Backdoor.Win32.PcClient_776706011c – Adaware

Backdoor.Win32.PcClient.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 776706011cff9de8dab9b58eb23869b4

SHA1: 13c036ca02947fe6ab01ce5f9b2b4868dcd1bcc9

SHA256: 144c8d9e36ef654b0658e205f9fabe336d9c565b6c0b5c7b3a3eaa83c422f781

SSDeep: 196608:1dkfrbW8JimlK3QjNiWjrZla/g1lHAqJGoSKYM:1dgPnI3KvaFkX

Size: 6811136 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-06 16:06:12

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

optprosetup.exe:540
optprosetup.tmp:336
LiveSupport.exe:184
mscorsvw.exe:1912
%original file name%.exe:1944
rundll32.exe:644
rundll32.exe:480
LiveSupport_setup.exe:348
regsvr32.exe:1528
regsvr32.exe:668
LiveSupport_setup.tmp:1616

The Backdoor injects its code into the following process(es):

LiveSupport.exe:640
OptProStart.exe:324

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process optprosetup.exe:540 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-N1KNB.tmp\optprosetup.tmp (7386 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-N1KNB.tmp\optprosetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-N1KNB.tmp (0 bytes)

The process optprosetup.tmp:336 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-UBJF4.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-HVJ4U.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-GJGR8.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-7QDRM.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-BS4BG.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-0M3P3.tmp (7547 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\OptProCrash.dll (22575 bytes)
%Program Files%\Optimizer Pro\is-PTJV5.tmp (898 bytes)
%Program Files%\Optimizer Pro\is-3N91K.tmp (22 bytes)
%Program Files%\Optimizer Pro\unins000.dat (17017 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-TTQIU.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-E3QMJ.tmp (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-RJFNB.tmp (56 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp (4 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-5A403.tmp (185630 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-C32JC.tmp (31891 bytes)
%Program Files%\Optimizer Pro\is-A1634.tmp (712 bytes)
%Program Files%\Optimizer Pro\is-SPPPG.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-R6DJ3.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-7G7OI.tmp (7345 bytes)
%Program Files%\Optimizer Pro\is-2QV2M.tmp (54 bytes)
%Program Files%\Optimizer Pro\is-LEE6C.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-QGJL2.tmp (7433 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\LiveSupport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\optpro2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\_isetup (0 bytes)

The process LiveSupport.exe:640 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)

The process LiveSupport.exe:184 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)

The process %original file name%.exe:1944 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (829023 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5316 bytes)

The process LiveSupport_setup.exe:348 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-7IF6H.tmp\LiveSupport_setup.tmp (7386 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-7IF6H.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-7IF6H.tmp\LiveSupport_setup.tmp (0 bytes)

The process regsvr32.exe:668 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)

The process LiveSupport_setup.tmp:1616 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Program Files%\LiveSupport\is-CE05V.tmp (1281 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-1HUE8.tmp (7385 bytes)
%Program Files%\LiveSupport\is-BUP44.tmp (34256 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Program Files%\LiveSupport\is-S3OG5.tmp (673 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DCC6H.tmp\_isetup\_shfoldr.dll (23 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-DCC6H.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DCC6H.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DCC6H.tmp\_isetup\_shfoldr.dll (0 bytes)

Registry activity

The process optprosetup.exe:540 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 1E 6A E2 E8 15 AB 0C F0 11 58 32 21 4A B0 51"

