Trojan.Win32.Delphi_728ec40989 – Adaware

Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 728ec40989b9fe277e20820160493b9d

SHA1: 63c5224ec5b6942d7cb6c3ade9b6b800aef55d30

SHA256: f7b02ab2d8cff4e99d49219502207cde65055f3d23e6de353eff21c1eb888ef9

SSDeep: 98304:v3gIFc18bjSr9IALPrT/jooFpSkqd7Ow47mu/g6Db7RvCyA/uZhohK:Pgmc12MPLTT/jooPSkqdA7DL9HZhohK

Size: 5110784 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-06 12:31:50

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

optprosetup.exe:3448
LiveSupport.exe:1464
regsvr32.exe:2468
regsvr32.exe:2372
%original file name%.exe:2916
LiveSupport_setup.exe:2424
LiveSupport_setup.tmp:2432
optprosetup.tmp:1528

The Trojan injects its code into the following process(es):

LiveSupport.exe:3576
OptProStart.exe:2208

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process optprosetup.exe:3448 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-MF9LA.tmp\optprosetup.tmp (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-MF9LA.tmp\optprosetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-MF9LA.tmp (0 bytes)

The process LiveSupport.exe:1464 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)

The process LiveSupport.exe:3576 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1245 bytes)

The process regsvr32.exe:2372 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (133 bytes)

The process %original file name%.exe:2916 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (632205 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (7188 bytes)

The process LiveSupport_setup.exe:2424 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6G66.tmp\LiveSupport_setup.tmp (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-I6G66.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6G66.tmp\LiveSupport_setup.tmp (0 bytes)

The process LiveSupport_setup.tmp:2432 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-9R878.tmp (34256 bytes)
%Program Files%\LiveSupport\is-BCFK8.tmp (673 bytes)
%Program Files%\LiveSupport\is-HKE1F.tmp (1281 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NVBSV.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-N6SSS.tmp (7385 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-NVBSV.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NVBSV.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NVBSV.tmp\_isetup (0 bytes)

The process optprosetup.tmp:1528 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Optimizer Pro\is-9JPN4.tmp (7547 bytes)
%Program Files%\Optimizer Pro\is-EKSID.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-9E9RR.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-9QVKT.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-UIUUH.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-BS0CG.tmp (185630 bytes)
%Program Files%\Optimizer Pro\is-D17JS.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-S0B9L.tmp (48 bytes)
%Program Files%\Optimizer Pro\unins000.dat (13793 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-CA5CG.tmp (712 bytes)
%Program Files%\Optimizer Pro\is-CH6VG.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\is-MO715.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-SJD5J.tmp (1425 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-3LFN4.tmp (898 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-RV9JS.tmp (31891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-D0U9S.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-EN83R.tmp (7345 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-DVD0L.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-EQASH.tmp (54 bytes)
%Program Files%\Optimizer Pro\is-RPMNS.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-EQKJ8.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\LiveSupport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\optpro2.bmp (0 bytes)

Registry activity

The process optprosetup.exe:3448 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B F3 77 54 A1 C4 31 99 B1 CE 74 1D 5F C2 02 89"

The process LiveSupport.exe:1464 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 81 04 81 5B 8D DA 15 1E C5 F3 8E 24 75 5C 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process LiveSupport.exe:3576 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\LiveSupport]
"SoftUpdateUrl" = "http://updates.livesupport.pcutilitiespro.com"
"ShowTitleBarBtn" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\LiveSupport]
"Assistant" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"

"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"Language" = "1"

"OS" = "102"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\LiveSupport]
"SoftUpdateDate" = "0"
"RunOnOSRun" = "1"
"QueryDate" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"

"FixHoverIconToTray" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 1E 46 B0 1B FE 6F C1 37 06 4E 10 49 3E 44 CB"

