Skip to main content

Backdoor.Win32.PcClient_5ae576c95f


Adware.Agent.OBK (B) (Emsisoft), Adware.Agent.OBK (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, VirTool, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5ae576c95f8be4b5db9d09788a3b907d

SHA1: 9f4dd3694ef6f24c8452d0dc2929f4119b5754fc

SHA256: 02e127d3a9ff47aa6127c1e1fdf2201853ae25ec02d4111232034fc99cd1125b

SSDeep: 196608:DNHg05PhyItLsFKOETSbejAWZraRhr5G6q:DNnPhOUt9jFBaXXq

Size: 6910992 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-04-28 09:33:59

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

LiveSupport_setup.tmp:1580
%original file name%.exe:868
LiveSupport.exe:536
regsvr32.exe:436
regsvr32.exe:648
rundll32.exe:1256
rundll32.exe:1272
LiveSupport_setup.exe:1600
setup.tmp:572
setup.exe:196

The Backdoor injects its code into the following process(es):

wuauclt.exe:540
LiveSupport.exe:540
OptProStart.exe:1176

File activity

The process LiveSupport_setup.tmp:1580 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Program Files%\LiveSupport\is-8TRDM.tmp (673 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-HKR4L.tmp (1281 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-50VJV.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Program Files%\LiveSupport\is-KJO4B.tmp (7385 bytes)
%Program Files%\LiveSupport\is-M4VEB.tmp (34256 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-50VJV.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-50VJV.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-50VJV.tmp (0 bytes)

The process %original file name%.exe:868 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (846078 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5716 bytes)

The process wuauclt.exe:540 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Backdoor deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process LiveSupport.exe:536 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)

The process LiveSupport.exe:540 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1220 bytes)

The process regsvr32.exe:648 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)

The process LiveSupport_setup.exe:1600 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2QU83.tmp\LiveSupport_setup.tmp (7386 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2QU83.tmp\LiveSupport_setup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2QU83.tmp (0 bytes)

The process setup.tmp:572 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-GVDO7.tmp (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-FP91K.tmp (712 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-4AIL0.tmp (48 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\OptProCrashSvc.dll (186 bytes)
%Program Files%\Optimizer Pro\is-1JIBB.tmp (22 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (193985 bytes)
%Program Files%\Optimizer Pro\is-7TETM.tmp (31891 bytes)
%Program Files%\Optimizer Pro\is-JAB92.tmp (1281 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\unins000.dat (17017 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-ACLN3.tmp (54 bytes)
%Program Files%\Optimizer Pro\is-61I25.tmp (185630 bytes)
%Program Files%\Optimizer Pro\is-AIPAC.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-354C0.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-FGHNC.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-UMLVN.tmp (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\OptProCrash.dll (22336 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-OPCD3.tmp (7345 bytes)
%Program Files%\Optimizer Pro\is-8KRNN.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-2O7QJ.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp (4 bytes)
%Program Files%\Optimizer Pro\is-JU8EF.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-H2GS3.tmp (7433 bytes)
%Program Files%\Optimizer Pro\is-6OD8U.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-2B7N4.tmp (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-9HFK3.tmp (673 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\LiveSupport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\optpro2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\itdownload.dll (0 bytes)

The process setup.exe:196 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-H12MI.tmp\setup.tmp (7386 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-H12MI.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-H12MI.tmp\setup.tmp (0 bytes)

Registry activity

The process LiveSupport_setup.tmp:1580 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"

[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"

[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"Inno Setup: App Path" = "%Program Files%\LiveSupport"
"MinorVersion" = "2"

[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171001356"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191001356/OptmizerPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 5A D5 F2 F8 D4 D2 B5 D9 74 0A 03 BE DC 8D 31"

[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171001356-UA-035"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"Publisher" = "PC Utilities Software Limited"

[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140511"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:868 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 A6 D6 4B 7F B8 DC DF 76 CA 6E C4 F9 8C FA 99"

[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"