The process optprosetup.tmp:336 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_5097ffec\eae10f9d]
"340d3099" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svpath" = "c:\Program Files\Optimizer Pro\OptProCrash.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "1733885287"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"appid.0" = "0xhQKm3A7Jituomjlh/30olJlZGG8UJUPrlx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"dlpath" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.0" = "OakNRjV DaUmsmabcdUPvb7dR2cukvrY4AG1Bx3psup6tqjZJDRpQEketBRhNXh2aQhQzDDcoaVpg7kq1oCuvFolVUZid6PIY6H92V67/G"
"data.1" = "c0vWSXHwJfO7f 3456Tne14 tItQJLkhzBeXTjKIDgXqqFzshuQgXf s4gLLpFpRfQY5fgj8Y7GXwFN3sJsgiZvRS1z86b3IlKJG80bYPPi1OG24B gXi4Zska5630ur"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "1733885287"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1403602006"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140624"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.0" = "e0y8/qqomjlhabcdef"
"usr.1" = "Kkw79xYSUMOQIKEG x"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 33 4B 78 BC 55 50 B1 79 97 34 78 D7 1D D3 11"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"State" = "0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7f69fa1f" = "///%"
"0e93c3f3" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Language" = "en"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svt" = "1403591506"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2e22d94e" = "///%"
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\Optimizer Pro]
"culValue" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-0GK83.tmp]
"LiveSupport.exe" = "LiveSupport Installer"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_5097ffec\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.1" = "Kkw79xYSUMOQIKEG x"
"usr.0" = "e0y8/qqomjlhabcdef"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
"Version" = "22022053"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"27ddcf6f" = "///%"
"d1abcdb6" = "///%"
"0c230bcb" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1403602006"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svn" = "Optimizer Pro Crash Monitor"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svi" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svx" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.1" = "c0vWSXHwJfO7f 3456Tne14 tItQJLkhzBeXTjKIDgXqqFzshuQgXf s4gLLpFpRfQY5fgj8Y7GXwFN3sJsgiZvRS1z86b3IlKJG80bYPPi1OG24B gXi4Zska5630ur"
"data.0" = "OakNRjV DaUmsmabcdUPvb7dR2cukvrY4AG1Bx3psup6tqjZJDRpQEketBRhNXh2aQhQzDDcoaVpg7kq1oCuvFolVUZid6PIY6H92V67/G"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"ca82e1a5" = "%Program Files%\Optimizer Pro\OptProCrash.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport.exe:640 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\LiveSupport]
"SoftUpdateUrl" = "http://updates.livesupport.pcutilitiespro.com"
"ShowTitleBarBtn" = "1"
"Assistant" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\LiveSupport]
"AppStart" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\LiveSupport]
"OS" = "102"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\LiveSupport]
"SoftUpdateDate" = "0"
"RunOnOSRun" = "1"
"QueryDate" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\LiveSupport]
"FixHoverIconToTray" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 F8 67 01 E6 B9 E0 DD 6E F2 79 66 89 78 52 C1"

[HKCU\Software\LiveSupport]
"InstallDate" = "1403591518"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\LiveSupport]
"MachineGuid" = "c1bb9bfd-28e0-4a5d-9991-bf2582770261"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport.exe:184 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 08 BB 36 86 46 6E EE 8B E3 22 4C D6 E6 5D FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process mscorsvw.exe:1912 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:1944 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 16 B1 CE E5 98 93 BE BB 16 67 7D B0 2A FD 83"

[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"

The process rundll32.exe:644 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 01 19 F3 87 07 E8 70 40 0A 78 A5 47 85 9C B1"

The process rundll32.exe:480 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"fe94ce1e" = "V/////%%"
"e46c271e" = "///%"
"2e22d94e" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"7367429f" = "///%"
"340d3099" = "/P////%%"
"1520c6f1" = "V/////%%"
"3c09c42b" = "///%"
"2d71d5ab" = "V/////%%"
"a2e3b941" = "///%"
"c6c5dd44" = "V/////%%"
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"c99a5f5c" = "///%"
"c5705860" = "Vx////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"a0743acc" = "N/////%%"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"414bc593" = "///%"
"7f69fa1f" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"587b5709" = "V/////%%"
"48bd1aff" = "VP/l/C//N//l////"
"0c230bcb" = "///%"
"0e93c3f3" = "///%"
"72758a5d" = "///%"
"a1dcff5b" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 1F 8E AA 67 29 18 E7 2F 29 26 49 B0 79 B3 48"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"8b9e4cbc" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
"493c7345" = ""