[HKCU\Software\LiveSupport]
"InstallDate" = "1403558707"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\LiveSupport]
"MachineGuid" = "c3ff7ade-6883-4220-8790-0f5adb1a3b0f"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2468 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5A F5 C8 0A E3 86 32 23 AC 1D 13 CE 30 12 BE"

The process regsvr32.exe:2372 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 82 44 9C 5A 60 23 9F F1 1D 00 2F 47 38 DF DC"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"

The process %original file name%.exe:2916 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 E2 D4 9B E7 5C F0 CD 4E 69 08 3D A0 B6 2F 19"

[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"

The process OptProStart.exe:2208 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111000524-CR-085&g=5CCF8AC3-D317-BBC7-BB70-FB3EBDA0F605&t=1"
"UseAds" = "1"
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121000524/DriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Optimizer Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111000524-CR-085"
"DelayedStart" = "15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

"Querry" = "http://bi.softservers.net/t/op?sid=111000524-CR-085&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=4219141986"
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121000524&g=5CCF8AC3-D317-BBC7-BB70-FB3EBDA0F605"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 9F 57 6B 9B 9A 11 0E ED CB 00 16 F1 C6 5D 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"InstallDate" = "D8 2E F7 8D C0 6A E4 40"
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "5CCF8AC3-D317-BBC7-BB70-FB3EBDA0F605"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport_setup.exe:2424 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 93 1D 7E 91 DD 9A E3 38 91 BC 3F 99 81 55 FA"

The process LiveSupport_setup.tmp:2432 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121000524/DriverPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"

[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: App Path" = "%Program Files%\LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"

[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Publisher" = "PC Utilities Software Limited"
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"MinorVersion" = "2"

[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171000524"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171000524-CA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191000524/OptmizerPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C B6 53 91 16 E7 3C C9 C4 BA 33 B6 D8 87 3E 11"

[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171000524-CA-035"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140624"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process optprosetup.tmp:1528 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"
"culValue" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"

[HKCU\Software\Optimizer Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
"Inno Setup: Language" = "en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"