The process LiveSupport.exe:536 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 8A 75 98 16 88 04 A4 79 7C 00 AB 98 D7 AD 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process LiveSupport.exe:540 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\LiveSupport]
"ShowTitleBarBtn" = "1"
"Assistant" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\LiveSupport]
"AppStart" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\LiveSupport]
"OS" = "102"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\LiveSupport]
"RunOnOSRun" = "1"
"QueryDate" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\LiveSupport]
"FixHoverIconToTray" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 44 94 D0 86 A2 75 95 28 18 F8 50 D5 CE A5 96"

[HKCU\Software\LiveSupport]
"InstallDate" = "1399771139"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\LiveSupport]
"MachineGuid" = "27bbdcf0-06bd-4574-8d1b-d04636589bed"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:436 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 25 E7 84 16 51 EF 08 C8 BC B1 58 68 DA AA AD"

The process regsvr32.exe:648 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 E9 AF 6D 91 23 1A 7E A4 A9 92 96 1F 5D 30 CB"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"

The process rundll32.exe:1256 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 F1 A9 16 47 18 AD 7B E2 0D 40 55 FD A8 57 D3"

The process rundll32.exe:1272 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 DA 1A 59 3E FE D3 23 C2 D9 A4 C6 85 D3 C7 24"

The process OptProStart.exe:1176 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111001356-LV-042&g=57E03A89-E8DD-D896-DD1F-4464BAAE2BCB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Optimizer Pro]
"UseAds" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Optimizer Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001356-LV-042"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"DelayedStart" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

"Querry" = "http://bi.softservers.net/t/op?sid=111001356-LV-042&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1958268274"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001356&g=57E03A89-E8DD-D896-DD1F-4464BAAE2BCB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 38 11 CE 67 B7 4E 27 4D 43 10 6E 89 11 C2 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"InstallDate" = "1A 65 9A BF 45 65 E4 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "57E03A89-E8DD-D896-DD1F-4464BAAE2BCB"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport_setup.exe:1600 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0F D1 4F 27 E6 AA 53 AA 0C 38 5F F2 85 D5 1C"

The process setup.tmp:572 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svpath" = "c:\progra~1\optimi~1\OptProCrashSvc.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2408491096"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"appid.0" = "4WOacm3ABKNtuqomjl9/0okPMZGU8UEyF2lx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"dlpath" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.0" = "fx7srbh7yYtOV3ysur4YE6cPAShFD1QbecV7Xrf5vKIPnxsAb5qmJN gRJq5mqNd/Eph tyP9VdU3zVx0qPklpBlUi//G1j7bkiDmQkg2L"
"data.1" = "q zCW48QCNnw0Jurpn3uPSVkohikjfq4jt8xvieOxa1iWYKjE2ewil bsTf3hhtCdO3kja5vRI6rklCoxTiSUxZ3 pDohExqyHYtGhhJhH614JqP28ufrtojwkzEG x"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2408491096"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1399771110"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/e/CV////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140511"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.0" = "i /piAWYSUMOQIKEG "
"usr.1" = "18F57MXZTVNPRJLFHw"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 0C 2D B5 99 68 1D E6 75 E8 F9 30 84 89 78 47"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"State" = "0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7f69fa1f" = "///%"
"0e93c3f3" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Language" = "en"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svt" = "1399771110"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2e22d94e" = "///%"
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\Optimizer Pro]
"culValue" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
"0dc3ee96" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.1" = "18F57MXZTVNPRJLFHw"
"usr.0" = "i /piAWYSUMOQIKEG "

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
"Version" = "22022009"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"27ddcf6f" = "///%"
"1520c6f1" = "V/////%%"
"0c230bcb" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_8d82f66f\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1399771110"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svn" = "Optimizer Pro Crash Monitor"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svi" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svx" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.1" = "q zCW48QCNnw0Jurpn3uPSVkohikjfq4jt8xvieOxa1iWYKjE2ewil bsTf3hhtCdO3kja5vRI6rklCoxTiSUxZ3 pDohExqyHYtGhhJhH614JqP28ufrtojwkzEG x"
"data.0" = "fx7srbh7yYtOV3ysur4YE6cPAShFD1QbecV7Xrf5vKIPnxsAb5qmJN gRJq5mqNd/Eph tyP9VdU3zVx0qPklpBlUi//G1j7bkiDmQkg2L"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/e/CV////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_8d82f66f\eae10f9d]
"340d3099" = "///%"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-8F7AR.tmp]
"LiveSupport.exe" = "LiveSupport Installer"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C/////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"ca82e1a5" = "%Program Files%\Optimizer Pro\OptProCrash.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C/////%"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.exe:196 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 41 CE B0 16 32 FD F5 68 CF 78 8A AC 42 6D 96"