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
"65114b36" = "VP/ ////"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"27ddcf6f" = "///%"
"bbf88800" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

The process OptProStart.exe:324 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111001356-SE-042&g=48E230C6-CE2C-7E75-C900-8272EFE4B5DA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Optimizer Pro]
"UseAds" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Optimizer Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001356-SE-042"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"DelayedStart" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

"Querry" = "http://bi.softservers.net/t/op?sid=111001356-SE-042&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1939276919"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001356&g=48E230C6-CE2C-7E75-C900-8272EFE4B5DA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 60 23 98 C2 2E C2 1F 3C 07 36 90 FA 60 24 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"InstallDate" = "07 F4 25 B5 CC 6A E4 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "48E230C6-CE2C-7E75-C900-8272EFE4B5DA"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport_setup.exe:348 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 F1 A2 E5 AC 25 72 07 3B F0 2F EB 32 99 DC F4"

The process regsvr32.exe:1528 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 7D EA 19 26 6E AF AD 9C A3 28 33 5E 54 84 D5"

The process regsvr32.exe:668 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 9E 93 82 EC 4B 01 FC 84 39 6B 2D B7 08 C1 67"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"

The process LiveSupport_setup.tmp:1616 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"

[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"

[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"Inno Setup: App Path" = "%Program Files%\LiveSupport"
"MinorVersion" = "2"

[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171001356"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191001356/OptmizerPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C E5 B0 99 BE 47 21 68 D7 5D 12 E5 B0 E5 74 2D"

[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171001356-CA-035"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"Publisher" = "PC Utilities Software Limited"