"NoModify" = "1"
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140624"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 62 A6 A0 5B 8E FA 07 81 C4 AA 3D 08 C6 3A 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-NH1E6.tmp]
"LiveSupport.exe" = "LiveSupport Installer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
d2d6341a87cc3995abe80f505b6e112a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LiveSupport_setup.exe
efeb261e8d6ed866df1f375fed6a8722	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\optprosetup.exe
87217247d99dd350a595399fb11b349a	c:\Program Files\LiveSupport\LiveSupport.exe
a6127535670da8d8d0d338faf81112ec	c:\Program Files\LiveSupport\LiveSupport_deskband_x32.dll
69c715189c3106946c5dc13bb563450a	c:\Program Files\LiveSupport\LiveSupport_deskband_x64.dll
7c1fbcbbe0d2998719bbd6b73783bca5	c:\Program Files\LiveSupport\unins000.exe
875204a0782f45bb8d57d6834fb576af	c:\Program Files\Optimizer Pro\OptProGuard.exe
3a4eeddfc8d0727e0e28318e58cf8fcd	c:\Program Files\Optimizer Pro\OptProHelper.dll
3330647496ba2ffe5aef45d90fe80ca3	c:\Program Files\Optimizer Pro\OptProLauncher.exe
c0f86fce7b76a4654d539a515549a302	c:\Program Files\Optimizer Pro\OptProReminder.exe
0c6e770a153286cf59805cc4863ff2b2	c:\Program Files\Optimizer Pro\OptProSchedule.exe
c4022673ffc41805f8b72e7566e9a7fc	c:\Program Files\Optimizer Pro\OptProSmartScan.exe
cc168ef0d274fd530157e1e90b3add52	c:\Program Files\Optimizer Pro\OptProStart.exe
57c8575d8c4bb52a1ef3f9d816a1a005	c:\Program Files\Optimizer Pro\OptProUninstaller.exe
fdf0ccf9c02b2a25e62a8407fef221d8	c:\Program Files\Optimizer Pro\OptimizerPro.exe
d82a429efd885ca0f324dd92afb6b7b8	c:\Program Files\Optimizer Pro\itdownload.dll
0f66e8e2340569fb17e774dac2010e31	c:\Program Files\Optimizer Pro\sqlite3.dll
a93afd5279f5244728662fa6e88ca972	c:\Program Files\Optimizer Pro\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
optprosetup.exe:3448
LiveSupport.exe:1464
regsvr32.exe:2468
regsvr32.exe:2372
%original file name%.exe:2916
LiveSupport_setup.exe:2424
LiveSupport_setup.tmp:2432
optprosetup.tmp:1528
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\is-MF9LA.tmp\optprosetup.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1245 bytes)
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (632205 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (7188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6G66.tmp\LiveSupport_setup.tmp (7386 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-9R878.tmp (34256 bytes)
%Program Files%\LiveSupport\is-BCFK8.tmp (673 bytes)
%Program Files%\LiveSupport\is-HKE1F.tmp (1281 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NVBSV.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-N6SSS.tmp (7385 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Program Files%\Optimizer Pro\is-9JPN4.tmp (7547 bytes)
%Program Files%\Optimizer Pro\is-EKSID.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-9E9RR.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-9QVKT.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-UIUUH.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-BS0CG.tmp (185630 bytes)
%Program Files%\Optimizer Pro\is-D17JS.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-S0B9L.tmp (48 bytes)
%Program Files%\Optimizer Pro\unins000.dat (13793 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-CA5CG.tmp (712 bytes)
%Program Files%\Optimizer Pro\is-CH6VG.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\is-MO715.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-SJD5J.tmp (1425 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-3LFN4.tmp (898 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-RV9JS.tmp (31891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-D0U9S.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-EN83R.tmp (7345 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-DVD0L.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-EQASH.tmp (54 bytes)
%Program Files%\Optimizer Pro\is-RPMNS.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NH1E6.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-EQKJ8.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	83149	83456	4.55467	85b2050c503ac757a6d6465071ba1133
.rdata	90112	20754	20992	3.38964	aeac203663a9c2f9acb6de2a121b34b8
.data	114688	13444	5632	2.15756	2cef89c59f35f4fcafe95749186c0933
.rsrc	131072	4972644	4973056	5.54154	7b902c0e3da9bbbef7541495e41f6915
.reloc	5107712	19764	19968	1.58353	a9d19550557de4f6d93d595a8fc3f3ac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 28
a212886f6e08f85b8eb2339a6a766e75
e653e742a1278944389a6a0fb040f863
20a75a4a6da63e7febc08439db56c472
b33918c49ab2aa35af81f52133130c5a
320e23b689bf12f6ae09f8bb61b1a83e
b4bc4b0ef675a026d82f1635f9117847
9395936ec05ab4d066b9a73e2c01bd9b
f02792f88bdec3f502bcfb637fd96b54
0134afa36d061c9dd6536eefd7a0c24b
c6f51e3eba4f4c3b329d8f15f20207c3
c018b8c463ac91bf51392e5050bcd207
c7d68974053a9a206373031218dbc54c
5329ea21ea06e6589e7cf23510e5cf15
6b333e3cff932fd4ae17348ff0f7ba8b
8e6e7f83dd11f41dcfa087862886e46c
da91d360013c88a5a2d546bfd6443387
2d2c4f7a9df66a0e1d7f1e138ca4192a
9aa56a4d114aea9c9ecc99bc7930d266
9b979736f3450b7b5a73fe3de1e8e18e
bdf34e3bc41538c08871d0b43221af65
1b9462b8a914e6de33d626b6a3b09a74
5548865ce497087cdbd151f2c62e4b32
997b86f2164f96876068ab3437f9d171
7d35ba0a78160fac482c6b7b59965feb
8afe3765ec6e3256004b35c61f15821c

