Susp_Dropper (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f0b730bcab8ac5d233689926129fd3b2
SHA1: 6628c54732d326c4339e418b8af2899459258b76
SHA256: a5a6319cc41053dbc3f434f44b6f4bec95593d97a2457f0b950e839ccef0d971
SSDeep: 196608:DYlty6y5IJc SS2bd9 iU3o3 7aWjpdO7kvB2U:EL0W6a2bd9Y38SXjdvI
Size: 7712800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphiv60v70_v2, UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141
Company: no certificate found
Created at: 2014-06-03 11:50:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
optprosetup.exe:1944
optprosetup.tmp:912
LiveSupport.exe:852
rundll32.exe:664
rundll32.exe:1004
LiveSupport_setup.exe:920
regsvr32.exe:1724
regsvr32.exe:1728
%original file name%.exe:1852
LiveSupport_setup.tmp:208
The Malware injects its code into the following process(es):
LiveSupport.exe:228
OptProStart.exe:1556
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process optprosetup.exe:1944 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (7386 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp (0 bytes)
The process optprosetup.tmp:912 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\Optimizer Pro\is-2OOOE.tmp (48 bytes)
%Program Files%\Optimizer Pro\is-7J528.tmp (54 bytes)
%Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
%Program Files%\Optimizer Pro\is-S4A06.tmp (673 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-484KR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
%Program Files%\Optimizer Pro\is-OH0KU.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-K0UL9.tmp (32054 bytes)
%Program Files%\Optimizer Pro\is-SBJOQ.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-J8QF8.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (22575 bytes)
%Program Files%\Optimizer Pro\is-OE54R.tmp (7433 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-PJNJ0.tmp (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-F9MM2.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-V7ELF.tmp (7547 bytes)
%Program Files%\Optimizer Pro\is-5A7TN.tmp (4545 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-JNCLJ.tmp (712 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Program Files%\Optimizer Pro\is-ITH3L.tmp (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (11493 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp (4 bytes)
%Program Files%\Optimizer Pro\is-T3840.tmp (601 bytes)
%Program Files%\Optimizer Pro\is-QNK15.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-N2MUL.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-CBGOF.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-U8M6Q.tmp (185630 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (0 bytes)
The process LiveSupport.exe:852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
The process LiveSupport.exe:228 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)
The process LiveSupport_setup.exe:920 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (7386 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (0 bytes)
The process regsvr32.exe:1728 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
The process %original file name%.exe:1852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (47888 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (0 bytes)
The process LiveSupport_setup.tmp:208 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-L33UU.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-5D7HH.tmp (7385 bytes)
%Program Files%\LiveSupport\is-6RER9.tmp (34256 bytes)
%Program Files%\LiveSupport\is-674E2.tmp (673 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup (0 bytes)
Registry activity
The process optprosetup.exe:1944 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 E2 F6 24 E6 2C 98 16 22 94 9B 1A B4 FD 79 61"
The process optprosetup.tmp:912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svpath" = "c:\Program Files\Optimizer Pro\OptProCrash.dll"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_205c0720\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2032275112"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2e22d94e" = "///%"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"appid.0" = "Vx7srrvik9DjScdefARCH5Df0oEV5y8d8/jl"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"dlpath" = "c:\progra~1\optimi~1\optpro~2.dll"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.0" = "lUoSMF8OBeItzIABCDEuChwgLJcqcKZp7XwAEzyXy7nqevDsJOhU3QCZLzRcJ2x8AiITRevKYQkqrF59yIu5 UH1xq8nMrXlhxfcnPbcfC"