[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140624"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5	File path
d2d6341a87cc3995abe80f505b6e112a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LiveSupport_setup.exe
8f4a1a43503f98ebfd473a145b2b11db	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\optprosetup.exe
87217247d99dd350a595399fb11b349a	c:\Program Files\LiveSupport\LiveSupport.exe
a6127535670da8d8d0d338faf81112ec	c:\Program Files\LiveSupport\LiveSupport_deskband_x32.dll
69c715189c3106946c5dc13bb563450a	c:\Program Files\LiveSupport\LiveSupport_deskband_x64.dll
7c1fbcbbe0d2998719bbd6b73783bca5	c:\Program Files\LiveSupport\unins000.exe
69e456d41d98e30d7d45c4c01151ecac	c:\Program Files\Optimizer Pro\OptProCrash.dll
c7592dd3323972629212388e5d9eefa4	c:\Program Files\Optimizer Pro\OptProGuard.exe
4c802ad91f3321e1a53593a1a00c1cc4	c:\Program Files\Optimizer Pro\OptProHelper.dll
8e5749dd396ce19f169d6a47bf338d6b	c:\Program Files\Optimizer Pro\OptProLauncher.exe
7bb855abe6e9e703c7306f6389005d08	c:\Program Files\Optimizer Pro\OptProReminder.exe
3f8b4a2075c30e6729170c0c2a2e89de	c:\Program Files\Optimizer Pro\OptProSchedule.exe
2e230b9aa4883e7588523a02367b6ec3	c:\Program Files\Optimizer Pro\OptProSmartScan.exe
e504e80812299f973857b1f078b8d6a4	c:\Program Files\Optimizer Pro\OptProStart.exe
7cb41f79f7c2f49666eab4fce940ee01	c:\Program Files\Optimizer Pro\OptProUninstaller.exe
0678749010d14066dfec7585b489803e	c:\Program Files\Optimizer Pro\OptimizerPro.exe
d82a429efd885ca0f324dd92afb6b7b8	c:\Program Files\Optimizer Pro\itdownload.dll
0f66e8e2340569fb17e774dac2010e31	c:\Program Files\Optimizer Pro\sqlite3.dll
1f299092079b35de7f56e5a3eb009831	c:\Program Files\Optimizer Pro\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
optprosetup.exe:540
optprosetup.tmp:336
LiveSupport.exe:184
mscorsvw.exe:1912
%original file name%.exe:1944
rundll32.exe:644
rundll32.exe:480
LiveSupport_setup.exe:348
regsvr32.exe:1528
regsvr32.exe:668
LiveSupport_setup.tmp:1616
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\is-N1KNB.tmp\optprosetup.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-UBJF4.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-HVJ4U.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-GJGR8.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-7QDRM.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-BS4BG.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-0M3P3.tmp (7547 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\OptProCrash.dll (22575 bytes)
%Program Files%\Optimizer Pro\is-PTJV5.tmp (898 bytes)
%Program Files%\Optimizer Pro\is-3N91K.tmp (22 bytes)
%Program Files%\Optimizer Pro\unins000.dat (17017 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-TTQIU.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-E3QMJ.tmp (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-RJFNB.tmp (56 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-5A403.tmp (185630 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-C32JC.tmp (31891 bytes)
%Program Files%\Optimizer Pro\is-A1634.tmp (712 bytes)
%Program Files%\Optimizer Pro\is-SPPPG.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0GK83.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-R6DJ3.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-7G7OI.tmp (7345 bytes)
%Program Files%\Optimizer Pro\is-2QV2M.tmp (54 bytes)
%Program Files%\Optimizer Pro\is-LEE6C.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-QGJL2.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (829023 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-7IF6H.tmp\LiveSupport_setup.tmp (7386 bytes)
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
%Program Files%\LiveSupport\is-CE05V.tmp (1281 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-1HUE8.tmp (7385 bytes)
%Program Files%\LiveSupport\is-BUP44.tmp (34256 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Program Files%\LiveSupport\is-S3OG5.tmp (673 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DCC6H.tmp\_isetup\_shfoldr.dll (23 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	83149	83456	4.55467	85b2050c503ac757a6d6465071ba1133
.rdata	90112	20754	20992	3.39397	f9d23b89c9b65d7875caa25e4a1f57ac
.data	114688	13444	5632	2.15756	2cef89c59f35f4fcafe95749186c0933
.rsrc	131072	6669284	6669312	5.54302	8f07758be821aefacb8639046021ecfe
.reloc	6803456	23904	24064	1.35457	44243c80b40d22f7b6768e62fbb1d104

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 22
143a980a442a3172b0faa30d42c41ab1
435e11c64a49860740066341ab23c03b
e20212eccde2978daa4359828b987b5c
70fc42b26ac527a4b68b39f05ce3ff02
abd2eec75e3ec6f014921ebd92088d1e
dd13a08676d920a4212494eea7a247bd
17d15526da0489f06ad332b267ef17a1
173b44035ed6706913a2d3bdcedf75aa
32e756a6be1e7990acb835b1e36914d8
bc4e3b500e43bea73e3ce0f233646fcc
99e3c78c50a94a77622ece75ac7086a9
e235254ad2d2fa4165e35cf4bd5d40e9
0052052a33eafa25205a16810709d915
ab531b084fa687feacbbdad031ff935e
01dd675b1ae0e2c0767a10eebe204f3c
08896295ac4eede46cb4181a81039d79
7c5aa89360b66f43f6ed0350fbcc3f7b
83da85b6d0f0883dd1589cec9211d91e
cf09fcb5ce6184c1f9bced6a69bc8fc7
a624ada922ba34726d72620fc47aba20
91ae2ca39fa7885da95f66ec9e22bfd7
53810a48e7d4a0b6d500da292844fd48

