar.css
hxxp://s3-1.amazonaws.com/js/ui/ui.core.js
hxxp://s3-1.amazonaws.com/js/ui/ui.tabs.js
hxxp://pagead46.l.doubleclick.net/pagead/show_ads.js
hxxp://pagead46.l.doubleclick.net/pagead/js/r20160517/r20151006/show_ads_impl.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.6.7&utms=2&utmn=93188622&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=488x298&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=929702296&utmr=-&utmp=/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11%2520AM&utmht=1463805259104&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmjid=&utmu=DAAAAAAAAAAAAAAAAAAAAABE~
hxxp://s3.showmypc.com/js/themes/base/ui.progressbar.css	54.231.98.123
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=565884732&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=544x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=1995597227&utmr=-&utmp=/app/appheader.html?version=3055&lang=ENG&utmht=1463805253604&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmjid=1660193878&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~	173.194.113.193
hxxp://s3.showmypc.com/js/themes/base/ui.all.css	54.231.98.123
hxxp://pagead2.googlesyndication.com/pagead/show_ads.js	173.194.113.218
hxxp://s3.showmypc.com/js/themes/base/ui.slider.css	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.theme.css	54.231.98.123
hxxp://pagead2.googlesyndication.com/pagead/js/r20160517/r20151006/show_ads_impl.js	173.194.113.218
hxxp://s3.showmypc.com/js/themes/base/ui.accordion.css	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.datepicker.css	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.base.css	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.core.css	54.231.98.123
hxxp://s3.showmypc.com/js/ui/ui.core.js	54.231.98.123
hxxp://s3.showmypc.com/js/jquery-1.3.2.js	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.resizable.css	54.231.98.123
hxxp://www.google-analytics.com/ga.js	173.194.113.193
hxxp://s3.showmypc.com/images/logo-showmypc-210-50.gif	54.231.98.123
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.6.7&utms=2&utmn=93188622&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=488x298&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=929702296&utmr=-&utmp=/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11%2520AM&utmht=1463805259104&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmjid=&utmu=DAAAAAAAAAAAAAAAAAAAAABE~	173.194.113.193
hxxp://s3.showmypc.com/js/themes/base/ui.tabs.css	54.231.98.123
hxxp://s3.showmypc.com/js/themes/base/ui.dialog.css	54.231.98.123
hxxp://s3.showmypc.com/js/ui/ui.tabs.js	54.231.98.123
googleads.g.doubleclick.net	173.194.113.217
www.google.com	173.194.113.209
encrypted-tbn1.gstatic.com	216.58.209.206
www.gstatic.com	173.194.113.215
tpc.googlesyndication.com	216.58.214.193

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /images/logo-showmypc-210-50.gif HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/appheader.html?version=3055&lang=ENG

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 2fsTgDwuoaho1oyiYco4UCQpQThf6jKEWs6Ap6yqXvYj7M2YZ z5ktKM4ckLSTDESzuEgMuU KQ=

x-amz-request-id: 1A00062E3340D419

Date: Sat, 21 May 2016 04:34:07 GMT

x-amz-meta-s3fox-filesize: 3934

x-amz-meta-s3fox-modifiedtime: 1326484442667

Last-Modified: Fri, 13 Jan 2012 20:36:03 GMT

ETag: "f11f9152cbccafb7623088ef6a2dd0e3"

Accept-Ranges: bytes

Content-Type: image/gif

Content-Length: 3934

Server: AmazonS3

GIF89a..2.w..!.......,......2...r.......w.C..z.............h%...........D.-.3\.e.87.:..{.................w...Iv..J...l.v6...]. ..:....u!......g.Gm.n......4.Tk.3.....k.m....y.6..x...[.B..h.uH....b2..[......V.8U....XXz5..d`.$~.c.X..T3..r...s.>....{T.{*..i.......m2S....c...&{7.Z*Dj....N.g.R".k0...q...L).M.....W'....u5.jG>d....G.98`......W.]2....S*...In".x%.......@*....|-...@f........_$.H4....D.......d.5Y......s/w.Z......\....UX....g.zg......:a...rn.E....q ......Z..O.>...-W.....]&=b.....W5..........N4...Ru.Nq*........E..........P.......X. .h1_.#..I......M..W..L..>c.....b>......Bm....d.gb.%a.$...h./d.(X...o1<c.......a.%...`.?.{.~.M....w .|6o.8@.4]....s....r?.a7...K~5.]C...m.Op.R..a..vc.&.~.....pQ.g)..a.............j<e.[...w.PP.....O}.Z. ..Y.T&......?e...w...6^....>j...............`b.&..,.o7......Q..H......*\......#J.H.....3j...... C..I....(S.\.....0c..I..../........@...)....H..$.....Po",F....X.j......`...K.l..S..].....p..=.....x...k........@X...0.c(....}.. .K..e.|.^....g.YBgA.&J.:..$X.......\.M.6....>...7'!...6}..j?~:.h.c.>..X.=.j...I...N..@..x...B...#>f.......8.,8qu...w....c.....X.w.a..o.daH.O.W....bW..l..*.. ..x..BV...[...5M&.X...m. .*0..!.4..aV."..[.p3N)5. ....e....RD.L.ucVg...!e..J).."F3\6....h.V.3Ru...(9O.l..$VF....`..F.)@.....).95.2.......*..GU$....U.P.Ã«u.-$(....M3MVO,..Z]T@.<..`*Wi(!...$.y..XE..'.x5K......^....CTB'U.,".Vi....N0._..... ....V...L......TI0..I(..U.(.n...q..N.B.U........G.. .J.U....H.....,....]u....s...... ....3..2..Vu..*..7@ V.z..B.&D..t5K.LD.l.&lAN1OHC.U .3j

<<< skipped >>>

GET /js/themes/base/ui.base.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 4MwcW/e2ZF2dHcuKeiP tW6fJmqwn9 tW1iXN2r/WWzKdL4meSpWVlC3pir0cVPCRR3LcwokPrc=

x-amz-request-id: 23C6C850D269637D

Date: Sat, 21 May 2016 04:34:07 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:16 GMT

ETag: "b68871675bce768f26116a0c32b3e26e"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 257

Server: AmazonS3

@import url("ui.core.css");..@import url("ui.resizable.css");..@import url("ui.accordion.css");..@import url("ui.dialog.css");..@import url("ui.slider.css");..@import url("ui.tabs.css");..@import url("ui.datepicker.css");..@import url("ui.progressbar.css");....

GET /js/themes/base/ui.theme.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: e3U5J FtcusQbBQzxa/dGc4GvLwd k9yfrmWlDpbxOyW7AJqHWhgggIZR8jgE/hHBAyIeHgsmDc=

x-amz-request-id: CB9BD1F6CA57AA6D

Date: Sat, 21 May 2016 04:34:07 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:18 GMT

ETag: "22179f609ede2c15e6610ee0713ece41"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 17981