Network Activity

URLs

URL	IP
hxxp://dl.softservers.net/171000524/LiveSupport.exe	184.154.145.171
hxxp://bi.softservers.net/t/op?sid=111000524-CR-085&dt=1403569499&gid=5CCF8AC3-D317-BBC7-BB70-FB3EBDA0F605&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=4219141986	107.6.170.117
hxxp://bi.softservers.net/t/ls?sid=171000524-CA-035&dt=1403558707&gid=c3ff7ade-6883-4220-8790-0f5adb1a3b0f&tz=1403565907&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400	107.6.170.117
hxxp://bi.softservers.net/t/ls?sid=171000524-CA-035&dt=1403558708&gid=c3ff7ade-6883-4220-8790-0f5adb1a3b0f&tz=1403565908&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400	107.6.170.117
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171000524	69.175.108.139

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /t/op?sid=111000524-CR-085&dt=1403569499&gid=5CCF8AC3-D317-BBC7-BB70-FB3EBDA0F605&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=4219141986 HTTP/1.1

Host: bi.softservers.net

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 02:19:59 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

GET /t/ls?sid=171000524-CA-035&dt=1403558707&gid=c3ff7ade-6883-4220-8790-0f5adb1a3b0f&tz=1403565907&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 02:20:08 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

....

GET /t/ls?sid=171000524-CA-035&dt=1403558708&gid=c3ff7ade-6883-4220-8790-0f5adb1a3b0f&tz=1403565908&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 02:20:08 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

GET /171000524/LiveSupport.exe HTTP/1.0

Host: dl.softservers.net

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 02:19:58 GMT

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 15:25:14 GMT

Connection: close

content-length: 1503528

ETag: "5328655a-16d478"

Content-Disposition: attachment; filename=LiveSupport.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................3.......................2.....................Rich............................PE..L....((S.................(...........g.......@....@.......................... ......(.....@.....................................P.......p...............(............................................q..@............@..P............................text....'.......(.................. ..`.rdata...L...@...N...,..............@..@.data....4...........z..............@....rsrc...p...........................@..@.reloc...'.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................U.........l.A.3..E.V.u.W.}.h..........j.P..;...........Qj.j.j(j...8AA.....j.........#.PWVh.AA.j...<AA.3... ..._^...M.3...;....].U...U....@$R.U.R.U.R..]............AA..:C.......U..V.....AA..$C...E..t.V..:.......^]............U..QV..j..M..:0...F....s.@.F..M..N0..^..].......U..QVW..j..M...0...G...t....s.H.G..w........M.#...0.._..^..].......AA...........U..QW.9..t;j..M.../...G...t....s.H.G.V.w......M...../..#.t.....j.....^_..]......................................U...E....u..y..r....E..U....]....y..r....M.P.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