"data.1" = "nVTk0RFpFONytwysur1W61bIGLCJPfVZU7MeW71I1WeFK7oCZ6QVvcmZQ/PUbhSCTryVrTgRjj5Kzv637H9RIAjYo8V83WdWByCrGlJgvpfqN14emR5UVYcznzlUxhxVR"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2032275112"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1404761959"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Optimizer Pro]
"Language" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\optimi~1\optpro~2.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140707"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1520c6f1" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.0" = "vjIceecdefABCDWYSU"
"usr.1" = "BPN02vxztvqomjlhab"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B CF AB 15 75 09 17 07 7D 7B 2E 8B B0 75 1C 66"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"State" = "0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7f69fa1f" = "///%"
"0e93c3f3" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Language" = "en"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-2HTP7.tmp]
"LiveSupport.exe" = "LiveSupport Installer"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svt" = "1404751394"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_205c0720\eae10f9d]
"340d3099" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0e93c3f3" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\Optimizer Pro]
"culValue" = ""
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.1" = "BPN02vxztvqomjlhab"
"usr.0" = "vjIceecdefABCDWYSU"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
"Version" = "22022053"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"27ddcf6f" = "///%"
"d1abcdb6" = "///%"
"0c230bcb" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1404761959"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svn" = "Optimizer Pro Crash Monitor"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svi" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svx" = ""
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.1" = "nVTk0RFpFONytwysur1W61bIGLCJPfVZU7MeW71I1WeFK7oCZ6QVvcmZQ/PUbhSCTryVrTgRjj5Kzv637H9RIAjYo8V83WdWByCrGlJgvpfqN14emR5UVYcznzlUxhxVR"
"data.0" = "lUoSMF8OBeItzIABCDEuChwgLJcqcKZp7XwAEzyXy7nqevDsJOhU3QCZLzRcJ2x8AiITRevKYQkqrF59yIu5 UH1xq8nMrXlhxfcnPbcfC"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"ca82e1a5" = "%Program Files%\Optimizer Pro\OptProCrash.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LiveSupport.exe:852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 E0 78 D1 9D 89 A0 EF 75 7F 26 71 7B 4A 35 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process LiveSupport.exe:228 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\LiveSupport]
"SoftUpdateUrl" = "http://updates.livesupport.pcutilitiespro.com"
"ShowTitleBarBtn" = "1"
"Assistant" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\LiveSupport]
"AppStart" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\LiveSupport]
"Language" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\LiveSupport]
"OS" = "102"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\LiveSupport]
"SoftUpdateDate" = "0"
"RunOnOSRun" = "1"
"QueryDate" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\LiveSupport]
"FixHoverIconToTray" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 C5 3D C9 22 0C C2 3C E5 69 00 67 9B 5B D8 16"
[HKCU\Software\LiveSupport]
"InstallDate" = "1404751405"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\LiveSupport]
"MachineGuid" = "8cc0ffbe-adc7-48f5-a8c5-a4e91704d732"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Malware modifies IE settings for security zones to map all local web-nodes whose names contain no dots and that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:664 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"fe94ce1e" = "V/////%%"
"e46c271e" = "///%"
"2e22d94e" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"7367429f" = "///%"
"340d3099" = "/P////%%"
"1520c6f1" = "V/////%%"
"3c09c42b" = "///%"
"2d71d5ab" = "V/////%%"
"a2e3b941" = "///%"
"c6c5dd44" = "V/////%%"
"f6ad6fa6" = "VP/l/C//V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"c99a5f5c" = "///%"
"c5705860" = "Vx////%%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"a0743acc" = "N/////%%"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"414bc593" = "///%"
"7f69fa1f" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"587b5709" = "V/////%%"
"48bd1aff" = "VP/l/C//N//l////"
"0c230bcb" = "///%"
"0e93c3f3" = "///%"
"72758a5d" = "///%"
"a1dcff5b" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 1D 27 08 9A D9 81 3B 61 BA D8 34 4F AE 63 51"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"8b9e4cbc" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
"493c7345" = ""