Server: AmazonS3

/*..* jQuery UI CSS Framework..* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)..* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses...* To view and modify this theme, visit hXXp://jqueryui.com/themeroller/..*/..../* Component containers..----------------------------------*/...ui-widget { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em/*{fsDefault}*/; }...ui-widget input, .ui-widget select, .ui-widget textarea, .ui-widget button { font-family: Verdana,Arial,sans-serif/*{ffDefault}*/; font-size: 1em; }...ui-widget-content { border: 1px solid #aaaaaa/*{borderColorContent}*/; background: #ffffff/*{bgColorContent}*/ url(images/ui-bg_glass_75_ffffff_1x400.png)/*{bgImgUrlContent}*/ 0/*{bgContentXPos}*/ 0/*{bgContentYPos}*/ repeat-x/*{bgContentRepeat}*/; color: #222222/*{fcContent}*/; }...ui-widget-content a { color: #222222/*{fcContent}*/; }...ui-widget-header { border: 1px solid #aaaaaa/*{borderColorHeader}*/; background: #cccccc/*{bgColorHeader}*/ url(images/ui-bg_highlight-soft_75_cccccc_1x100.png)/*{bgImgUrlHeader}*/ 0/*{bgHeaderXPos}*/ 50%/*{bgHeaderYPos}*/ repeat-x/*{bgHeaderRepeat}*/; color: #222222/*{fcHeader}*/; font-weight: bold; }...ui-widget-header a { color: #222222/*{fcHeader}*/; }../* Interaction states..----------------------------------*/...ui-state-default, .ui-widget-content .ui-state-default { border: 1px solid #d3d3d3/*{borderColorDefault}*/; background: #e6e6e6/*{bgColorDefault}*/ url(images/ui-bg_glass_75_e6e6e6_1x400.png)/*{bgImgU

<<< skipped >>>

GET /js/themes/base/ui.core.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: puUaLIOutCK MigoPnUx2J1AGivhXWKaPa/ dMeKMWaLIuTP3tEwS8FMwY7sAhXHS9D1Pc4Ws30=

x-amz-request-id: 04381DB42FBE6868

Date: Sat, 21 May 2016 04:34:08 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:16 GMT

ETag: "1f8b9323acc054d6e22907871e14a815"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 1387

Server: AmazonS3

/*..* jQuery UI CSS Framework..* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)..* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses...*/../* Layout helpers..----------------------------------*/...ui-helper-hidden { display: none; }...ui-helper-hidden-accessible { position: absolute; left: -99999999px; }...ui-helper-reset { margin: 0; padding: 0; border: 0; outline: 0; line-height: 1.3; text-decoration: none; font-size: 100%; list-style: none; }...ui-helper-clearfix:after { content: "."; display: block; height: 0; clear: both; visibility: hidden; }...ui-helper-clearfix { display: inline-block; }../* required comment for clearfix to work in Opera \*/..* html .ui-helper-clearfix { height:1%; }...ui-helper-clearfix { display:block; }../* end clearfix */...ui-helper-zfix { width: 100%; height: 100%; top: 0; left: 0; position: absolute; opacity: 0; filter:Alpha(Opacity=0); }..../* Interaction Cues..----------------------------------*/...ui-state-disabled { cursor: default !important; }..../* Icons..----------------------------------*/../* states and images */...ui-icon { display: block; text-indent: -99999px; overflow: hidden; background-repeat: no-repeat; }..../* Misc visuals..----------------------------------*/../* Overlays */...ui-widget-overlay { position: absolute; top: 0; left: 0; width: 100%; height: 100%; }....

<<< skipped >>>

GET /js/themes/base/ui.resizable.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: oIuiQVxAdnEb p6Xw T4yInvx6gJTTqiN6dqUhdF5jgL6IoWcRh8H3bzlAmqdA/flWZ4xg5rk2g=

x-amz-request-id: E8F94F48323BECD1

Date: Sat, 21 May 2016 04:34:08 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT

ETag: "a91b7528cbbf7d45d86571fe1a446e7f"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 1005

Server: AmazonS3

/* Resizable..----------------------------------*/...ui-resizable { position: relative;}...ui-resizable-handle { position: absolute;font-size: 0.1px;z-index: 99999; display: block;}...ui-resizable-disabled .ui-resizable-handle, .ui-resizable-autohide .ui-resizable-handle { display: none; }...ui-resizable-n { cursor: n-resize; height: 7px; width: 100%; top: -5px; left: 0px; }...ui-resizable-s { cursor: s-resize; height: 7px; width: 100%; bottom: -5px; left: 0px; }...ui-resizable-e { cursor: e-resize; width: 7px; right: -5px; top: 0px; height: 100%; }...ui-resizable-w { cursor: w-resize; width: 7px; left: -5px; top: 0px; height: 100%; }...ui-resizable-se { cursor: se-resize; width: 12px; height: 12px; right: 1px; bottom: 1px; }...ui-resizable-sw { cursor: sw-resize; width: 9px; height: 9px; left: -5px; bottom: -5px; }...ui-resizable-nw { cursor: nw-resize; width: 9px; height: 9px; left: -5px; top: -5px; }...ui-resizable-ne { cursor: ne-resize; width: 9px; height: 9px; right: -5px; top: -5px;}....

GET /js/themes/base/ui.slider.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: FbrsabYYTxj5Ix1t3fcMzmmqNsGE50pJ4BGmK5VzmgiVr6kBWCowK4GCYdMvq/CHUXXYtBIkjYI=

x-amz-request-id: E0E9FB2EC399325C

Date: Sat, 21 May 2016 04:34:09 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT

ETag: "224d478712aa7addc59a6891d5db9f9e"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 947

Server: AmazonS3

/* Slider..----------------------------------*/...ui-slider { position: relative; text-align: left; }...ui-slider .ui-slider-handle { position: absolute; z-index: 2; width: 1.2em; height: 1.2em; cursor: default; }...ui-slider .ui-slider-range { position: absolute; z-index: 1; font-size: .7em; display: block; border: 0; }...ui-slider-horizontal { height: .8em; }...ui-slider-horizontal .ui-slider-handle { top: -.3em; margin-left: -.6em; }...ui-slider-horizontal .ui-slider-range { top: 0; height: 100%; }...ui-slider-horizontal .ui-slider-range-min { left: 0; }...ui-slider-horizontal .ui-slider-range-max { right: 0; }...ui-slider-vertical { width: .8em; height: 100px; }...ui-slider-vertical .ui-slider-handle { left: -.3em; margin-left: 0; margin-bottom: -.6em; }...ui-slider-vertical .ui-slider-range { left: 0; width: 100%; }...ui-slider-vertical .ui-slider-range-min { bottom: 0; }...ui-slider-vertical .ui-slider-range-max { top: 0; }....

GET /js/themes/base/ui.datepicker.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: OtcJZ YMbYYmgFHUNxuaABRLPlrNcZwjis/cF8rRCbzVmZaWaWMSMzu77otXxvfqPTZgyC5V nY=

x-amz-request-id: 6BCCB7B0D86A910E

Date: Sat, 21 May 2016 04:34:09 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:16 GMT

ETag: "4663a45272bc95a9e7999103b233fdf8"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 3997

Server: AmazonS3

/* Datepicker..----------------------------------*/...ui-datepicker { width: 17em; padding: .2em .2em 0; }...ui-datepicker .ui-datepicker-header { position:relative; padding:.2em 0; }...ui-datepicker .ui-datepicker-prev, .ui-datepicker .ui-datepicker-next { position:absolute; top: 2px; width: 1.8em; height: 1.8em; }...ui-datepicker .ui-datepicker-prev-hover, .ui-datepicker .ui-datepicker-next-hover { top: 1px; }...ui-datepicker .ui-datepicker-prev { left:2px; }...ui-datepicker .ui-datepicker-next { right:2px; }...ui-datepicker .ui-datepicker-prev-hover { left:1px; }...ui-datepicker .ui-datepicker-next-hover { right:1px; }...ui-datepicker .ui-datepicker-prev span, .ui-datepicker .ui-datepicker-next span { display: block; position: absolute; left: 50%; margin-left: -8px; top: 50%; margin-top: -8px; }...ui-datepicker .ui-datepicker-title { margin: 0 2.3em; line-height: 1.8em; text-align: center; }...ui-datepicker .ui-datepicker-title select { float:left; font-size:1em; margin:1px 0; }...ui-datepicker select.ui-datepicker-month-year {width: 100%;}...ui-datepicker select.ui-datepicker-month, ...ui-datepicker select.ui-datepicker-year { width: 49%;}...ui-datepicker .ui-datepicker-title select.ui-datepicker-year { float: right; }...ui-datepicker table {width: 100%; font-size: .9em; border-collapse: collapse; margin:0 0 .4em; }...ui-datepicker th { padding: .7em .3em; text-align: center; font-weight: bold; border: 0; }...ui-datepicker td { border: 0; padding: 1px; }...ui-datepicker td span, .ui-datepicker td a { disp