OptProStart.exe_2208:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

!"#$%d

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyworddRA

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys\

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewP

WindowState

OnKeyDown

OnKeyPress

OnKeyUp

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

UhExE

%s, %.2d %s %.4d %s %s

%s, %d %s %d %s %s

password

Password

IdHTTPHeaderInfo

ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPassword(<F><pre>EIdOSSLLoadingRootCertErrorlFF</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient@dF</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>TIdHTTPOnHeadersAvailable</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPProtocol</pre><pre>TIdCustomHTTP</pre><pre>TIdHTTP</pre><pre>HTTPOptions</pre><pre>PortP</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>OnActionExecuteX</pre><pre>%s, ClassID: %s</pre><pre>ole32.dll</pre><pre>\OptimizerPro.exe</pre><pre>WelcomeURL</pre><pre>SupportURL</pre><pre>HomePageURL</pre><pre>BuyNowURL</pre><pre>UninstallURL</pre><pre>AdsDownloadURL</pre><pre>AdsBuyNowURL</pre><pre>BannerURL</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>wininet.dll</pre><pre>6!606@6`6</pre><pre>5!5%5)5-515</pre><pre>> >$>(>,>0>4>8><>@>\>|></pre><pre>0#0'0 0/03070;0</pre><pre>= >$>(>,>0>4></pre><pre>3 3$3(3,30343</pre><pre>9%9u9</pre><pre>5 5$5(5,5:5</pre><pre>8"9&9*92989</pre><pre>2 2$2(2,20242</pre><pre>5"5&5*5.52565:5</pre><pre>2"292\2?3</pre><pre>3 3$3(3,3034383<3@3\3|3</pre><pre>9 9$9(9,90949\9|9</pre><pre>5&5*5>5`5</pre><pre>2-2`2</pre><pre>KWindows</pre><pre>UrlMon</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>Font.Charset</pre><pre>Font.Color</pre><pre>Font.Height</pre><pre>Font.Name</pre><pre>Font.Style</pre><pre>Icon.Data</pre><pre>Could not load certificate.#Could not load key, check password.</pre><pre>SSL status: "%s"</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Command not supported.</pre><pre>Address type not supported.$Error accepting connection with SSL.</pre><pre>Error creating SSL context. Could not load root certificate.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>Chunk StartedDThis authentication method is already registered with class name %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>%s is not a valid IP address.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>No help keyword specified.</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help system installed</pre><pre>Alt Clipboard does not support Icons/Menu '%s' is already being used by another form</pre><pre>Unsupported clipboard format</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><pre>3.0.0.0</pre><b>LiveSupport.exe_3576:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>8%u:j</pre><pre>xSSSh</pre><pre>FTPjKS</pre><pre>FtPj;S</pre><pre>C.PjRV</pre><pre>RegOpenKeyTransactedW</pre><pre>RegCreateKeyTransactedW</pre><pre>RegDeleteKeyTransactedW</pre><pre>FRegDeleteKeyExW</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>portuguese-brazilian</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not permitted</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>RPCRT4.dll</pre><pre>InternetOpenUrlW</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>GdiplusShutdown</pre><pre>gdiplus.dll</pre><pre>SHLWAPI.dll</pre><pre>VERSION.dll</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegCreateKeyExW</pre><pre>RegDeleteKeyW</pre><pre>RegCloseKey</pre><pre>RegQueryInfoKeyW</pre><pre>RegEnumKeyExW</pre><pre>RegFlushKey</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>ShellExecuteW</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>OLEAUT32.dll</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>GetCPInfo</pre><pre>.?AV?$CFlagStateDlg@VCSupportContainerDlg@@@@</pre><pre>.?AV?$CDialogImpl@VCSupportContainerDlg@@VCWindow@ATL@@@ATL@@</pre><pre>.?AVCCmdLineOptions@@</pre><pre>.?AVCHttpHelper@@</pre><pre>.?AVCSupportContainerDlg@@</pre><pre>.?AVIHttpObserver@@</pre><pre>zcÁ</pre><pre>%c:^"</pre><pre>`%c:*</pre><pre>a).Wc@</pre><pre>50!