Dropped PE files

MD5 File path
9dd553f06657dee90413079098f36ae4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-8F7AR.tmp\OptProCrash.dll
92dc6ef532fbb4a5c3201469a5b5eb63c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-8F7AR.tmp\_isetup\_shfoldr.dll
d82a429efd885ca0f324dd92afb6b7b8c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-8F7AR.tmp\itdownload.dll
ec110443a8093902cfc0a579a23380c5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-H12MI.tmp\setup.tmp
3e11c77a43a2bd38701a2e6f416517f7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\setup.exe
9dd553f06657dee90413079098f36ae4c:\Program Files\Optimizer Pro\OptProCrash.dll
bee363f79f3f2bf371831cb520a1d2dfc:\Program Files\Optimizer Pro\OptProCrashSvc.dll
b751a6adb9642e91dc3ef1988b414cb8c:\Program Files\Optimizer Pro\OptProGuard.exe
7b624b22ac4c022900964c6f8848412ac:\Program Files\Optimizer Pro\OptProHelper.dll
0c97071b4d54afbbd75eaf81afefd5aac:\Program Files\Optimizer Pro\OptProLauncher.exe
52421ea8fb28afaf071ac39c2bb612fcc:\Program Files\Optimizer Pro\OptProReminder.exe
b2563685a91d322ef9c35aba0fd75255c:\Program Files\Optimizer Pro\OptProSchedule.exe
9f6ff7221e3fa3898636916ee2121108c:\Program Files\Optimizer Pro\OptProSmartScan.exe
2585142a4a29f9c1d31a95c92805cfc4c:\Program Files\Optimizer Pro\OptProStart.exe
e39ba81c1e7f71421c9e81328491bc31c:\Program Files\Optimizer Pro\OptProUninstaller.exe
87602e330053f0e08baff71544b07a6ac:\Program Files\Optimizer Pro\OptimizerPro.exe
d82a429efd885ca0f324dd92afb6b7b8c:\Program Files\Optimizer Pro\itdownload.dll
0f66e8e2340569fb17e774dac2010e31c:\Program Files\Optimizer Pro\sqlite3.dll
ec110443a8093902cfc0a579a23380c5c:\Program Files\Optimizer Pro\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    LiveSupport_setup.tmp:1580
    %original file name%.exe:868
    LiveSupport.exe:536
    regsvr32.exe:436
    regsvr32.exe:648
    rundll32.exe:1256
    rundll32.exe:1272
    LiveSupport_setup.exe:1600
    setup.tmp:572
    setup.exe:196