<<< skipped >>>

GET /js/ui/ui.core.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: jX8Dlp2Q/u0cI4BCS7TC62LYEgk3Pcc/DMBLaScHH0zoEaf5Vi7MnN392sgV5DYiv c4VZE/iy8=

x-amz-request-id: CA1B81F106372474

Date: Sat, 21 May 2016 04:34:09 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:31 GMT

ETag: "7ba404374e3e38ebd3e869c444a10fcd"

Accept-Ranges: bytes

Content-Type: application/x-javascript

Content-Length: 13932

Server: AmazonS3

/*. * jQuery UI 1.7.1. *. * Copyright (c) 2009 AUTHORS.txt (hXXp://jqueryui.com/about). * Dual licensed under the MIT (MIT-LICENSE.txt). * and GPL (GPL-LICENSE.txt) licenses.. *. * hXXp://docs.jquery.com/UI. */.;jQuery.ui || (function($) {..var _remove = $.fn.remove,..isFF2 = $.browser.mozilla && (parseFloat($.browser.version) < 1.9);..//Helper functions and ui object.$.ui = {..version: "1.7.1",...// $.ui.plugin is deprecated. Use the proxy pattern instead...plugin: {...add: function(module, option, set) {....var proto = $.ui[module].prototype;....for(var i in set) {.....proto.plugins[i] = proto.plugins[i] || [];.....proto.plugins[i].push([option, set[i]]);....}...},...call: function(instance, name, args) {....var set = instance.plugins[name];....if(!set || !instance.element[0].parentNode) { return; }.....for (var i = 0; i < set.length; i ) {.....if (instance.options[set[i][0]]) {......set[i][1].apply(instance.element, args);.....}....}...}..},...contains: function(a, b) {...return document.compareDocumentPosition....? a.compareDocumentPosition(b) & 16....: a !== b && a.contains(b);..},...hasScroll: function(el, a) {....//If overflow is hidden, the element might have extra content, but the user wants to hide it...if ($(el).css('overflow') == 'hidden') { return false; }....var scroll = (a && a == 'left') ? 'scrollLeft' : 'scrollTop',....has = false;....if (el[scroll] > 0) { return true; }....// TODO: determine which cases actually cause this to happen...// if the element doesn't have the scroll set, s

<<< skipped >>>

GET /js/themes/base/ui.all.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: LKsYBv s5PNFlEkezBwRshPwadCobYrsx3/34PKI4TlKJLI/VU Kvbl38c8HcaRFIeCpgK6p9K4=

x-amz-request-id: A7F6A1FE97325DBA

Date: Sat, 21 May 2016 04:34:07 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:15 GMT

ETag: "1bd7585503b70c200bf0aa5d9a5763d2"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 49

Server: AmazonS3

@import "ui.base.css";..@import "ui.theme.css";......

GET /js/jquery-1.3.2.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: /EiPEW92uZX2tTNoOyiyoEehf3/VvMGzJZIchOtVtEDVwY6XxBcGUjCzB8rcjSigSV2SqtEKUDc=

x-amz-request-id: A15A0E5607A52E9F

Date: Sat, 21 May 2016 04:34:07 GMT

Last-Modified: Fri, 13 Jan 2012 21:16:34 GMT

ETag: "e4af2b4805203f1ac490ad67531b848b"

Accept-Ranges: bytes

Content-Type: application/x-javascript

Content-Length: 120619

Server: AmazonS3

/*!. * jQuery JavaScript Library v1.3.2. * hXXp://jquery.com/. *. * Copyright (c) 2009 John Resig. * Dual licensed under the MIT and GPL licenses.. * hXXp://docs.jquery.com/License. *. * Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009). * Revision: 6246. */.(function(){..var ..// Will speed up references to window, and allows munging its name...window = this,..// Will speed up references to undefined, and allows munging its name...undefined,..// Map over jQuery in case of overwrite.._jQuery = window.jQuery,..// Map over the $ in case of overwrite.._$ = window.$,...jQuery = window.jQuery = window.$ = function( selector, context ) {...// The jQuery object is actually just the init constructor 'enhanced'...return new jQuery.fn.init( selector, context );..},...// A simple way to check for HTML strings or ID strings..// (both of which we optimize for)..quickExpr = /^[^<]*(<(.|\s) >)[^>]*$|^#([\w-] )$/,..// Is it a simple selector..isSimple = /^.[^:#\[\.,]*$/;..jQuery.fn = jQuery.prototype = {..init: function( selector, context ) {...// Make sure that a selection was provided...selector = selector || document;....// Handle $(DOMElement)...if ( selector.nodeType ) {....this[0] = selector;....this.length = 1;....this.context = selector;....return this;...}...// Handle HTML strings...if ( typeof selector === "string" ) {....// Are we dealing with HTML string or an ID?....var match = quickExpr.exec( selector );.....// Verify a match, and that no context was specified for #id....if ( match && (match[1] || !c

<<< skipped >>>

GET /js/themes/base/ui.accordion.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: t6P/6YxcvMos4/maboVomYdo5PQa6dnXzcx0rWQI6daQFvD97kMz6ciI4HFjGrmomwIFgAFHkWY=

x-amz-request-id: CC51B24D042B9A31

Date: Sat, 21 May 2016 04:34:08 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:15 GMT

ETag: "f9f6dc314c99503d328869a447fd3ee0"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 739

Server: AmazonS3

/* Accordion..----------------------------------*/...ui-accordion .ui-accordion-header { cursor: pointer; position: relative; margin-top: 1px; zoom: 1; }...ui-accordion .ui-accordion-li-fix { display: inline; }...ui-accordion .ui-accordion-header-active { border-bottom: 0 !important; }...ui-accordion .ui-accordion-header a { display: block; font-size: 1em; padding: .5em .5em .5em 2.2em; }...ui-accordion .ui-accordion-header .ui-icon { position: absolute; left: .5em; top: 50%; margin-top: -8px; }...ui-accordion .ui-accordion-content { padding: 1em 2.2em; border-top: 0; margin-top: -2px; position: relative; top: 1px; margin-bottom: 2px; overflow: auto; display: none; }...ui-accordion .ui-accordion-content-active { display: block; }....

GET /js/themes/base/ui.dialog.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: seNdRVBEj3/fecbe9/6si0MvQALuDGM3kGCqRzkBhTqPdzqt3M6nHn693xrMCZSFuW3qVjj srE=

x-amz-request-id: C754C263393A56C7

Date: Sat, 21 May 2016 04:34:08 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT

ETag: "1450ea3b2d0244a864357719557d5c5d"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 1177

Server: AmazonS3

/* Dialog..----------------------------------*/...ui-dialog { position: relative; padding: .2em; width: 300px; }...ui-dialog .ui-dialog-titlebar { padding: .5em .3em .3em 1em; position: relative; }...ui-dialog .ui-dialog-title { float: left; margin: .1em 0 .2em; } ...ui-dialog .ui-dialog-titlebar-close { position: absolute; right: .3em; top: 50%; width: 19px; margin: -10px 0 0 0; padding: 1px; height: 18px; }...ui-dialog .ui-dialog-titlebar-close span { display: block; margin: 1px; }...ui-dialog .ui-dialog-titlebar-close:hover, .ui-dialog .ui-dialog-titlebar-close:focus { padding: 0; }...ui-dialog .ui-dialog-content { border: 0; padding: .5em 1em; background: none; overflow: auto; zoom: 1; }...ui-dialog .ui-dialog-buttonpane { text-align: left; border-width: 1px 0 0 0; background-image: none; margin: .5em 0 0 0; padding: .3em 1em .5em .4em; }...ui-dialog .ui-dialog-buttonpane button { float: right; margin: .5em .4em .5em 0; cursor: pointer; padding: .2em .6em .3em .6em; line-height: 1.4em; width:auto; overflow:visible; }...ui-dialog .ui-resizable-se { width: 14px; height: 14px; right: 3px; bottom: 3px; }...ui-draggable .ui-dialog-titlebar { cursor: move; }......