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
"65114b36" = "VP/ ////"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"27ddcf6f" = "///%"
"bbf88800" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
The process rundll32.exe:1004 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 79 4A EC A6 EF 1A CF C9 A3 63 64 B9 CE 0D D5"
The process OptProStart.exe:1556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111001356-GB-042&g=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Optimizer Pro]
"UseAds" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Optimizer Pro]
"AppStart" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001356-GB-042"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Optimizer Pro]
"DelayedStart" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"
"Querry" = "http://bi.softservers.net/t/op?sid=111001356-GB-042&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=2856268330"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001356&g=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 FB 6D 2F DC 28 7F 1B 2A 02 0F A6 0E EB 94 CF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Optimizer Pro]
"InstallDate" = "5B 87 A4 4B 7A 6C E4 40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LiveSupport_setup.exe:920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 69 60 08 F5 CF EF 78 1C 7B E5 4E 60 18 08 47"
The process regsvr32.exe:1724 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 59 9E A6 02 2C 12 1A 6C 37 21 E2 2A 27 1D F4"
The process regsvr32.exe:1728 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 32 8D 67 55 14 D9 B3 6B C8 B8 8C 3C BC 96 F9"
[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"
The process %original file name%.exe:1852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 DC 05 C9 F8 FA 6D 9B CF 1B 1D 16 70 75 61 72"
[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"
The process LiveSupport_setup.tmp:208 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"
[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"
[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"
[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"Inno Setup: App Path" = "%Program Files%\LiveSupport"
"MinorVersion" = "2"
[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171001356"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191001356/OptmizerPro.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 73 AE 32 23 74 81 72 8B E4 D4 18 76 D9 87 CC"
[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171001356-CA-035"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"Publisher" = "PC Utilities Software Limited"
[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140707"
The Malware modifies IE settings for security zones to map all local web-nodes whose names contain no dots and that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
d2d6341a87cc3995abe80f505b6e112a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LiveSupport_setup.exe |
87217247d99dd350a595399fb11b349a | c:\Program Files\LiveSupport\LiveSupport.exe |
a6127535670da8d8d0d338faf81112ec | c:\Program Files\LiveSupport\LiveSupport_deskband_x32.dll |
69c715189c3106946c5dc13bb563450a | c:\Program Files\LiveSupport\LiveSupport_deskband_x64.dll |
7c1fbcbbe0d2998719bbd6b73783bca5 | c:\Program Files\LiveSupport\unins000.exe |
9601309d3723fded3e836adb76f3875d | c:\Program Files\Optimizer Pro\OptProCrash.dll |
eefcfd57a4102195b9ac80b8d50a5f3f | c:\Program Files\Optimizer Pro\OptProGuard.exe |
73159250df28025dc4b7b20e6f6eb1e0 | c:\Program Files\Optimizer Pro\OptProHelper.dll |
175ca727b241f0538ac3f0be3d8c84a3 | c:\Program Files\Optimizer Pro\OptProLauncher.exe |
5000d42a3391fee44247878bb56515bd | c:\Program Files\Optimizer Pro\OptProReminder.exe |
7bf8547d995d75dc2e6c5daaeffdfe6e | c:\Program Files\Optimizer Pro\OptProSchedule.exe |
0e1398d9f38c7bf1ef5451cfc947ae56 | c:\Program Files\Optimizer Pro\OptProSmartScan.exe |
d3a8d68c2be395890bdbf00d108a5f61 | c:\Program Files\Optimizer Pro\OptProStart.exe |
910f229c039716dce3b7cca9525c83b3 | c:\Program Files\Optimizer Pro\OptProUninstaller.exe |
6feded4372041d43132f81b8d37ed4db | c:\Program Files\Optimizer Pro\OptimizerPro.exe |
d82a429efd885ca0f324dd92afb6b7b8 | c:\Program Files\Optimizer Pro\itdownload.dll |
0f66e8e2340569fb17e774dac2010e31 | c:\Program Files\Optimizer Pro\sqlite3.dll |
580fe2de2134cca7e854b5bb9f747166 | c:\Program Files\Optimizer Pro\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
optprosetup.exe:1944
optprosetup.tmp:912
LiveSupport.exe:852
rundll32.exe:664
rundll32.exe:1004
LiveSupport_setup.exe:920