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Program Files%\LiveSupport\is-8TRDM.tmp (673 bytes)
    %Program Files%\LiveSupport\unins000.msg (646 bytes)
    %Program Files%\LiveSupport\is-HKR4L.tmp (1281 bytes)
    %Program Files%\LiveSupport\unins000.dat (8096 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-50VJV.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
    %Program Files%\LiveSupport\is-KJO4B.tmp (7385 bytes)
    %Program Files%\LiveSupport\is-M4VEB.tmp (34256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (846078 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7160 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1220 bytes)
    %Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2QU83.tmp\LiveSupport_setup.tmp (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\LiveSupport.exe (11493 bytes)
    %Program Files%\Optimizer Pro\is-GVDO7.tmp (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\Optimizer Pro\is-FP91K.tmp (712 bytes)
    %Program Files%\Optimizer Pro\unins000.msg (646 bytes)
    %Program Files%\Optimizer Pro\is-4AIL0.tmp (48 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
    %Program Files%\Optimizer Pro\OptProCrashSvc.dll (186 bytes)
    %Program Files%\Optimizer Pro\is-1JIBB.tmp (22 bytes)
    %Program Files%\Optimizer Pro\OptProCrash.dll (193985 bytes)
    %Program Files%\Optimizer Pro\is-7TETM.tmp (31891 bytes)
    %Program Files%\Optimizer Pro\is-JAB92.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
    %Program Files%\Optimizer Pro\unins000.dat (17017 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Program Files%\Optimizer Pro\is-ACLN3.tmp (54 bytes)
    %Program Files%\Optimizer Pro\is-61I25.tmp (185630 bytes)
    %Program Files%\Optimizer Pro\is-AIPAC.tmp (1425 bytes)
    %Program Files%\Optimizer Pro\is-354C0.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\optpro2.bmp (673 bytes)
    %Program Files%\Optimizer Pro\is-FGHNC.tmp (2321 bytes)
    %Program Files%\Optimizer Pro\is-UMLVN.tmp (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\OptProCrash.dll (22336 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
    %Program Files%\Optimizer Pro\is-OPCD3.tmp (7345 bytes)
    %Program Files%\Optimizer Pro\is-8KRNN.tmp (3073 bytes)
    %Program Files%\Optimizer Pro\is-2O7QJ.tmp (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
    %Program Files%\Optimizer Pro\is-JU8EF.tmp (2321 bytes)
    %Program Files%\Optimizer Pro\is-H2GS3.tmp (7433 bytes)
    %Program Files%\Optimizer Pro\is-6OD8U.tmp (3073 bytes)
    %Program Files%\Optimizer Pro\is-2B7N4.tmp (898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-8F7AR.tmp\itdownload.dll (1281 bytes)
    %Program Files%\Optimizer Pro\is-9HFK3.tmp (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-H12MI.tmp\setup.tmp (7386 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409683149834564.554651faeb58ca8be9302d5ddd4292eaaf5d5
.rdata9011220754209923.39370135d0fff0968edfadcfe1f9563efe25
.data1146881344456322.157562cef89c59f35f4fcafe95749186c0933
.rsrc131072676840467686405.54315973c2d9724e82788d9307236d4b0afe
.reloc690176024154245761.3304578f073413c602a037c2df5cfc67ec1d6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 11
f517fa6a1e32843d19bf9ad1da849791
93ac43bb670852feab7f194d7de49381
3e75266321c56bfe016c6edc2b758164
f7bb14080de4ed9cb477998b71723338
307daa3e82f05c6347172168912efa10
8e5840fa9fa14054dfd454def7e429ad
7690a41c4e06ff42df3cceb71079bae7
98a6cb20f3b7f0ceb4a0e15f997966ab
d400711383de4598655e924a1732166c
6cbfd529a71142e93b28a0679d9363f9
313652dc8f76b9ebb4ba6c80c0a027ca

Network Activity

URLs

URL IP
hxxp://optpro.info/get/?q=BK+lapGrHEOBZ/mUMOffAhF38PHAVZq2QjUIjEn6Isxjq2EQp6UIwWO4cShJ2JXEkO8kXRKzxm3YacbWCvpKQhBjy1HwK5ysrTLYC7qw1Tuca/AFsO1GZzChjZCvK+926DPY5WmIzt2iXpkmbNTN2OSYw57bL9c3JRTBFLnRJspYv5dhRSzUCTRX+VrsZrcVauJwcK3x3QlcWmxqKe8ixT+wWEYMACHa2fEC4XMIUgP0cxtP42RhH8bmFTkh/homrhnKnzubWHIxH9ekSNlc9kjlJ1GByYeUHPqnSj3q12pJWm5/pXjcaB9NIBGqNcub3297Txepzm/i+ce2w9UpmGbSzFYCGBthdJZa0ATTRnLoD410IlQTvldn4ZrDYP2n4+iDy+xYSHGtnhR+ptsJRBwdjS1btE5jf8OT4avzlJhPkC94eAkf8srI7B6um8vYRGi5ng9aMwRHLGI17akbGs9WahPeDAVR8XMT03hxuhCKhY12dkUHKtXkq+FCcJF5bCjaFnsOXQ9i0FR/32zdUrm3RnXvYTGLpjwsPW2fElNQ0bdIQ3Oi7riCrBuupCvkfqxi7hoghvMvaNqaQh7PTV207.244.66.33
hxxp://optpro.info/install/207.244.66.33
hxxp://dl.softservers.net/171001356/LiveSupport.exe198.20.70.75
hxxp://bi.softservers.net/t/op?sid=111001356-LV-042&dt=1399781921&gid=57E03A89-E8DD-D896-DD1F-4464BAAE2BCB&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1958268274107.6.170.117
hxxp://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=1399771139&gid=27bbdcf0-06bd-4574-8d1b-d04636589bed&tz=1399778339&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400107.6.170.117
hxxp://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=1399771140&gid=27bbdcf0-06bd-4574-8d1b-d04636589bed&tz=1399778340&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400107.6.170.117
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171001356198.143.146.75
time.nist.gov216.171.120.36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /t/op?sid=111001356-LV-042&dt=1399781921&gid=57E03A89-E8DD-D896-DD1F-4464BAAE2BCB&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1958268274 HTTP/1.1