<<< skipped >>>

GET /js/themes/base/ui.tabs.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: MS QVzVQxyumu1xYgLxffLD7vcDFyE70yxUHZ43 CwtdvKElI73/MMxQt2mWP8AzqGTFInSRQB0=

x-amz-request-id: A6221A21F2A13611

Date: Sat, 21 May 2016 04:34:09 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT

ETag: "9b89f005055f72900e73ca689d2d3ea2"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 1047

Server: AmazonS3

/* Tabs..----------------------------------*/...ui-tabs { padding: .2em; zoom: 1; }...ui-tabs .ui-tabs-nav { list-style: none; position: relative; padding: .2em .2em 0; }...ui-tabs .ui-tabs-nav li { position: relative; float: left; border-bottom-width: 0 !important; margin: 0 .2em -1px 0; padding: 0; }...ui-tabs .ui-tabs-nav li a { float: left; text-decoration: none; padding: .5em 1em; }...ui-tabs .ui-tabs-nav li.ui-tabs-selected { padding-bottom: 1px; border-bottom-width: 0; }...ui-tabs .ui-tabs-nav li.ui-tabs-selected a, .ui-tabs .ui-tabs-nav li.ui-state-disabled a, .ui-tabs .ui-tabs-nav li.ui-state-processing a { cursor: text; }...ui-tabs .ui-tabs-nav li a, .ui-tabs.ui-tabs-collapsible .ui-tabs-nav li.ui-tabs-selected a { cursor: pointer; } /* first selector in group seems obsolete, but required to overcome bug in Opera applying cursor: text overall if defined elsewhere... */...ui-tabs .ui-tabs-panel { padding: 1em 1.4em; display: block; border-width: 0; background: none; }...ui-tabs .ui-tabs-hide { display: none !important; }......

GET /js/themes/base/ui.progressbar.css HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 5HJDPPTEIENsWVSARBNp/1IHgkoU3ebF3oWXg X/HFviuMHAZE/2yYrOHSHPeB0P ZTw DiVDdg=

x-amz-request-id: 3C74A7F42C865472

Date: Sat, 21 May 2016 04:34:09 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT

ETag: "c302fab2906c786b4cec8df7970e4cb2"

Accept-Ranges: bytes

Content-Type: text/css

Content-Length: 172

Server: AmazonS3

/* Progressbar..----------------------------------*/...ui-progressbar { height:2em; text-align: left; }...ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }HTTP/1.1 200 OK..x-amz-id-2: 5HJDPPTEIENsWVSARBNp/1IHgkoU3ebF3oWXg X/HFviuMHAZE/2yYrOHSHPeB0P ZTw DiVDdg=..x-amz-request-id: 3C74A7F42C865472..Date: Sat, 21 May 2016 04:34:09 GMT..Last-Modified: Fri, 13 Jan 2012 21:28:17 GMT..ETag: "c302fab2906c786b4cec8df7970e4cb2"..Accept-Ranges: bytes..Content-Type: text/css..Content-Length: 172..Server: AmazonS3../* Progressbar..----------------------------------*/...ui-progressbar { height:2em; text-align: left; }...ui-progressbar .ui-progressbar-value {margin: -1px; height:100%; }....

GET /js/ui/ui.tabs.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: wkuPZhMOXAvOtOG6udcQ7QhLEcUUI/nfguFIEfY0C4sLp6OF44FGihV0Pz4aojhxJFeUPyBiqTE=

x-amz-request-id: 9EC993F8A7CEFEA9

Date: Sat, 21 May 2016 04:34:10 GMT

Last-Modified: Fri, 13 Jan 2012 21:28:34 GMT

ETag: "f07e6494dd1b6068a2d432af1ec208a8"

Accept-Ranges: bytes

Content-Type: application/x-javascript

Content-Length: 19069

Server: AmazonS3

/*. * jQuery UI Tabs 1.7.2. *. * Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about). * Dual licensed under the MIT (MIT-LICENSE.txt). * and GPL (GPL-LICENSE.txt) licenses.. *. * hXXp://docs.jquery.com/UI/Tabs. *. * Depends:. *.ui.core.js. */.(function($) {..$.widget("ui.tabs", {..._init: function() {...if (this.options.deselectable !== undefined) {....this.options.collapsible = this.options.deselectable;...}...this._tabify(true);..},..._setData: function(key, value) {...if (key == 'selected') {....if (this.options.collapsible && value == this.options.selected) {.....return;....}....this.select(value);...}...else {....this.options[key] = value;....if (key == 'deselectable') {.....this.options.collapsible = value;....}....this._tabify();...}..},..._tabId: function(a) {...return a.title && a.title.replace(/\s/g, '_').replace(/[^A-Za-z0-9\-_:\.]/g, '') ||....this.options.idPrefix $.data(a);..},..._sanitizeSelector: function(hash) {...return hash.replace(/:/g, '\\:'); // we need this because an id may contain a ":"..},..._cookie: function() {...var cookie = this.cookie || (this.cookie = this.options.cookie.name || 'ui-tabs-' $.data(this.list[0]));...return $.cookie.apply(null, [cookie].concat($.makeArray(arguments)));..},..._ui: function(tab, panel) {...return {....tab: tab,....panel: panel,....index: this.anchors.index(tab)...};..},..._cleanup: function() {...// restore all former loading tabs labels...this.lis.filter('.ui-state-processing').removeClass('ui-state-processing')......find('span:data(label.

<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/appheader.html?version=3055&lang=ENG

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 21 May 2016 04:22:49 GMT

Expires: Sat, 21 May 2016 06:22:49 GMT

Last-Modified: Mon, 09 May 2016 22:17:11 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 16022

Age: 677

Cache-Control: public, max-age=7200

...........}kW....w~........pk..f......ZZ(O.,.!$$!q.....gft...>{....%.G..>..fF~2........;>..i...&.9.....v*.|x.|$....L.....y. 5.....!..R*i..........>..mAf.o..@.0L.....1....w.v<_-.|aa.......F.p,....yA.....Q.{'...kyA....^.S...'o.2......5K..2o'~.....F#....*.7...c.#.l.P. >.L.j.4....h...L~-....JW.Z..bm.I.9....s..;...=..Ue...b....r.................).......dO.c....v.f...^:....=.}.N'.-4.5m|h..tb.6v..W..r$.@.8................v......e...T.t.h.c:..(....~.e0.].....{Y.p.....K.@L..JZ.q.s.8...T...9..1r...u.KS..(xa!..{0!..5.4.^...7..."..........J8... .....O....t...q...|...a......a.V.q.5.e.([2..F[.........E...W.|....5a...0..0...Ma.ML.....d....3.....=/.z`....i....ku#.4.b.Ra.^.:.-.j.*..L.......A.;...Q.{2i.....}l..H.....T...Y._.Q!q ..V.y...9.@.R..8..!x!...p.e4...'$c......x....'..AF&*i.../..@...!..zx..bq.{<..9...~..]...cW.Q....@A...........U..}. .ihA..n..KK0:....b....@.D..U.....b.I>...-=...|..E.._.W.pS..5....4.Ma..|.B......w...b>X. ...a....gV.1...ra!ZX.).,...[..*[.....)s8.. .....X8.c..D6'ai.6..Q.u10..N...p...>V.............!V.......p#.....#.j...b......C....^........#..>E.`.........y.....%..M.D.e...Y.HB.....a.G(.b.P.=.......'...&.T._.B..C......T....8..Ra.5.o.*...!.o..t ....`"@...='..<.Z.n..}`...m...TY...-...&".!.p....j...H....z........|....H.....*...4"...K.0D8..2...`.O..R......../`2.6.F.W..,...2.....I..Y....o...8..yA].....G.....8..8[..U.*x..).]...=.\...0<.pu....7%.e?".P..f../.C??.h..8|Y.....W.j...^.O(.O.....3W\Q....~.N.G.Z.3.OO..W.....7i(....c...!.Az....*...*..pdo.c4.k.%..}.......". ..f...{_.z..