Network Activity

URLs

URL	IP
hxxp://207.244.66.33/get/?q=NMy0JcK+LXjo66iVNP6M2AtGYa0Op79S39o1rn9onWEIh3H56mnWeBycqNmY7Y6ZubY87QWpFdwqBDU/QtTYIoxSnETxkmL+CiE+5XAhUKsQhd9OKnArlZJKLbkN8poWzAqwZsQDniAo8wZ3WsB7JW4/3P5fsVlc3whgSoIoILD32/wiIqf9y1EUM7F8n3o74POfahoO7z9W8JcWukMJ8W9lHWO0knVHUBDDBrD3iZFJU28UnlrtDdr23Ty/6PkkLdat4x9gowH6N2wyvJR56E4XBasBk4rrdB6TGzM1S0N7DPtphN/fbe8V6ZssJX47QZbOnTmDr6e+5u53PZYkLQN4aHYmbuxWNzayinQLdNaSqv+jGaNmeNslsLfE3BtYY6yMOkE24ku9dUHu725batau04T0c3oamc/us65y6G7TwFHgHWKk2okUx0WUiAYQraTxmWf7+iRR3ggzFXHhZVZDK4Tg6CgBdOquvNfznxzXxNmJwCOS1kXgi3uziJdHZSAdaICH/yBTZO0oisViIqOcc+0PpqKoyeDa5W7L6GocvMDAdlgsgJMDAkDzDySQIsVJ65LIxDU2Gh0FR8DhNtFi4E
hxxp://207.244.66.33/install/
hxxp://dl.softservers.net/171001356/LiveSupport.exe	198.20.70.67
hxxp://bi.softservers.net/t/op?sid=111001356-SE-042&dt=1403602311&gid=48E230C6-CE2C-7E75-C900-8272EFE4B5DA&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1939276919	198.20.86.29
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1403591518&gid=c1bb9bfd-28e0-4a5d-9991-bf2582770261&tz=1403598718&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400	198.20.86.29
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1403591518&gid=c1bb9bfd-28e0-4a5d-9991-bf2582770261&tz=1403598718&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400	198.20.86.29
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171001356	69.175.108.139
hxxp://ls.callbanner.pcutilitiespro.com/get_version/	69.175.108.139
hxxp://updates.livesupport.pcutilitiespro.com/get_version/	69.175.108.139
hxxp://optpro.info/get/?q=NMy0JcK+LXjo66iVNP6M2AtGYa0Op79S39o1rn9onWEIh3H56mnWeBycqNmY7Y6ZubY87QWpFdwqBDU/QtTYIoxSnETxkmL+CiE+5XAhUKsQhd9OKnArlZJKLbkN8poWzAqwZsQDniAo8wZ3WsB7JW4/3P5fsVlc3whgSoIoILD32/wiIqf9y1EUM7F8n3o74POfahoO7z9W8JcWukMJ8W9lHWO0knVHUBDDBrD3iZFJU28UnlrtDdr23Ty/6PkkLdat4x9gowH6N2wyvJR56E4XBasBk4rrdB6TGzM1S0N7DPtphN/fbe8V6ZssJX47QZbOnTmDr6e+5u53PZYkLQN4aHYmbuxWNzayinQLdNaSqv+jGaNmeNslsLfE3BtYY6yMOkE24ku9dUHu725batau04T0c3oamc/us65y6G7TwFHgHWKk2okUx0WUiAYQraTxmWf7+iRR3ggzFXHhZVZDK4Tg6CgBdOquvNfznxzXxNmJwCOS1kXgi3uziJdHZSAdaICH/yBTZO0oisViIqOcc+0PpqKoyeDa5W7L6GocvMDAdlgsgJMDAkDzDySQIsVJ65LIxDU2Gh0FR8DhNtFi4E

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?sid=171001356 HTTP/1.1

User-Agent: LiveSupport

Host: ls.callbanner.pcutilitiespro.com

HTTP/1.1 200 OK

Server: nginx/1.5.4

Date: Tue, 24 Jun 2014 11:26:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=4

X-Powered-By: PHP/5.4.19

0..