Host: bi.softservers.net

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sun, 11 May 2014 01:18:41 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

GET /t/ls?sid=171001356-UA-035&dt=1399771139&gid=27bbdcf0-06bd-4574-8d1b-d04636589bed&tz=1399778339&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sun, 11 May 2014 01:19:00 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Sun, 11 May 2014 01:19:00 GMT..Content-Type: application/octet-stream..Content-Length: 0..Connection: keep-alive..content-type: text/html......

GET /t/ls?sid=171001356-UA-035&dt=1399771140&gid=27bbdcf0-06bd-4574-8d1b-d04636589bed&tz=1399778340&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sun, 11 May 2014 01:19:00 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Sun, 11 May 2014 01:19:00 GMT..Content-Type: application/octet-stream..Content-Length: 0..Connection: keep-alive..content-type: text/html..

GET /171001356/LiveSupport.exe HTTP/1.0

Host: dl.softservers.net

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sun, 11 May 2014 01:18:38 GMT

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 15:25:14 GMT

Connection: close

content-length: 1503528

ETag: "5328655a-16d478"

Content-Disposition: attachment; filename=LiveSupport.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................3.......................2.....................Rich............................PE..L....((S.................(...........g.......@....@.......................... ......(.....@.....................................P.......p...............(............................................q..@............@..P............................text....'.......(.................. ..`.rdata...L...@...N...,..............@..@.data....4...........z..............@....rsrc...p...........................@..@.reloc...'.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................U.........l.A.3..E.V.u.W.}.h..........j.P..;...........Qj.j.j(j...8AA.....j.........#.PWVh.AA.j...<AA.3... ..._^...M.3...;....].U...U....@$R.U.R.U.R..]............AA..:C.......U..V.....AA..$C...E..t.V..:.......^]............U..QV..j..M..:0...F....s.@.F..M..N0..^..].......U..QVW..j..M...0...G...t....s.H.G..w........M.#...0.._..^..].......AA...........U..QW.9..t;j..M.../...G...t....s.H.G.V.w......M...../..#.t.....j.....^_..]......................................U...E....u..y..r....E..U....]....y..r....M.P.

<<

<<< skipped >>>

GET /get/?q=BK+lapGrHEOBZ/mUMOffAhF38PHAVZq2QjUIjEn6Isxjq2EQp6UIwWO4cShJ2JXEkO8kXRKzxm3YacbWCvpKQhBjy1HwK5ysrTLYC7qw1Tuca/AFsO1GZzChjZCvK+926DPY5WmIzt2iXpkmbNTN2OSYw57bL9c3JRTBFLnRJspYv5dhRSzUCTRX+VrsZrcVauJwcK3x3QlcWmxqKe8ixT+wWEYMACHa2fEC4XMIUgP0cxtP42RhH8bmFTkh/homrhnKnzubWHIxH9ekSNlc9kjlJ1GByYeUHPqnSj3q12pJWm5/pXjcaB9NIBGqNcub3297Txepzm/i+ce2w9UpmGbSzFYCGBthdJZa0ATTRnLoD410IlQTvldn4ZrDYP2n4+iDy+xYSHGtnhR+ptsJRBwdjS1btE5jf8OT4avzlJhPkC94eAkf8srI7B6um8vYRGi5ng9aMwRHLGI17akbGs9WahPeDAVR8XMT03hxuhCKhY12dkUHKtXkq+FCcJF5bCjaFnsOXQ9i0FR/32zdUrm3RnXvYTGLpjwsPW2fElNQ0bdIQ3Oi7riCrBuupCvkfqxi7hoghvMvaNqaQh7PTV HTTP/1.1