<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.7&utms=1&utmn=565884732&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=544x54&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=1995597227&utmr=-&utmp=/app/appheader.html?version=3055&lang=ENG&utmht=1463805253604&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1660193878&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/appheader.html?version=3055&lang=ENG

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Sat, 21 May 2016 04:34:06 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

GIF89a.............,...........D..;....

GET /__utm.gif?utmwv=5.6.7&utms=2&utmn=93188622&utmhn=download3.showmypc.com&utmcs=utf-8&utmsr=1276x846&utmvp=488x298&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=929702296&utmr=-&utmp=/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11%2520AM&utmht=1463805259104&utmac=UA-3896280-1&utmcc=__utma=172476214.434589424.1463805253.1463805253.1463805253.1;+__utmz=172476214.1463805253.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=&utmu=DAAAAAAAAAAAAAAAAAAAAABE~ HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Wed, 18 May 2016 09:36:06 GMT

Pragma: no-cache

Expires: Mon, 01 Jan 1990 00:00:00 GMT

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Age: 241084

Cache-Control: no-cache, no-store, must-revalidate

GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Wed, 18 May 2016 09:36:06 GMT..Pragma: no-cache..Expires: Mon, 01 Jan 1990 00:00:00 GMT..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..Age: 241084..Cache-Control: no-cache, no-store, must-revalidate..GIF89a.............,...........D..;..

GET /app/appheader.html?version=3055&lang=ENG HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 21 May 2016 04:34:03 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 1859

Connection: close

Content-Type: text/html; charset=UTF-8

<html><head><smpcok></smpcok>.<style>.a.linksmall {color:green;text-decoration:underline;font-size: 11px;}.a.linksmallred {color:green;text-decoration:underline;font-size: 11px;}.a.colorlink {color:green;text-decoration:underline;font-size: 12px;}.a.linkclear {color:green;text-decoration:none;font-size: 12px;}.</style>.<script language="JavaScript">..</script>.</head>.<body topmargin="0" leftmargin="0" scroll="no">.<table border="0" cellspacing="0" cellpadding="0">.<tr>.<td valign="bottom">..<a href="hXXp://showmypc.com?ref=header" target="_new"><img src="hXXp://s3.showmypc.com/images/logo-showmypc-210-50.gif" border="0"></a>.</td>.<td valign="bottom">..</td>...<td valign="middle">......<a href="hXXp://download3.showmypc.com/ShowMyPC3161.exe" class="linksmallred">Get Latest Version 3161</a>.....</td>..</tr&

<<< skipped >>>

GET /pagead/show_ads.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pagead2.googlesyndication.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 12933430863646048122

Date: Sat, 21 May 2016 03:44:19 GMT

Expires: Sat, 21 May 2016 04:44:19 GMT

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 10659

X-XSS-Protection: 1; mode=block

Age: 2991

Cache-Control: public, max-age=3600

...........}iw....w.../#...-....u........>..J.(Q!)/......7IN..3..XX.@.(......37...i.^.xwJ.q...h^..'.u..t..vY.ea.d.yxc.&.f.a.h1..4.V.o..|...t.GW.gq....@Y.8o...l.....}....9..4Jo..... ..f..t-G..6..?...u..,..~..../...2..j.9..XiAVd.. 3.\........;..*.i.9..........|...4...n....1fs.a=....aX...E.E....}.Ra5G"..L.l.V.%|.[F.,N..0b).....={....s.......m."nu....}..A...^...z.vW.c.....\.....u_%o.de.....?.6......c(...rG...S..c. .v{n.=..Z....4...a....3.N.c...E.*.6H.".....E....I%..:.fi......wA7(.....a....X.kX.4^.{.f*.h..0.....Z.D..........\."&.....J...i.L.9yc.i.........f... .\.....S.Z#..."1.W.L..............K.... ..\....Mo.L..1..........L........L..Le2..u..../.3.........,..b.C..v....'.. .l...I...~.f'.................:...N3*.S^k...L.%...DP#..hP..E....f2..Iv6#>m;..........]Q.s5.KD....0...;......is....K..Y..S..7.7..HD.d.L..~C.s..9<.l..V...0V...n...s9...~.....0.1.c..3_...!..4.{.....<.pg.........N"...k..:..FW">e.(.. .'A*...d.;........99etM@..z. .q.b`...w....(.v.@z....q.`E..-.=..x.9` ...f......4....ZMq-\....4..-Dq..F....[.z......q5.....w....u....o..:.|^..I><..M.......Z.^.x...9..M..s.{.....lTb'....S....s5..._....:c.u..i>g..$r...3....^2...W....kV.X./.X.....i........1....=.....A..t....t...e..<.mJy....yX.,G..#.\.....%'....].M........g.-.a#.E..t.Hv...Z..P|.z....9.U..R..... B5..:..E....p.L.v....r...Q. ..V.....uO..L........Z..q..l....2.>....7.CG.2...e.e..g.4....;..t.R`.o@..i<.....Ry..,}8%.zS!.7}c....$.rTY..*f......w..^..xi..~/..3...?G...b.El..^..=[....-^...<B..y..GZ..P..4..]s...Z.&......eR....... ..P..(..Bk.

<<< skipped >>>

GET /pagead/js/r20160517/r20151006/show_ads_impl.js HTTP/1.1

Accept: */*

Referer: hXXp://download3.showmypc.com/app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pagead2.googlesyndication.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 4115156899196434771

Date: Sat, 21 May 2016 04:34:10 GMT

Expires: Sat, 21 May 2016 04:34:10 GMT

Cache-Control: private, max-age=1209600

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 109488

X-XSS-Protection: 1; mode=block

............w_.I.0.?..z.0.V!$...4z1.0N......_'.....Fz?.=.T.. .gw.s...u.|..2..a0.....x.M.......u.S6qU.g=N..|2\..u.....zK.xZ....z.\.<...3.(.....b1t.F......FP....2.t...B...v.(af.i.&&.C. ..a<.ln.!....g.e9.F.21}..4.....&|P.......ZW..%k{..y.8...Ng.0...b.^..Q......Fw.....k.....a......m...........A......%.v2.x..o..0`8.<....i.w.......d4.a....r6...r.....u..{..gw...Z..@.&......?.m.0....M ..&.......F.........T..8...^O...h..}..Q.`..2..O....1......l....U%..Ko,..4Z...9.q(...2..H..M.0.(r......C1...{..d...HiN.....v...i.*/....)m2-......U.d7.C..H...g.*=Q4.8....#..{.FE..{...Z,L.uK.>6..\#....It=...F....>}..:...gg`Z......=...y..@..g......W...1o..&.....$_....g.:.....d....n.H.. .."t..j'..'E.{Y.....g`|...J....5....c.X.Z.D..g..7........f...G[k..rss...*QA@.*C0....p.....z0......=.[h.^t..Oj.~.:$g..f..j.}7.%`q..x>..LFv>...q.N.3o......"7.%..0}..g..C...{kA...O...}.d"..X{......N.y0.M\.R>....,.......ff..V.b=...r....JV.....\.....LL:..Z....L.]....7.&..E..............XT......u@ .l......j`.J..^t.-.sm....=....)...Q...j{pO..U....s..2....V.Y......[Zf.nT..[%..d..f...$.(x..7.:.<.w..Q..mQ...=5.J.R3....2H....T).\..(x&.U..\.yM/2e_R.>_.$..FF..[...z. ....>..C:."=.?....N.L...N.S..._...K_.3.-...t......T.a:5.S.n.....2.B.?5...]?....Z.._..>3...........6.p.s1.\.(.3..|..1...#..&.=Y..p..x4....N.q9......6...hf.........`....>..n..m...Xx......)i.b.4.y..8wtq.m0........&^.Y .9h..........y...@l(......d. .N.....<.......j....#.Co....|:..(..!..U. ....._.f.d.K.......;...5.....L.D.>N.._...y.UZ...z..3......n....,..3c.....Rq?0.?..N0*