`A.egu</pre><pre>%SDDB</pre><pre>A.eu~</pre><pre>.Ny_>`_</pre><pre>vF%D@D</pre><pre>.bm' O</pre><pre>L:.KeBf</pre><pre>.Hj(^</pre><pre>-.uwl</pre><pre>f%s$o</pre><pre>V.LGm</pre><pre>.Dt!n\</pre><pre> K.eOpmd</pre><pre>RI.lvy</pre><pre>.ZKl/ Z,</pre><pre>\iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" xmpMM:DocumentID="xmp.did:EA5144FCF05511E2B7E798039BD56FBF" xmpMM:InstanceID="xmp.iid:EA5144FBF05511E2B7E798039BD56FBF" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D55BB01090EFE211ACDE8560C64C7E45" stRef:documentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5" xmpMM:InstanceID="xmp.iid:ABDDC127FAB511E2AF40EC6881A4C2FD" xmpMM:DocumentID="xmp.did:ABDDC128FAB511E2AF40EC6881A4C2FD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ABDDC125FAB511E2AF40EC6881A4C2FD" stRef:documentID="xmp.did:ABDDC126FAB511E2AF40EC6881A4C2FD" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" xmpMM:DocumentID="xmp.did:12D33543FAB411E282A6DA328A34807F" xmpMM:InstanceID="xmp.iid:12D33542FAB411E282A6DA328A34807F" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B65DA3C4FDF9E211A6FF95665BD7D125" stRef:documentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>></pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"></compatibility></assembly></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></pre><pre><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></pre><pre>6f6C6T6b6s6</pre><pre>: :$:(:,:0:4:8:</pre><pre>4 4$4(4,404|:</pre><pre>:(:4:<:\:</pre><pre>2 2<2@2`2</pre><pre>3 3@3\3`3</pre><pre>(0@0`0|0</pre><pre>Advapi32.dll</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>cmdonly</pre><pre>LiveSupport_MainDlg</pre><pre>LiveSupport</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>unins000.exe</pre><pre>_log.txt</pre><pre>AdsLicenseKey</pre><pre>AdsRunKey</pre><pre>CallbannerUrl</pre><pre>Cmd params:</pre><pre>24x7 Tech Support</pre><pre>Live Support</pre><pre>UrlTerms</pre><pre>UrlPrivacy</pre><pre>UrlAbout</pre><pre>UrlFAQ</pre><pre>Uninstall LiveSupport</pre><pre>New update package is available for LiveSupport.</pre><pre>Support</pre><pre>AdsDownloadUrl</pre><pre>http://www.pcutilitiespro.com/terms-and-conditions.aspx</pre><pre>http://www.pcutilitiespro.com/privacy.aspx</pre><pre>http://www.pcutilitiespro.com/livesupport.aspx</pre><pre>http://www.pcutilitiespro.com/faq.aspx</pre><pre>SoftUpdateUrl</pre><pre>http://updates.livesupport.pcutilitiespro.com</pre><pre>Software\LiveSupport</pre><pre>Display icon on all windows</pre><pre>@_update.exe</pre><pre>/LiveSupport_setup_%ver%.exe</pre><pre>Call us now for instant Technical Support and Assistance for PC issues such as network, printer, software installation and much more</pre><pre>Certified Trained Technicians</pre><pre>LiveSupport-</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>nKERNEL32.DLL</pre><pre>WUSER32.DLL</pre><pre>%Program Files%\LiveSupport\LiveSupport.exe</pre><pre>"GENERAL_CALL","24x7 Tech Support",</pre><pre>"MDLG_MAIN_PAGE","< Support","< Startseite"</pre><pre>"MDLG_TSKBAR_TOOLTIP","Click here for instant access to technical support from the %APP_BRAND%","Klicken Sie hier f</pre><pre>r sofortigen Zugriff auf technischen Support von der %APP_BRAND%"</pre><pre>"SPDLG_TITLE_2","Support","-Support"</pre><pre>"SPDLG_TITLE_3","Your Certified PC Expert","Certified geschulte Techniker"</pre><pre>r den sofortigen technischen Support und Unterst</pre><pre>"SPDLG_TABTITLE","Support","Support"</pre><pre>"SCDLG_NETERROR","Error occurred while downloading %UPSELL_BRAND%. ","Internet Fehler beim Herunterladen% UPSELL_BRAND%."</pre><pre>"FDLG_LINK_UNINSTALL","Uninstall LiveSupport","Deinstallieren Live Support"</pre><pre><a>Uninstall LiveSupport</a></pre><pre>1234567</pre><pre>Replace%Select the entire document</pre><pre>Arrange Icons/Arrange windows so they overlap</pre><pre>Cascade Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows(Split the active window into panes</pre><pre>1.2.8.0</pre><pre>LiveSupport.exe</pre></F></pre></pre></pre>