Accept: */*

User-Agent: win32

Host: optpro.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sun, 11 May 2014 01:20:11 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.4.16

0..

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1272:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

OptProStart.exe_1176:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

!"#$%d

!"#$%d

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeyworddRA

HelpKeyworddRA

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys\

AutoHotkeys\

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreviewP

KeyPreviewP

WindowState

WindowState

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

tagMSG

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

getservbyport

getservbyport

WSAAsyncGetServByPort

WSAAsyncGetServByPort

WSAJoinLeaf

WSAJoinLeaf

WS2_32.DLL

WS2_32.DLL

127.0.0.1

127.0.0.1

TIdSocketListWindows

TIdSocketListWindows

TIdStackWindowsU

TIdStackWindowsU

IdStackWindows

IdStackWindows

UhExE

UhExE

%s, %.2d %s %.4d %s %s

%s, %.2d %s %.4d %s %s

%s, %d %s %d %s %s

%s, %d %s %d %s %s

password

password

Password

Password

IdHTTPHeaderInfo

IdHTTPHeaderInfo

ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPassword(<F><pre>EIdOSSLLoadingRootCertErrorlFF</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient@dF</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>TIdHTTPOnHeadersAvailable</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPProtocol</pre><pre>TIdCustomHTTP</pre><pre>TIdHTTP</pre><pre>HTTPOptions</pre><pre>PortP</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>OnActionExecuteX</pre><pre>%s, ClassID: %s</pre><pre>ole32.dll</pre><pre>\OptimizerPro.exe</pre><pre>WelcomeURL</pre><pre>SupportURL</pre><pre>HomePageURL</pre><pre>BuyNowURL</pre><pre>UninstallURL</pre><pre>AdsDownloadURL</pre><pre>AdsBuyNowURL</pre><pre>BannerURL</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>wininet.dll</pre><pre>6!606@6`6</pre><pre>5!5%5)5-515</pre><pre>> >$>(>,>0>4>8><>@>\>|></pre><pre>0#0'0 0/03070;0</pre><pre>= >$>(>,>0>4></pre><pre>3 3$3(3,30343</pre><pre>9%9u9</pre><pre>5 5$5(5,5:5</pre><pre>8"9&9*92989</pre><pre>2 2$2(2,20242</pre><pre>5"5&5*5.52565:5</pre><pre>2"292\2?3</pre><pre>3 3$3(3,3034383<3@3\3|3</pre><pre>9 9$9(9,90949\9|9</pre><pre>5&5*5>5`5</pre><pre>2-2`2</pre><pre>KWindows</pre><pre>UrlMon</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>Font.Charset</pre><pre>Font.Color</pre><pre>Font.Height</pre><pre>Font.Name</pre><pre>Font.Style</pre><pre>Icon.Data</pre><pre>Could not load certificate.#Could not load key, check password.</pre><pre>SSL status: "%s"</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Command not supported.</pre><pre>Address type not supported.$Error accepting connection with SSL.</pre><pre>Error creating SSL context. Could not load root certificate.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>Chunk StartedDThis authentication method is already registered with class name %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>%s is not a valid IP address.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>No help keyword specified.</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help system installed</pre><pre>Alt Clipboard does not support Icons/Menu '%s' is already being used by another form</pre><pre>Unsupported clipboard format</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><pre>3.0.0.0</pre></F></pre></pre></pre>