<<< skipped >>>

GET /app/about-us.html?lang=ENG&version=3055&seq=5/21/20167:34:11 AM HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download3.showmypc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 21 May 2016 04:34:03 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 3630

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>.<html>.<head>.<SCRIPT LANGUAGE="JavaScript">..</SCRIPT>. <link type="text/css" href="hXXp://s3.showmypc.com/style.css" />. <link type="text/css" href="hXXp://s3.showmypc.com/js/themes/base/ui.all.css" rel="stylesheet" / >. <script type="text/javascript" src="http://s3.showmypc.com/js/jquery-1.3.2.js"></script>. <script type="text/javascript" src="hXXp://s3.showmypc.com/js/ui/ui.core.js"></script>. <script type="text/javascript" src="hXXp://s3.showmypc.com/js/ui/ui.tabs.js"></script>. <script type="text/javascript">. $(document).ready(function(){. $("#tabs").tabs();. });. </script>.</head>.<style type="text/css">./*margin and padding on body element. can introduce errors in determining. element position and are not recommended;. we turn them off as a foundation for YUI. CSS treatments. */.body {..margin:0px;..padding:0pt;..height:100%;..font-family:arial,sans-serif;.}...yui-skin-sam .yui-navset .yui-content {.background:#ffffff none repeat scroll 0 0;.}.a.{..color:green;.}.h2 {.border-bottom:1px dotted green;.color:#E66C2C;.font-size:1.5em;.font-weight:bold;.margin-bottom:2px;.margin-top:8px;.padding:0 0 4px;.}.</style>.<body style="font-size:

<<< skipped >>>

Map

The Trojan-Dropper connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_172:

.text

.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

VERSION.dll

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

PSSSSSSh

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

GetWindowsDirectoryA

ExitWindowsEx

MsgWaitForMultipleObjects

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

~~}}}|||3

smpcvc.exe

MSRC4Plugin.dsm

MSRC4Plugin_NoReg.dsm

settings.ini

SMPCSetup.exe

spcplink.exe

TIPOFDAY.TXT

VNCHooks.dll

smvnview.exe

smwinvnc.exe

mm2.res

MSWINSCK.OCX

smwg.exe

ijl11.dll

.nF&&

Fq=%f`{c

)|{^|*|`

.rEcX

Dx%uM

l.izX

4%f^`

E%ug7

Fc.lK!

S.RBFVi;

"ÂD3

Q.CL

-]

#.Ga03

.YB\F|G

.csUA

dG.Sr

J.apC

%.AD2

%c(!i

)?O%u

2,A%C'o

ED.sd

z=.Yr

.NG`$

:%Cy9

(w.yk V

%U=ya

(7UDp

(.tC=v

.zz>NL

.ej$'

.zM){i

.RS'f

)m(9CQ%%f

.aaD1M

Iw.pQ

%U3

0.Xml}j,

`Q.Ne(

Ov]P1

z.MCW\

v$;(

]'I.uU

|m%cs

B .ZL_

U%clt

.Ey;[

eymsG

^kEyz

.vRSS

6.HSj

.kW =l

R.rYV

K.Ib&

.wCkN

WH%d,

%CH J

R\:,%dN

&.eKe

#q.mj

2%5X

Ov).ap

"[r.lp

.Twd

zi"%cs

W8.LrZ

.ZIT-

(F.hS

G.MAx

.fvAt?

V.CUp

%U]zs

#h.OL2

PM%d/

Rm.ye*

>^%xf

3D.gf

em%fk

]%C}M

.ffg:

.Ju4m[gr

e.yfR

RkJ.qp

SSh;?

r.cS%

N0`(B.LsFT

{n:.Sm

.Bp#yN

D`T%U

.OzeC

F_%d|%

.co^:Y

$-wJ}

DMD7%S

=.qFh

w-s}~,b

*%u}ly

-&/&1&3&5&6&8

.RW U

P.SuC

7`H%SJ

2:.fz

.dd9Y

.UWS~

.ch[[

_?SbRsJ@Qa%S

-9%u

%c#w?

.EKMO

J%D

.Xr2P7LH

o.hDB

N@DT%d

p=Q.sDvkE

Y(.mb

p.qK#

vhqi%s

Qmsg

.tvIc)

-M%1Xd

,

\~.OJ

9%F;0)TO

'ie.tl

%Uwl/3

eHXkr%Xm

VY.kF

%X.A*

.rJ:KA

.nA3D

8%f~WWn

i/";%d

|p.nU

V.cs_K

y.uad }#

S.gc;.

.nT

V8.Xw

"SMPCSetup.exe"

_}$%U

@%U#-

yftp

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.ÃŠn not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

/C: -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

WEXTRACT.EXE

Windows

Operating System

6.00.2900.2180

%original file name%.exe_172_rwx_01001000_00001000:

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

PSSSSSSh

SMPCSetup.exe_1076:

