In the past, adware and potentially unwanted programs (PUPs) limited themselves to showing advertisements or changing your homepage, and did so without fear of legal action because they operated as registered companies and hid behind End User License Agreements (EULAs). Emboldened by the lack of consequences, these companies have increasingly adopted behavior that puts them squarely in the category of backdoors, rootkits, and Trojans.

SmartService: A PUP & Adware's Bodyguard

A clear example is an infection called SmartService, which is being heavily distributed in almost all of the current adware or "offer" bundles that people encounter when installing free downloads.

While BleepingComputer was receiving many reports from people who were unable to launch their security programs, it wasn't until I received a sample from Zemana malware researcher Djordje Lukic that I realized it was being installed as part of a PUP installer called s5Mark, which claims to be an anonymous VPN service. s5Mark has been around for quite some time, but only recently started adding SmartService to its payload.

s5Mark Installer

When SmartService is installed, it creates a Windows service that loads a kernel driver (registered as the boot-start service drmkpro64 with its image at System32\drivers\ndistpr64.sys; see the registry entries at the end of this article). The driver blocks many security programs from executing, prevents protected processes from being terminated, and prevents the deletion of the registry keys associated with those processes. The service essentially acts as a bodyguard for the other crapware installed alongside it.

Examples of SmartService blocking legitimate security software are shown below. When a program is blocked, Windows displays an error stating "The requested resource is in use." (Win32 error 170, ERROR_BUSY).

SmartService blocks programs from running by hooking the Windows CreateProcess function, so that every time a new process is created SmartService sees it and decides whether it will be allowed to run. Currently the decision is based on the process name or the digital signature of the program, which means a security tool will only start if both checks miss: its file name is not on the list, and it is either unsigned or signed by a publisher that is not on the list. The current list of blacklisted process names and code-signing certificates can be found at the end of this article.

In addition to blocking security programs from launching, SmartService also protects certain processes from being disabled. It prevents a victim from deleting a protected file, terminating the process, or even modifying the registry entries associated with a protected process or service.

Unable to Delete Protected Value

The current list of protected processes and service names (the backslash-prefixed entries are service names) includes:

C:\windows\system32\tprdpw32.exe
\QDCOMSVC
\WINDOWSMANAGEMENTSERVICE
\SMARTSERVICE
\DATAUP
\DRMKPRO64
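To turn the lists above into something you can run, here is an added triage script for an elevated PowerShell prompt; it is not part of the original article and not any vendor's tooling. It checks the service keys, driver image, dropped files and running processes named in this article, then runs a canary: it copies cmd.exe under a name from the article's blocklist (HIJACKTHIS.EXE) and tries to start it. The expectation that a blocked launch fails with Win32 error 170 ("The requested resource is in use") follows from the article's description of the driver; the paths are the ones in the article's file and registry sections, and the function names are mine.

```powershell
# Added triage script; paths and service names come from this article's indicator lists.
# Run from an elevated PowerShell prompt on the suspect machine.

$ServiceNames = 'drmkpro64', 'Dataup', 'windowsmanagementservice', 'QDCOMSVC', 'SMARTSERVICE'
$DroppedFiles = @(
    "$env:SystemRoot\System32\drivers\ndistpr64.sys",        # driver loaded by the drmkpro64 service
    "$env:SystemRoot\System32\tprdpw32.exe",                 # protected process
    "$env:LOCALAPPDATA\ntuserlitelist\svcvmx\vmxclient.exe", # hidden-browser clicker
    "$env:LOCALAPPDATA\ntuserlitelist\dataup\dataup.exe",
    "$env:LOCALAPPDATA\hdsvad\qdcomsvc.exe",
    "$env:LOCALAPPDATA\ewjipbsd\ct.exe",
    "${env:ProgramFiles(x86)}\s5\s.exe"
)
$ProcessNames = 'vmxclient', 'svcvmx', 'tprdpw32', 'qdcomsvc', 'dataup', 'winscr', 'ct'

function Get-SmartServiceIndicators {
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($svc in $ServiceNames) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        $hits.Add([pscustomobject]@{ Type = 'Service'; Name = $svc
                                      Detail = "Start=$($p.Start) ImagePath=$($p.ImagePath)" })
        # The driver's key also carries a minifilter registration (Instances\<name>\Altitude).
        Get-ChildItem -LiteralPath "$key\Instances" -ErrorAction SilentlyContinue | ForEach-Object {
            $alt = (Get-ItemProperty -LiteralPath $_.PSPath).Altitude
            $hits.Add([pscustomobject]@{ Type = 'Minifilter'; Name = $_.PSChildName; Detail = "Altitude=$alt" })
        }
    }
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $hits.Add([pscustomobject]@{ Type = 'File'; Name = $f; Detail = "SHA256=$sha" })
        }
    }
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue | ForEach-Object {
        $hits.Add([pscustomobject]@{ Type = 'Process'; Name = $_.ProcessName; Detail = "PID=$($_.Id) Path=$($_.Path)" })
    }
    return $hits
}

function Test-ProcessBlocker {
    # Canary: a copy of cmd.exe under a blocklisted name. On a clean machine it runs and exits 0;
    # with SmartService active the launch is refused with "The requested resource is in use"
    # (ERROR_BUSY, Win32 error 170), per the article's description of the name check.
    $canary = Join-Path $env:TEMP 'HIJACKTHIS.EXE'
    Copy-Item -LiteralPath "$env:SystemRoot\System32\cmd.exe" -Destination $canary -Force
    try {
        $proc = Start-Process -FilePath $canary -ArgumentList '/c', 'exit 0' -WindowStyle Hidden -PassThru -Wait -ErrorAction Stop
        [pscustomobject]@{ Blocked = $false; Detail = "canary ran, exit code $($proc.ExitCode)" }
    } catch {
        $inner = $_.Exception.InnerException
        $busy = ($inner -is [System.ComponentModel.Win32Exception]) -and ($inner.NativeErrorCode -eq 170)
        [pscustomobject]@{ Blocked = $busy; Detail = $_.Exception.Message }
    } finally {
        Remove-Item -LiteralPath $canary -Force -ErrorAction SilentlyContinue
    }
}

$indicators = Get-SmartServiceIndicators
if ($indicators.Count -eq 0) { 'No SmartService indicators found.' } else { $indicators | Format-Table -AutoSize }
Test-ProcessBlocker
```

The canary is deliberately a renamed copy of cmd.exe rather than a real scanner, so a positive result tells you the name check alone is enough to get a process refused; the file hashes printed for any dropped files can be compared against the SHA-256 at the end of the article and submitted to your vendor if they differ.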

What Exactly is SmartService Protecting?

SmartService serves as a dual-purpose bodyguard. First, for the adware bundled alongside it, SmartService acts as a protector by preventing security software from running and removing that adware. Second, it protects what appears to be a Trojan.Clicker that is always installed along with SmartService.

When installed, SmartService launches an executable called vmxclient.exe that continuously connects to web sites using a hidden browser process. The svcvmx folder it runs from contains libcef.dll and the other Chromium Embedded Framework components in the file list below, along with Flash (pepflashplayer.dll) and Widevine plugins, so the pages it visits render completely. When it connects to these web sites it renders everything on them, including advertisements, but does so in hidden windows so the user does not see them. You can see the constant stream of web requests in the Fiddler output below.

Web Requests shown in Fiddler

You can also see all of the network connections made by the vmxclient.exe executable in TCPView.

TCPView Showing the Numerous VMXclient Connections
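The TCPView and Fiddler observations above can be reduced to a repeatable check. The following is an added example, not the article's or any vendor's code: it groups established HTTP/HTTPS connections by owning process and combines the signals the article describes (many connections from one process, no visible window, an executable under %LOCALAPPDATA%, Chromium Embedded Framework files beside it). The threshold of ten connections and the function name are my choices.

```powershell
# Added example: flag processes that look like the hidden-browser clicker described above.
# Signals are taken from the article's observations; the threshold is an assumption.

function Find-HiddenBrowserActivity {
    param([int]$MinConnections = 10)

    $established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq 80 -or $_.RemotePort -eq 443 }

    foreach ($group in ($established | Group-Object -Property OwningProcess)) {
        $ownerPid = [int]$group.Name
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        $path = $proc.Path            # $null for protected/system processes when not elevated
        $dir = if ($path) { Split-Path -Path $path -Parent } else { $null }
        # vmxclient.exe ships with libcef.dll in the same folder (see the file list below)
        $hasCef = [bool]($dir -and (Test-Path -LiteralPath (Join-Path $dir 'libcef.dll')))
        $inLocalAppData = [bool]($path -and $path.StartsWith($env:LOCALAPPDATA, [System.StringComparison]::OrdinalIgnoreCase))
        $hasWindow = $proc.MainWindowHandle.ToInt64() -ne 0
        $remotes = @($group.Group.RemoteAddress | Sort-Object -Unique)

        [pscustomobject]@{
            PID            = $ownerPid
            Name           = $proc.ProcessName
            Path           = $path
            Connections    = $group.Count
            DistinctHosts  = $remotes.Count
            EmbedsChromium = $hasCef
            VisibleWindow  = $hasWindow
            Suspicious     = ($group.Count -ge $MinConnections) -and (-not $hasWindow) -and ($hasCef -or $inLocalAppData)
        }
    }
}

Find-HiddenBrowserActivity | Sort-Object -Property Connections -Descending | Format-Table -AutoSize
```

Run it elevated so that Path is populated for every process. Treat the Suspicious column as a triage hint rather than a verdict: a per-user browser install (Chrome's helper processes under %LOCALAPPDATA%, for example) can trip the same signals, so confirm by looking at the path and whether the folder contains the svcvmx/CEF files listed in this article.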

As you can see, SmartService exhibits rootkit behavior, purposely prevents security programs from running, and is bundled with what appears to be a Trojan.Clicker. This goes far beyond what is normally associated with adware and PUPs, yet it is still being distributed alongside them and by the companies that distribute download installers.

How do you Remove SmartService?

Most security software now detects SmartService, so as long as you have an updated anti-malware or anti-virus program running you should not get infected. If you are infected, the easiest way to remove SmartService is to use an unsigned security program renamed to something innocuous like iexplore.exe, so that it passes both of the driver's checks: the process name is not on the blocklist and there is no blocked publisher signature to match. Simply renaming a signed tool from a blocked vendor is not enough, because the signature check still matches. For our guide, we are using an unsigned version of Zemana, which has been staying on top of this infection.

Otherwise, you will need to boot into the Windows Recovery Environment and manually delete the files associated with SmartService. Start with the driver, C:\Windows\System32\drivers\ndistpr64.sys, since nothing protects it while Windows is not running, and the drmkpro64 service's ErrorControl value of 0 means Windows will simply skip the missing driver on the next boot. Once you reboot, your normal security programs should launch and can remove the leftovers.
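The removal advice above, and the earlier point that the driver decides by process name or publisher signature, can be made mechanical. The following is an added example and not the article's or any vendor's code. Test-CleanerLaunchable applies the driver's two criteria to a scanner you intend to run (the blocklist excerpts are taken from the full lists at the end of this article); Start-CleanerRenamed copies it under a neutral name when that is sufficient; Remove-SmartServiceOffline is the manual route for a PowerShell prompt inside WinRE (or a WinPE image with PowerShell added), loading the offline SYSTEM hive and deleting the service keys and files listed in this article. It assumes the Windows volume is D: inside WinRE; check with `dir D:\Windows` first. The reg.exe lines can be typed unchanged at the WinRE Command Prompt, with del and rmdir standing in for Remove-Item.

```powershell
# Added example for the removal procedure. Excerpts of the article's blocklists; function names are mine.

$BlockedNames   = 'MBAM.EXE', 'HIJACKTHIS.EXE', 'COMBOFIX.EXE', 'AVP.EXE', 'EGUI.EXE', 'SUPERANTISPYWARE.EXE'
$BlockedSigners = 'Malwarebytes', 'Kaspersky', 'ESET', 'Zemana', 'Emsisoft', 'Bleeping Computer',
                  'AVAST', 'AVG', 'Bitdefender', 'Sophos', 'Trend Micro'

function Test-CleanerLaunchable {
    param([Parameter(Mandatory)][string]$Path)
    $name = (Split-Path -Path $Path -Leaf).ToUpperInvariant()
    $nameBlocked = $BlockedNames -contains $name
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerBlocked = [bool]($BlockedSigners | Where-Object { $signer -match [regex]::Escape($_) })
    [pscustomobject]@{
        Path          = $Path
        NameBlocked   = $nameBlocked
        Signer        = $signer
        SignerBlocked = $signerBlocked
        # Renaming defeats only the name check; a blocked publisher is still matched by the signature.
        RenameHelps   = $nameBlocked -and -not $signerBlocked
        WillRun       = -not $nameBlocked -and -not $signerBlocked
    }
}

function Start-CleanerRenamed {
    param([Parameter(Mandatory)][string]$Path, [string]$NeutralName = 'iexplore.exe')
    $check = Test-CleanerLaunchable -Path $Path
    if ($check.SignerBlocked) {
        throw "Signed by a blocked publisher ($($check.Signer)); renaming will not help. Use an unsigned build or clean from WinRE."
    }
    $copy = Join-Path $env:TEMP $NeutralName
    Copy-Item -LiteralPath $Path -Destination $copy -Force
    Start-Process -FilePath $copy -PassThru
}

function Remove-SmartServiceOffline {
    param([string]$WindowsDrive = 'D:')   # assumption: Windows volume letter as seen from WinRE
    $hiveName = 'HKLM\OfflineSys'
    reg.exe load $hiveName "$WindowsDrive\Windows\System32\config\SYSTEM" | Out-Null
    try {
        # An offline hive has no CurrentControlSet link; resolve the active control set from Select\Current.
        $current = (Get-ItemProperty -LiteralPath 'HKLM:\OfflineSys\Select').Current
        $controlSet = '{0}\ControlSet{1:D3}' -f $hiveName, $current
        foreach ($svc in 'drmkpro64', 'Dataup', 'windowsmanagementservice', 'QDCOMSVC', 'SMARTSERVICE') {
            reg.exe delete "$controlSet\Services\$svc" /f 2>$null | Out-Null
        }
        reg.exe delete "$controlSet\Services\eventlog\Application\Dataup" /f 2>$null | Out-Null
    } finally {
        reg.exe unload $hiveName | Out-Null
    }
    # The driver and the protected process are unguarded while Windows is not running.
    $targets = @("$WindowsDrive\Windows\System32\drivers\ndistpr64.sys",
                 "$WindowsDrive\Windows\System32\tprdpw32.exe",
                 "$WindowsDrive\Program Files (x86)\s5")
    foreach ($userDir in Get-ChildItem -LiteralPath "$WindowsDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        foreach ($sub in 'ntuserlitelist', 'llssoft', 'hdsvad', 'ewjipbsd') {
            $targets += Join-Path $userDir.FullName "AppData\Local\$sub"
        }
    }
    foreach ($t in $targets) {
        if (Test-Path -LiteralPath $t) { Remove-Item -LiteralPath $t -Recurse -Force; "removed $t" }
    }
}
```

Test-CleanerLaunchable is the check to run before you copy a tool to iexplore.exe: if SignerBlocked is true the rename buys nothing, which is exactly why the guide uses an unsigned Zemana build. Remove-SmartServiceOffline only touches the keys and paths named in this article; the COM and uninstall entries in the registry list can be left for the scanner that runs after the reboot.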


Files associated with SmartService:

C:\Program Files (x86)\s5\
C:\Program Files (x86)\s5\s.exe
C:\Program Files (x86)\s5\u.exe
%UserProfile%\AppData\Local\Temp\1492607097\
%UserProfile%\AppData\Local\Temp\1492607097\s5-20170325.exe
%UserProfile%\AppData\Local\Temp\1492607097\s5-20170325.zip
%UserProfile%\AppData\Local\Temp\1492607097\s5m_install_325.exe
%UserProfile%\AppData\Local\Temp\1492607097\s5m_install_325.zip
%UserProfile%\AppData\Local\Temp\2640_20819\
%UserProfile%\AppData\Local\CEF\User Data\Dictionaries\
%UserProfile%\AppData\Local\ewjipbsd\
%UserProfile%\AppData\Local\ewjipbsd\ct.exe
%UserProfile%\AppData\Local\hdsvad\
%UserProfile%\AppData\Local\hdsvad\qdcomsvc.exe
%UserProfile%\AppData\Local\llssoft\
%UserProfile%\AppData\Local\llssoft\winvmx\
%UserProfile%\AppData\Local\llssoft\winvmx\data662
%UserProfile%\AppData\Local\llssoft\winvmx\data662\Cookies
%UserProfile%\AppData\Local\llssoft\winvmx\data662\Cookies-journal
%UserProfile%\AppData\Local\llssoft\winvmx\data662\data_0
%UserProfile%\AppData\Local\llssoft\winvmx\data662\data_1
%UserProfile%\AppData\Local\llssoft\winvmx\data662\data_2
%UserProfile%\AppData\Local\llssoft\winvmx\data662\data_3
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000001
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000002
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000003
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000004
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000005
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000006
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000007
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000008
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000009
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00000f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000010
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000011
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000012
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000013
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000014
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000015
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000016
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000017
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000018
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000019
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00001b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00001c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00001d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00001e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00001f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000020
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000021
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000022
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000023
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000024
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000025
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000026
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000027
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000028
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000029
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00002f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000030
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000031
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000032
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000033
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000034
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000035
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000036
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000038
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000039
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00003f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000040
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000041
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000042
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000043
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000044
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000045
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000046
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000047
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000048
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000049
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00004f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000050
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000051
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000052
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000053
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000054
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000055
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000056
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000057
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000058
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000059
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00005f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000060
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000061
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000062
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000063
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000064
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000065
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000066
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000067
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000068
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000069
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00006f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000070
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000071
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000072
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000073
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000074
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000075
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000076
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000077
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000078
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000079
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00007f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000080
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000081
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000082
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000083
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000084
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000085
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000086
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000087
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000088
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000089
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00008f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000090
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000091
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000092
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000093
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000094
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000095
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000096
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000097
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000098
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_000099
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009a
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009b
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009c
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009d
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009e
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_00009f
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a0
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a1
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a2
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a3
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a4
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a5
%UserProfile%\AppData\Local\llssoft\winvmx\data662\f_0000a6
%UserProfile%\AppData\Local\llssoft\winvmx\data662\GPUCache\
%UserProfile%\AppData\Local\llssoft\winvmx\data662\GPUCache\data_0
%UserProfile%\AppData\Local\llssoft\winvmx\data662\GPUCache\data_1
%UserProfile%\AppData\Local\llssoft\winvmx\data662\GPUCache\data_2
%UserProfile%\AppData\Local\llssoft\winvmx\data662\GPUCache\data_3
%UserProfile%\AppData\Local\ntuserlitelist\
%UserProfile%\AppData\Local\ntuserlitelist\dataup\
%UserProfile%\AppData\Local\ntuserlitelist\dataup\dataup.exe
%UserProfile%\AppData\Local\ntuserlitelist\dataup\dataup.ini
%UserProfile%\AppData\Local\ntuserlitelist\dataup\help_dll.dll
%UserProfile%\AppData\Local\ntuserlitelist\dataup\NTSVC.ocx
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\cef.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\cef_100_percent.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\cef_200_percent.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\cef_extensions.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\d3dcompiler_47.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\dbghelp.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\debug.log
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\icudtl.dat
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\libcef.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\libEGL.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\libGLESv2.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\locales\
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\locales\en-US.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\locales\zh-CN.pak
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\natives_blob.bin
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\pepflashplayer.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\snapshot_blob.bin
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\svcvmx.log
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\widevinecdm.dll
%UserProfile%\AppData\Local\ntuserlitelist\svcvmx\widevinecdmadapter.dll
%UserProfile%\AppData\Local\ntuserlitelist\winscr\
%UserProfile%\AppData\Local\ntuserlitelist\winscr\winscr.exe
%UserProfile%\AppData\Roaming\c\
%UserProfile%\Desktop\s5.lnk
C:\Windows\System32\drivers\ndistpr64.sys
C:\Windows\System32\GWX\Download\Config.cab
C:\Windows\System32\GWX\Download\detectorN.dat
C:\Windows\System32\tprdpw32.exe

Registry Entries Associated with SmartService:

HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Classes\NTService.Control.1
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService\install_time	13137080704437033
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService\Liveup	79641392-9DBA-48B6-80C9-996632AFC5B3
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService\dataup_time	13137081001372428
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService\svcvmx_time	13137081009094428
HKLM\SOFTWARE\Wow6432Node\Microsoft\Network\FileService\winscr_time	13137081010782428
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\	0
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\DisplayName	s5m
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\UninstallString	C:\Program Files (x86)\s5\u.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\DisplayIcon	C:\Program Files (x86)\s5\u.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\Publisher	s5m
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\s5m\DisplayVersion	2.0.2
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
HKLM\SOFTWARE\Wow6432Node\xs
HKLM\SOFTWARE\Wow6432Node\xs\	0
HKLM\SOFTWARE\Wow6432Node\xs\InstallDir	SOFTWARE\xs
HKLM\SOFTWARE\Wow6432Node\xs\Version	2.0.2
HKLM\SOFTWARE\Wow6432Node\xs\AllUser	1
HKLM\SOFTWARE\Wow6432Node\xs\ref
HKLM\SOFTWARE\Wow6432Node\xs\ref\aid	1000081
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Dataup
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Dataup\EventMessageFile	%UserProfile%\AppData\Local\NTUSER~1\dataup\NTSVC.ocx
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Dataup\TypesSupported	7
HKLM\SYSTEM\CurrentControlSet\services\Dataup
HKLM\SYSTEM\CurrentControlSet\services\Dataup\Type	16
HKLM\SYSTEM\CurrentControlSet\services\Dataup\Start	2
HKLM\SYSTEM\CurrentControlSet\services\Dataup\ErrorControl	1
HKLM\SYSTEM\CurrentControlSet\services\Dataup\ImagePath	%UserProfile%\AppData\Local\NTUSER~1\dataup\dataup.exe
HKLM\SYSTEM\CurrentControlSet\services\Dataup\DisplayName	Dataup Service
HKLM\SYSTEM\CurrentControlSet\services\Dataup\WOW64	1
HKLM\SYSTEM\CurrentControlSet\services\Dataup\ObjectName	LocalSystem
HKLM\SYSTEM\CurrentControlSet\services\Dataup\Description	Detect version consistency of client and server, and get the latest version from the server.
HKLM\SYSTEM\CurrentControlSet\services\Dataup\Parameters
HKLM\SYSTEM\CurrentControlSet\services\Dataup\Parameters\TimerInterval	300
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Type	1
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Start	0
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\ErrorControl	0
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\ImagePath	system32\drivers\ndistpr64.sys
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\DisplayName	drmkpro64
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Group	System Reserved
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\WOW64	1
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Instances
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Instances\DefaultInstance	drmkpro64 Instance
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Instances\drmkpro64 Instance
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Instances\drmkpro64 Instance\Altitude	45666
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Instances\drmkpro64 Instance\Flags	0
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Enum
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Enum\0	Root\LEGACY_DRMKPRO64\0000
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Enum\Count	1
HKLM\SYSTEM\CurrentControlSet\services\drmkpro64\Enum\NextInstance	1
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\Type	16
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\Start	2
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\ErrorControl	1
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\ImagePath	"%UserProfile%\AppData\Local\ewjipbsd\ct.exe" /svc
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\DisplayName	Windows Management Service
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\DependOnService	RPCSS
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\WOW64	1
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\ObjectName	LocalSystem
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\Description	Provides management service for system.
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\DelayedAutostart	1
HKLM\SYSTEM\CurrentControlSet\services\windowsmanagementservice\FailureActions	BINARY SIZE=44 MD5=EB077EEC8DF1CCF95BE8EA74EF0AEFE1

SmartService Hashes (SHA-256):

1d4236b3c446c1ab86c577615cc52d4edc99bf5b4077cd93e6cd37b90d6991a0

List of Blocked Processes:

SECURITYTASKMANAGER.EXE, SPEEDUPMYPC.EXE, REMOTEPROCESSES.EXE, SYSTEMHEALER.EXE, RVL1QB3C.EXE, COMBOFIX.EXE, HIJACKTHIS.EXE, CWSHREDDER.EXE, SUNNYDAY.EXE, APPVERIFIER.EXE, DEKKER.EXE, FOOTPRINTS.EXE, FOREPLAY.EXE, INTERNETPORT3.EXE, NOWUSEEITPLAYER.EXE, RATCHET.EXE, SMOLDER.EXE, WEBDEV.EXE, WINDOWEATHER.EXE, WINLOGGER.EXE, YTDOWNLOADER.EXE, NETTRANS.EXE, FASTWEB.EXE, OSPD_US_, UNOKUCU.EXE, WINCHECK.EXE, VETICEQ.EXE, GEUNFY.EXE, Q3CI_ CGVP.EXE, GUVTDHJI.EXE, HEMKAJDOA.EXE, JSDRV.EXE, LOWYKU.EXE, MUSGOWNYO.EXE, SETMYHOMEPAGE.EXE, WIN_EN_77.EXE, WIZZCASTER.EXE, XEEEDXI.EXE, XMKYSECQUN64.EXE, MAINTAINER.EXE, DSRLTE.EXE, EITEHKO.EXE, GOPIDUL.EXE, PRODUPD.EXE, BFSVC.EXE, GMSD_US_, HDAUDIO.EXE, RAWEI.EXE, VPDAGENT_X64.EXE, CASTER.EXE, VESTIE.EXE, WINDOWS DEFENDER.EXE, RZSYNAPSE.EXE, BESTCLEANER.EXE, INTERSTAT, UPDATEADMIN.EXE, IC-, \SET.EXE, ANONYMIZERLAUNCHER, PCCLEANPLUS, LEAPING, MYTRANSITGUIDE, OPTIMUM, REOPTIMIZER, VIDSQAURE, S5MARK, MYMEMORY, 360RP.EXE, 360RPS.EXE, 360SAFE.EXE, 360SAFEBOX.EXE, 360SD.EXE, 360TRAY.EXE, A2GUARD.EXE, A2SERVICE.EXE, A2START.EXE, ADAWAREDESKTOP.EXE, ADAWARESERVICE.EXE, ADAWARETRAY.EXE, AGENTSVC.EXE, ARWSRVC.EXE, ASWIDSAGENTA.EXE, AVASTSVC.EXE, AVASTUI.EXE, AVCENTER.EXE, AVGRSX.EXE, AVGSVC.EXE, AVGSVCA.EXE, AVGSVCX.EXE, AVGUI.EXE, AVGUIRNA.EXE, AVGUIX.EXE, AVKPROXY.EXE, AVKSERVICE.EXE, AVKTRAY.EXE, AVKWCTLX64.EXE, AVP.EXE, AVPUI.EXE, BDAGENT.EXE, BDSSVC.EXE, BDWTXAG.EXE, BGNAG.EXE, BGWSC.EXE, BSSISS.EXE, BULLGUARD.EXE, BULLGUARDBHVSCANNER.EXE, BULLGUARDSCANNER.EXE, BULLGUARDUPDATE.EXE, BYTEFENCE.EXE, CAVWP.EXE, CIS.EXE, CISPREMIUM_INSTALLER.EXE, CISTRAY.EXE, CLAMBC.EXE, CLAMCONF.EXE, CLAMD.EXE, CLAMDSCAN.EXE, CLAMSCAN.EXE, CMDAGENT.EXE, COMPUCLEVER.EXE, COREFRAMEWORKHOST.EXE, CORESERVICESHELL.EXE, DWARKDAEMON.EXE, DWENGINE.EXE, DWSERVICE.EXE, EGUI.EXE, EHTTPSRV.EXE, EKRN.EXE, EMLPROXY.EXE, FCAPPDB.EXE, FCDBLOG.EXE, FCHELPER64.EXE, FILMSG.EXE, FMON.EXE, FORTICLIENT.EXE, FORTICLIENTVIRUSCLEANER.EXE, FORTIESNAC.EXE, FORTIPROXY.EXE, 
FORTISCAND.EXE, FORTISSLVPNDAEMON.EXE, FORTIWF.EXE, FPAVSERVER.EXE, FPROTTRAY.EXE, FPWIN.EXE, FRESHCLAM.EXE, FSADMINSETTINGS.EXE, F-SECURE-SAFE-NETWORK-INSTALLER.EXE, FSGK32.EXE, FSHDLL64.EXE, FSHOSTER32.EXE, FSMA32.EXE, FSORSP.EXE, FSSM32.EXE, GDKBFLTEXE32.EXE, GDSC.EXE, GDSCAN.EXE, GEEKBUDDYRSP.EXE, GUARDXKICKOFF.EXE, GUARDXKICKOFF_X64.EXE, GUARDXSERVICE.EXE, GUARDXSERVICE_X64.EXE, GUARDXUP.EXE, INSTUP.EXE, IPARMOR.EXE, IPTRAY.EXE, ISESRV.EXE, K7AVSCAN.EXE, K7CRVSVC.EXE, K7EMLPXY.EXE, K7RTSCAN.EXE, K7SYSMON.EXE, K7TSECURITY.EXE, K7TSMAIN.EXE, K7TSMNGR.EXE, KAVSTART.EXE, KAVSVC.EXE, KAVSVCUI.EXE, KMAILMON.EXE, KSAFESVC.EXE, KSAFETRAY.EXE, KWATCH.EXE, LAUNCHER_SERVICE.EXE, MBAM.EXE, MBAMSERVICE.EXE, MBAMTRAY.EXE, MCAPEXE.EXE, MCCLIENTANALYTICS.EXE, MCCSPSERVICEHOST.EXE, MCSACORE.EXE, MCSHIELD.EXE, MCSVHOST.EXE, MFEFIRE.EXE, MFEMMS.EXE, MFEVTPS.EXE, MODULECORESERVICE.EXE, MYPCBACKUP.EXE, NANOAV.EXE, NANOSVC.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NORMAN_MALWARE_CLEANER.EXE, ONESYSTEMCARE.EXE, ONLINENT.EXE, OPSSVC.EXE, PANDA_URL_FILTERINGB.EXE, PCCGUIDE.EXE, PCCMAIN.EXE, PCCNTMON.EXE, PEFSERVICE.EXE, PRODUCTAGENTSERVICE.EXE, PSANHOST.EXE, PSUACONSOLE.EXE, PSUAMAIN.EXE, PSUASERVICE.EXE, PTSESSIONAGENT.EXE, PTSVCHOST.EXE, QMDL.EXE, QQPCMGR.EXE, QQPCNETFLOW.EXE, QQPCPATCH.EXE, QQPCREALTIMESPEEDUP.EXE, QQPCRTP.EXE, QQPCTRAY.EXE, QTWEBENGINEPROCESS.EXE, QUHLPSVC.EXE, RAV.EXE, RAVMON.EXE, RAVMOND.EXE, RAVTIMER.EXE, REPRSVC.EXE, RISING.EXE, SABSI.EXE, SAFEBOXTRAY, SAPISSVC.EXE, SASCORE.EXE, SBAMSVC.EXE, SBAMTRAY.EXE, SBPIMSVC.EXE, SCANNER.EXE, SCANWSCS.EXE, SCHED.EXE, SCSECSVC.EXE, SDRSERVICE.EXE, SECCENTER.EXE, SIGTOOL.EXE, SNTPSERVICE.EXE, SOLOCFG.EXE, SOLOSCAN.EXE, SOLOSENT.EXE, SPHINX.EXE, SUPERANTISPYWARE.EXE, SWEEP95.EXE, TBSCAN.EXE, TWISTER.EXE, TWSSCAN.EXE, TWSSRV.EXE, UISEAGNT.EXE, UIWATCHDOG.EXE, UIWINMGR.EXE, UPDATESRV.EXE, VBA32LDR.EXE, VIPREEDGEPROTECTION.EXE, VIPREUI.EXE, VIRUSUTILITIES.EXE, VKISE.EXE, VSSERV.EXE, VSSERVP.EXE, WEBSCANX.EXE, WFINDV32.EXE, 
DWSCANNER.EXE, FRWL_SVC.EXE, SPIDERAGENT.EXE, SPIDERAGENT_ADM.EXE, FRWL_NOTIFY.EXE, DWNETFILTER.EXE, A2WIZARD.EXE, SASCORE64.EXE, SASTASK.EXE, PANDASECURITYTB.EXE, AVGCSRVA.EXE, AVGIDSAGENTA.EXE, AVGWDSVCA.EXE, AVGNT.EXE, AVGUARD.EXE, AVSHADOW.EXE, AVIRA.SERVICEHOST.EXE, AVIRA.SYSTRAY.EXE, AVIRA.SYSTEMSPEEDUP.SPEEDUPSERVICE.EXE, AVIRA.SYSTEMSPEEDUP.UI.SYSTRAY.EXE, AVGRSA.EXE, AVGFWSA.EXE, AVGNSA.EXE, AVGEMCA.EXE, AVGMFAPX.EXE, AVGCOMDLGA.EXE, AVGDIAGEX.EXE, AVGCMGR.EXE, AVMAILC7.EXE, AVWEBG7.EXE, AVIRA.SYSTRAYSTARTTRIGGER.EXE, MCHOST.EXE, MCUICNT.EXE, MCODS.EXE, ZHUDONGFANGYU.EXE, 360SDRUN.EXE, VSSBRIDGE64.EXE, NANOREPORT.EXE, NANOREPORTC64.EXE, AVKBAP64.EXE, PTWATCHDOG.EXE, QHAVFT64.EXE, INST.EXE, STRTUPAP.EXE, EECLNT.EXE, DRAGON_UPDATER.EXE, CSSSRV64.EXE, UNIT_MANAGER.EXE, UNIT.EXE, VDCSS.EXE, CMDVIRTH.EXE, FORTITRAY.EXE

List of Blocked Digital Signatures:

System Healer Tech Sp.Zo.o.
Beijing Rising Information Technology Corporation Limited
Filseclab Corporation
Trend Micro, Inc.
SUPERAntiSpyware.com
Sophos Ltd
ThreatTrack Security, Inc.
IKARUS Security Software GmbH
Quick Heal Technologies(Pvt) Ltd.
Panda Security S.L
Blue Coat Norway AS
NANO Security Ltd
McAfee, Inc.
Glarysoft LTD
Malwarebytes Corporation
Kaspersky Lab
K7 Computing Pvt Ltd
SurfRight B.V.
FRISK Software International
Fortinet Technologies
Emsisoft GmbH
ESET, spol.s r.o.
Doctor Web Ltd.
Immunet Corporation
Comodo Security Solutions
G DATA Software AG
BullGuard Ltd.
BullGuard Ltd
Bitdefender SRL
Avira Operations GmbH & Co.KG
AVG Technologies CZ, s.r.o.
AVAST Software s.r.o.
AVAST Software a.s.
System Healer Tech Sp.Zo.o.
Lavasoft Limited
Check Point Software Technologies Ltd.
VIRUSBLOKADA ODO
Beijing Kingsoft Security software Co., Ltd
Qihoo 360 Software(Beijing) Company Limited
Plumbytes Software Lp
Bleeping Computer, LLC.
Doctor Web
Filseclab
Trend Micro
SUPERAntiSpyware
IKARUS
Quick Heal
Panda Security
Symantec Corporation
NANO
McAfee
Malwarebytes
Kaspersky
K7 Computing
FRISK
Fortinet
Emsisoft
ESET
Immunet
Comodo
G DATA
NovaShield
BullGuard
Bitdefender
Avira
AVG
AVAST
AhnLab
Lavasoft
System Healer Tech Sp.Zo.o.
Baidu (China)
Safer Networking Ltd.
BrightFort LLC
Gridinsoft, LLC
Auslogics Labs Pty Ltd
Datpol Janusz Siemienowicz
Zemana Ltd.
Piriform Ltd
IObit Information Technology
Check Point
VIRUSBLOKADA
Sophos
ThreatTrack
Blue Coat
Glarysoft
SurfRight
Computer Associates International
Shanghai 2345 Network
Beijing Kingsoft Security
Beijing Rising Information
Qihoo 360 Software