regsvr32.exe:1724
regsvr32.exe:1728
%original file name%.exe:1852
LiveSupport_setup.tmp:208
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (7386 bytes)
%Program Files%\Optimizer Pro\is-2OOOE.tmp (48 bytes)
%Program Files%\Optimizer Pro\is-7J528.tmp (54 bytes)
%Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
%Program Files%\Optimizer Pro\is-S4A06.tmp (673 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-484KR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
%Program Files%\Optimizer Pro\is-OH0KU.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-K0UL9.tmp (32054 bytes)
%Program Files%\Optimizer Pro\is-SBJOQ.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-J8QF8.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (22575 bytes)
%Program Files%\Optimizer Pro\is-OE54R.tmp (7433 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-PJNJ0.tmp (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-F9MM2.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-V7ELF.tmp (7547 bytes)
%Program Files%\Optimizer Pro\is-5A7TN.tmp (4545 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-JNCLJ.tmp (712 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Program Files%\Optimizer Pro\is-ITH3L.tmp (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (11493 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-T3840.tmp (601 bytes)
%Program Files%\Optimizer Pro\is-QNK15.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-N2MUL.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-CBGOF.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-U8M6Q.tmp (185630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (7386 bytes)
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (47888 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-L33UU.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-5D7HH.tmp (7385 bytes)
%Program Files%\LiveSupport\is-6RER9.tmp (34256 bytes)
%Program Files%\LiveSupport\is-674E2.tmp (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 881040 | 881152 | 4.48236 | 31d1aff03f08ea465eab45db25c6337c |
.itext | 888832 | 2940 | 3072 | 4.25316 | eaabfd280dbbf29b8547397600dc5ea0 |
.data | 892928 | 14964 | 15360 | 3.63951 | e7301e7e1334603f81823155ad7e91c9 |
.bss | 909312 | 20528 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 933888 | 4530 | 4608 | 3.39002 | dc54b0a1dbf85f50eb541da666e881e9 |
.didata | 942080 | 464 | 512 | 2.16145 | aa1bd1278a403125fffce2bf2717d356 |
.tls | 946176 | 20 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 950272 | 24 | 512 | 0.146134 | 71fb01babd7aa03894831e303e70de3e |
.reloc | 954368 | 81236 | 81408 | 4.64935 | c746ccff3d2c7880880b55749e4b4581 |
.rsrc | 1036288 | 6718464 | 6718464 | 5.54042 | 53e1cde66875ad422ec560581a65a6f4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 17
Network Activity
URLs
URL | IP |
---|---|
hxxp://212.58.246.93/ | |
hxxp://207.244.66.33/get/?q=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 | |
hxxp://207.244.66.33/install/ | |
hxxp://dl.softservers.net/171001356/LiveSupport.exe | 198.20.70.75 |
hxxp://bi.softservers.net/t/op?sid=111001356-GB-042&dt=1404762198&gid=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=2856268330 | 198.20.86.29 |
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1404751405&gid=8cc0ffbe-adc7-48f5-a8c5-a4e91704d732&tz=1404758605&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 | 198.20.86.29 |
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1404751406&gid=8cc0ffbe-adc7-48f5-a8c5-a4e91704d732&tz=1404758606&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 | 198.20.86.29 |
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171001356 | 198.143.146.75 |
hxxp://ls.callbanner.pcutilitiespro.com/get_version/ | 198.143.146.75 |
hxxp://updates.livesupport.pcutilitiespro.com/get_version/ | 69.175.108.139 |
hxxp://optpro.info/get/?q=CG7P2bk1PFkXs3zCDWarE1rWMzu6FUw+nJQuoE+SR2cSRRIQq5v00MQuwqEJbRReLrJhxyLT1wSkLire8Fez+ZDhlP4fTq4K5XXTLrUgkwRdDF1NWJHCIKloNvlOCo/QXHgqreJe2LmBuY1jVdktGoW47KxaSaDQ3HnowHqVEFEaf+iKOhWaHg0rPCVsZsIiljMKA+AjCx5pzoHmJE6AQYXgF5BJLPrAWmUDjFvcqNBrNd5UtQZQOP02epoy1r1JoL2V1A9qHTouf1fIEy7P6ef9ctsOZ92EvN6c19aKFZQvEKNaBawU8Mhev3CjN+8WQK0wcsge31mzMDAWMMXXZdeqDnW6kW/j8VwLtiDr72Skbhxfsf/L5q4aRcGn3YR+8BuiBCSCsHwEQCLMUzbBiCMeKkI4/Eue4lYL/u8WeoaoKposdXdAfkWv5S1GvSDE/knUyaIjdFAGgzckJKr8bqK/NXLo/ekGQo0HML2xwy+PmZDS4vC3zkaYUOp2vIApN5gMdxykBIdvC0u1lra1r79MFviFPZtB2tG6QHS5Z8AClr+uH310+N1y6A9mIOF1x+SMoOUG16f+0DZFLa5JbKde | |
hxxp://www.bbc.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Malware connects to the servers at the following location(s):