GET /get_version/ HTTP/1.1

User-Agent: LiveSupport

Host: updates.livesupport.pcutilitiespro.com

HTTP/1.1 200 OK

Server: nginx/1.5.4

Date: Tue, 24 Jun 2014 11:27:33 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=4

X-Powered-By: PHP/5.4.19

5..1.2.7..0..

GET /t/op?sid=111001356-SE-042&dt=1403602311&gid=48E230C6-CE2C-7E75-C900-8272EFE4B5DA&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1939276919 HTTP/1.1

Host: bi.softservers.net

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 11:26:52 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

GET /171001356/LiveSupport.exe HTTP/1.0

Host: dl.softservers.net

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 11:26:51 GMT

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 15:25:14 GMT

Connection: close

content-length: 1503528

ETag: "5328655a-16d478"

Content-Disposition: attachment; filename=LiveSupport.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................3.......................2.....................Rich............................PE..L....((S.................(...........g.......@....@.......................... ......(.....@.....................................P.......p...............(............................................q..@............@..P............................text....'.......(.................. ..`.rdata...L...@...N...,..............@..@.data....4...........z..............@....rsrc...p...........................@..@.reloc...'.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................U.........l.A.3..E.V.u.W.}.h..........j.P..;...........Qj.j.j(j...8AA.....j.........#.PWVh.AA.j...<AA.3... ..._^...M.3...;....].U...U....@$R.U.R.U.R..]............AA..:C.......U..V.....AA..$C...E..t.V..:.......^]............U..QV..j..M..:0...F....s.@.F..M..N0..^..].......U..QVW..j..M...0...G...t....s.H.G..w........M.#...0.._..^..].......AA...........U..QW.9..t;j..M.../...G...t....s.H.G.V.w......M...../..#.t.....j.....^_..]......................................U...E....u..y..r....E..U....]....y..r....M.P.

<<< skipped >>>

GET /get/?q=NMy0JcK+LXjo66iVNP6M2AtGYa0Op79S39o1rn9onWEIh3H56mnWeBycqNmY7Y6ZubY87QWpFdwqBDU/QtTYIoxSnETxkmL+CiE+5XAhUKsQhd9OKnArlZJKLbkN8poWzAqwZsQDniAo8wZ3WsB7JW4/3P5fsVlc3whgSoIoILD32/wiIqf9y1EUM7F8n3o74POfahoO7z9W8JcWukMJ8W9lHWO0knVHUBDDBrD3iZFJU28UnlrtDdr23Ty/6PkkLdat4x9gowH6N2wyvJR56E4XBasBk4rrdB6TGzM1S0N7DPtphN/fbe8V6ZssJX47QZbOnTmDr6e+5u53PZYkLQN4aHYmbuxWNzayinQLdNaSqv+jGaNmeNslsLfE3BtYY6yMOkE24ku9dUHu725batau04T0c3oamc/us65y6G7TwFHgHWKk2okUx0WUiAYQraTxmWf7+iRR3ggzFXHhZVZDK4Tg6CgBdOquvNfznxzXxNmJwCOS1kXgi3uziJdHZSAdaICH/yBTZO0oisViIqOcc+0PpqKoyeDa5W7L6GocvMDAdlgsgJMDAkDzDySQIsVJ65LIxDU2Gh0FR8DhNtFi4E HTTP/1.1

Accept: */*

User-Agent: win32

Host: optpro.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Tue, 24 Jun 2014 11:29:33 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

X-Powered-By: PHP/5.4.16

0..

GET /t/ls?sid=171001356-CA-035&dt=1403591518&gid=c1bb9bfd-28e0-4a5d-9991-bf2582770261&tz=1403598718&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 11:26:59 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

....