.text

`.data

.rsrc

MSVBVM60.DLL

shdocvw.dll

SHDocVwCtl.WebBrowser

WebBrowser

MSWINSCK.OCX

MSWinsockLib.Winsock

CmdOutput

ModuleWindows

frmLogin

frmLoginService

FormSSHSettings

ModMsgDisp

cMsgDisp

frmLogin1

ws2_32.dll

ReadExeProperty

iphlpapi.dll

urlmon

URLDownloadToFileA

SHFileOperationA

wininet.dll

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

comdlg32.dll

shell32.dll

ShellExecuteA

advapi32.dll

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

PrepareDotSSHFolder

LabelRemotePassword

TextRemotePassword

.httpConCheck

.%System%\winhttp.dll

WinHttp

ValueKey

httpConCheck1

winHttpReqObj

ShowPortConnectorInfo

WebBrowserFooter2

%WinDir%\System32\shdocvw.oca

ShowSerialPortConfigurations

WebBrowser1

ShowSerialPortInfo

ReportProblem

SupportRemoteUsers

DebugReport

ShowKeyboardInfo

ShowParallelPortInfo

psapi.dll

WriteExeProperty

IsLegacyPassword

StartMeetingAfterGettingPorts

ReadSSHSettings

ForceSSHLogin

SendTerminateMsg

InviteUsersViaWeb

StartServerWithCurrentSSHPort

SwitchToBackUpSSH

SSHHostConnection

SetupHTTPtunnel

StartClientProcessAfterGettingPorts

VerifyViewerSSH

SSHViewerConnection

GenerateHostKey

GetServerFromHostKey

VBA6.DLL

CreateAdditionalEXEAssociations

RegOpenKeyExA

CreateEXEAssociation

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegEnumKeyExA

ClassKey

%System%\msvbvm60.dll\3

RegCreateKeyExA

SectionKey

RegEnumKeyA

RegQueryInfoKeyA

KeyExists

CreateKey

DeleteKey

__vbaStopExe

CreatePipe

EnumWindows

EnumChildWindows

WebBrowserMyList

kernel32.dll

cmdOK

cmdCancel

TextLoginStatus

SetSchPasswordOnServer

user32.dll

3iTextURL

LabelURL

StartMeetingWithNicePass

txtPassword

cmdOK_Click

SetCustomPass

cmdKick

cmdDeselect

menuPrivateMsg

cmdDisconnect

LabelNickName

cmdSend

%System%\MSWINSCK.oca

cmdConnect

cmdHost

SendMsgOnUserClick

FrameSSH

LabelSSHPassword

LabelSSHPort

LabelSSHServer

ButtonSSHTest

TextSSHPort

TextSSHServer

TextSSHPassword

TextProxyPass

TextPort

TextSSHUserName

CheckUseHttp

RememberSSHSettings

ClearSSHSettings

winmm.dll

CryptDeriveKey

CryptDestroyKey

GetNamedPipeInfo

ijl11.dll

olepro32.dll

msvbvm60.dll

msvfw32.dll

F%WinDir%\System32\stdole2.tlb

Password

Login

~~}}}|||3

&Password:

ShowMyPC Web

Debug Report

Send Report

Meeting Password:

Get password from presenter

Password:

Use Windows Remote Desktop

00:00:00

Use HTTP Proxy Server

HTTP Proxy Server

Use SOCKS username/password

Port:

Private SSH Server

HTTP / Proxy

Use HTTP to Connect (For Restrictive Firewalls)

Test Private SSH Server

SSH Server:

TextURL

Share URL

Update Nick Name

Join

Nick Name

SSH Encrypted

div.tableContainer {

html>body div.tableContainer {

div.tableContainer table {

html>body div.tableContainer table {

thead.fixedHeader tr {

/* this enables overflow to work on TBODY element. All other non-IE, non-Mozilla browsers */

html>body thead.fixedHeader tr {

thead.fixedHeader th {

thead.fixedHeader a, thead.fixedHeader a:link, thead.fixedHeader a:visited {

thead.fixedHeader a:hover {

html>body tbody.scrollContent {

/* hXXp://VVV.alistapart.com/articles/zebratables/ */

tbody.scrollContent td, tbody.scrollContent tr.normalRow td {

tbody.scrollContent tr.alternateRow td {

/* hXXp://VVV.w3.org/TR/REC-CSS2/selector.html#adjacent-selectors */

html>body thead.fixedHeader th {

html>body thead.fixedHeader th th {

html>body thead.fixedHeader th th th {

html>body tbody.scrollContent td {

html>body tbody.scrollContent td td {

html>body tbody.scrollContent td td td {

Password for remote users

Schedule using Web

Support Remote Users

File Transfer (Web based)...

Keyboard Info

Parallel Port Info

Port Connector

Serial Port Configurations

Serial Port

Report a Problem...

HOME_URL

callbackAfterGettingPorts

attemptNumToGetPort

httpConCheck

supportID

hostkey

sKeyNames

iKeyCount

sExePath

bSupportPrint

bSupportNew

bSupportInstall

eKey

sSectionKey

sValueKey

viewerServiceURL

LoginSucceeded

AutoLogin

meetingTypeSupport

remoteKey

sendPrivateMsg

uiMsg

o*\A\\kallu\m\vagish\ShowMyPC\current\FinalSMPCssh.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

\servicelog.txt

WindowState

smwinvnc.exe

smvnview.exe

winvncultra.exe

vncultra.exe

hXXp://service1.showmypc.com/connectnow.php

f#p.x.gi52

hXXp://showmypc.com/ShowMyPCHelp.php?version=

hXXp://download3.showmypc.com/app/appheader.html?version=

hXXps://assured.showmypc.com/app/appheaderpr.html

hXXps://assured.showmypc.com/live/invite-users/index.php

hXXps://assured.showmypc.com/live/invite-users/screenshot-mail.php

hXXps://assured.showmypc.com/mac/meetnow.html

hXXps://assured.showmyp.com/users/fixk.php?version=

hXXps://assured.showmypc.com/users/rsettings.php?vr=

hXXp://showmypc.com/users/rsettings.php?vr=

up-msg

pop-msg

no-pop-msg

SOFTWARE\Microsoft\Windows NT\CurrentVersion

smpcchat.ini

[Joined]

Srv.exe

ShowMyPC.com Remote Service

-register PortNumber=7900 Password=

Error occured during operation.

Unsupported value type

Failed to delete requested subkey!

Registry Key Delete

Failed to delete requested main key!

\temp.html

Keyboard - Win32_Keyboard

ProtocolSupported

Select * from Win32_Keyboard

Number of Function Keys

NumberOfFunctionKeys

Parallel ports - Win32_ParallelPort

Select * from Win32_ParallelPort

Protocol Supported

Port connector - Win32_PortConnector

Select * from Win32_PortConnector

Port Type

PortType

Serial port configuration - Win32_SerialPortConfiguration

Select * from Win32_SerialPortConfiguration

Serial ports - Win32_SerialPort

Select * from Win32_SerialPort

Supports DTRDSR

Supports16BitMode

Supports 16-Bit Mode

SupportsDTRDSR

Supports Elapsed Timeouts

SupportsElapsedTimeouts

Supports Int Timeouts

SupportsIntTimeouts

Supports Parity Check

SupportsParityCheck

Supports RLSD

SupportsRLSD

Supports RTSCTS

SupportsRTSCTS

Supports Special Characters

SupportsSpecialCharacters

Supports XOn XOff

SupportsXOnXOff

Supports XOn XOff Setting

SupportsXOnXOffSet

Supports Hot Plug

SupportsHotPlug

VccMixedVoltageSupport

VCC Mixed Voltage Support

VppMixedVoltageSupport

VPP Mixed Voltage Support

Maximum Memory Supported

MaxMemorySupported

Monochrome

Power Management Supported

PowerManagementSupported

SupportedSRAM

Supported SRAM

Maximum Baud Rate To SerialPort

MaxBaudRateToSerialPort

Port SubClass

PortSubClass

Responses Key Name

ResponsesKeyName

Select * from Win32_OperatingSystem

Operating systems

Windows Directory

WindowsDirectory

winvnc.exe

Operating systems

Windows Directory

hXXps://assured.showmypc.com/remotedb.php

hXXp://showmypc.com/remotedb.php

hXXp://download3.showmypc.com/app/about-us.html

hXXps://assured.showmypc.com/portxxxxxmlxxx-351.php

download3.showmypc.com

ns2.showmypc.com

winvnc4.exe

hXXps://assured.showmypc.com/live/appsettings.php?ci=

connectnowurl

hXXp://showmypc.appspot.com/connectnow.php

Software\Microsoft\Windows\CurrentVersion\Policies\System

RegKey

&mtpass=

Please visit hXXp://showmypc.com for help or update information.

/chat/index.php?myroom=

showmypc.com

hXXp://showmypc.com/users/

\settings.ini

Getting Port 1

hXXps://assured.showmypc.com

hXXp://ns2.showmypc.com

Getting Port 2

hXXp://ns1.showmypc.com

Getting Port 3

UEMURL

InternetExplorer.Application

hXXp://showmypc.com/emailHandler.php?seq=

AutoPortSelect

PortNumber

?task=get&actionToPut=connect&keyToPut=

/ok.html

hXXps://assured.showmypc.com/users/rsettings.php?vr=3055

hXXp://showmypc.com/users/rsettings.php?vr=3055

hXXps://assured.

hXXp://

hXXp://localhost:

/ok.html?seq=

Windows 2000

hXXp://localhost:5800/?s=

?task=put&actionToPut=connect&keyToPut=

?task=del&actionToPut=connect&keyToPut=

hXXps://assured.showmypc.com/getClientStatus.php?ci=

\smpcvc.exe

\mm2.res

Error closing key.

WScript.Shell

Windows_NT

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

Cannot enable Remote Desktop on Windows 2000, use VNC

smwg.exe --no-check-certificate -O

01/01/2009

HTTP/1.0

VVV.example

/index.asp

mypassword

HTTP/1.1

Windows 95

Windows 98

Windows Millennium

Windows NT 3.51

Windows NT 4.0

Windows XP

Windows 7

Microsoft.XMLHTTP

application/x-www-form-urlencoded

Msxml2.XMLHTTP.6.0

Msxml2.XMLHTTP.3.0

Msxml2.XMLHTTP

\combo.exe

N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\combo.exe

N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\ShowMyPCPremium.exe

N:\home\vagish\ShowMyPC\showmypc-windows-bin-src\setall.bmp

Getting Port

_MSG_ST_SVR

ENG_MSG_GN_ERR

hXXp://VVV.vb2themax.com/vbmaximizer/files/vbm_demo.zip

c:\vbm_demo.zip

hXXp://showmypc.com/ShowMyPCHelp.php?version=3055

supportView

Share Password

Do you wish to update exe with new ID.

explorer.exe

Cannot connect, Check SSH settings file.

spcplink.exe

Testing SSH Connection...

\res.txt

SSH Test Failed

_MSG_DISCON

_MSG_WARNING

_MSG_GN_ERR

Check UI or settings.ini file, SSHServer is missing

Check UI or settings.ini file, SSHUserName is missing

Check UI or settings.ini file, SSHPassword is missing

Check UI or settings.ini file, SSHPort is missing, using default 22

smpc.com443

hXXps://secure.showmypc.com/transfer/index.php?cl=app&ver=

hXXp://download3.showmypc.com/app/appheader.html?version=3055

\explorer.exe

hXXps://showmypc.appspot.com/connectnow.php

generatepasscode

msgdesp

_MSG_LOGIN_FRM

_MSG_LBL_HOST

_MSG_LBL_PASS

_MSG_LBL_EMAIL

_MSG_LBL_TOP

_MSG_LBL_CK_SRV

_MSG_LBL_OK

_MSG_LBL_CANCEL

_MSG_FRM_SCH_MT

_MSG_LBL_HOST_EMAIL

_MSG_LBL_MT_PASS

_MSG_LBL_MT_INFO

_MSG_SHARE_APP

_MSG_REFRESH

_MSG_CLOSE

smvi.exe

LoginFrmCaption

LoginPasLabel

LoginTopCaption

HomeURL

smht.exe

SSH Protocol Version 2, AES 256

rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3

hXXp://showmypc.com/ShowMyPCFeedBack.html?cl=app&ver=

outlook.exe

Outlook.Application

Password:

Or visit hXXp://

.showmypc.com

Password:

Reconnecting SSH...

Restarting SSH

Using HTTP...

\spcplink.exe

-N -C -v -ssh -2 -P

Starting SSH Connection...

\smsh.exe -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 443 -N

\smsh.exe

_MSG_GENER

_MSG_UN_ERR

HTTP Connect...

Starting with current port

passcodegenerated

_MSG_SHR_ST

hXXps://assured.showmypc.com/live/mailer.php?sa=1&et=

\smht.exe

-C -ssh -2 -P

Connecting via HTTP...

hostKey=

_MSG_ST_SSH

_MSG_SSHRST

PROXY_AUTH_PASSTHROUGH

PROXY_AUTH_PASS

PROXY_PORT

PORTMAP

443 ssh

80 ssh

hXXp://localhost:4080/ok.html?

_MSG_CONN

_MSG_WR_PASS

Check Version or Incorrect Password.

_MSG_ST_VIEW

_MSG_SSH_ERR

-C -v -ssh -2 -P

mstsc.exe /v:127.0.0.1:

/password

host=127.0.0.1

Port =

password =

_MSG_VIEW_ST

Warning, check password or get latest version from hXXp://showmypc.com

hXXps://assured.showmypc.com/room.html?vr=

Would you like to send full report, it can take upto 30 secs

Generating report please wait...

hXXps://assured.showmypc.com/live/mailer.php

&de=1&sb=Debug Report (

Could not send report, please copy text and email it to support@showmypc.com

Report Sent

Use standard password.

Password cannot be blank.

Meeting Password cannot less than 6 characters.

Check Password, Check Network or Meeting may not have started.

_MSG_YOUR_EMAIL

WMEncEng.WMEncoder

Video files (*.wmv)|*.wmv|All files (*.*)|*.*

Windows Media Encoder might not be installed.

New Password

WMENC_HELP_URL

hXXp://showmypc.com/service/wmencoder.html

Password must be atleast 2 characters. No Spaces.

Password must be atleast 8 characters. No Spaces.

\mmit.res

smsh.exe

SMPCSetupSrv.exe

@reconnect.session

\smpcvc.exe

\SMPCSetupSrv.exe

\winvncultra.exe

\ultravnc.ini

\SMPCHelper.exe

\smwg.exe

c:\cygwin

d:\cygwin

e:\cygwin

\cygcrypto-0.9.8.dll

\cygminires.dll

\cygwin1.dll

\cygz.dll

passwd

Please Save Password.

\mmi.res

c:\.ssh

c:\cygwin\.ssh

d:\cygwin\.ssh

d:\.ssh

Invalid Password, try again!

sshremem

sshusr

sshaut

Check your network. Server not available. Check version or Contact support@showmypc.com

joined.

One or more connections are currently open. Disconnect before attempting to change the port settings.

.cRegistry

Failed to create registry Key: '

Failed to delete registry Key: '

Failed to open key '

',Key: '

Failed to set registry value Key: '

Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command

Make sure you have Windows Remote Desktop Enabled on Remote Machine.

surl

spcplink.exe -v -ssh -2 -P

hXXp://showmypc.com/service/how-to-install-service/index.html?cl=app&ver=

hXXps://assured.showmypc.com/service/readpclist.php?task=pclstgoog&ci=

hXXp://showmypc.com/service/readpclist.php?task=pclstgoog&ci=

Test Complete. If Command Window is open, the SSH test passed, failed if it is closed.

\Test_Report_

.html

assetauthkey

hXXp://showmypc.com/ok.html

Verify Remote Port Manager

test.ini

smpctestkey

smpcval1

\test.ini

Verify Get Parent Exe Name

Verify SSH to Host Connection

Verify Web Browser Control

hXXps://assured.showmypc.com/ok.html

Verify Get Windows Version Information

\ShowMyPCSSH.exe

hXXp://showmypc.com/ShowMyPCSSH.exe

Test Passed:

temp.jpg

.cDIBSection

Uploading Screen Shot to URL...

hXXps://showmypcup.appspot.com/up?ac=sht&t=u&iid=

hXXps://assured.showmypc.com/broadcast/screenshot.html?ac=sht&iid=

.mIntelJPEGLibrary

ADODB.Stream

MSXML2.XMLHTTP

hXXp://showmypc.appspot.com/up?iid=56406&t=u&img=

hXXp://showmypc.appspot.com/up

ADODB.Recordset

wscript.shell

Upload file using http And multipart/form-data

[cscript|wscript] fupload.vbs file url [fieldname]

url ... URL which can accept uploaded data

curl -k -F img=@

hXXp:///

A*\A\\kallu\m\vagish\ShowMyPC\current\FinalSMPCssh.vbp

ShowMyPC.com Comments

ShowMyPC.com

6.01.0924

SMPCSetup.exe

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps

Operating systems

Operating systems