GET /t/ls?sid=171001356-CA-035&dt=1403591518&gid=c1bb9bfd-28e0-4a5d-9991-bf2582770261&tz=1403598718&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1

User-Agent: LiveSupport

Host: bi.softservers.net

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Tue, 24 Jun 2014 11:26:59 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

content-type: text/html

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_480:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

OptProStart.exe_324:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

!"#$%d

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyworddRA

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys\

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewP

WindowState

OnKeyDown

OnKeyPress

OnKeyUp

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

UhExE

%s, %.2d %s %.4d %s %s

%s, %d %s %d %s %s

password

Password

IdHTTPHeaderInfo

ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>Port</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPassword(<F><pre>EIdOSSLLoadingRootCertErrorlFF</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient@dF</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>TIdHTTPOnHeadersAvailable</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPProtocol</pre><pre>TIdCustomHTTP</pre><pre>TIdHTTP</pre><pre>HTTPOptions</pre><pre>PortP</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>OnActionExecuteX</pre><pre>%s, ClassID: %s</pre><pre>ole32.dll</pre><pre>\OptimizerPro.exe</pre><pre>WelcomeURL</pre><pre>SupportURL</pre><pre>HomePageURL</pre><pre>BuyNowURL</pre><pre>UninstallURL</pre><pre>AdsDownloadURL</pre><pre>AdsBuyNowURL</pre><pre>BannerURL</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>wininet.dll</pre><pre>6!606@6`6</pre><pre>5!5%5)5-515</pre><pre>> >$>(>,>0>4>8><>@>\>|></pre><pre>0#0'0 0/03070;0</pre><pre>= >$>(>,>0>4></pre><pre>3 3$3(3,30343</pre><pre>9%9u9</pre><pre>5 5$5(5,5:5</pre><pre>8"9&9*92989</pre><pre>2 2$2(2,20242</pre><pre>5"5&5*5.52565:5</pre><pre>2"292\2?3</pre><pre>3 3$3(3,3034383<3@3\3|3</pre><pre>9 9$9(9,90949\9|9</pre><pre>5&5*5>5`5</pre><pre>2-2`2</pre><pre>KWindows</pre><pre>UrlMon</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>Font.Charset</pre><pre>Font.Color</pre><pre>Font.Height</pre><pre>Font.Name</pre><pre>Font.Style</pre><pre>Icon.Data</pre><pre>Could not load certificate.#Could not load key, check password.</pre><pre>SSL status: "%s"</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Command not supported.</pre><pre>Address type not supported.$Error accepting connection with SSL.</pre><pre>Error creating SSL context. Could not load root certificate.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>Chunk StartedDThis authentication method is already registered with class name %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>%s is not a valid IP address.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre>Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>No help keyword specified.</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help system installed</pre><pre>Alt Clipboard does not support Icons/Menu '%s' is already being used by another form</pre><pre>Unsupported clipboard format</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s' List capacity out of bounds (%d)</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><pre>3.0.0.0</pre><b>LiveSupport.exe_640:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>8%u:j</pre><pre>xSSSh</pre><pre>FTPjKS</pre><pre>FtPj;S</pre><pre>C.PjRV</pre><pre>RegOpenKeyTransactedW</pre><pre>RegCreateKeyTransactedW</pre><pre>RegDeleteKeyTransactedW</pre><pre>FRegDeleteKeyExW</pre><pre>Visual C CRT: Not enough memory to complete call to strerror.</pre><pre>portuguese-brazilian</pre><pre>Broken pipe</pre><pre>Inappropriate I/O control operation</pre><pre>Operation not permitted</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>RPCRT4.dll</pre><pre>InternetOpenUrlW</pre><pre>HttpQueryInfoW</pre><pre>WININET.dll</pre><pre>GdiplusShutdown</pre><pre>gdiplus.dll</pre><pre>SHLWAPI.dll</pre><pre>VERSION.dll</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegCreateKeyExW</pre><pre>RegDeleteKeyW</pre><pre>RegCloseKey</pre><pre>RegQueryInfoKeyW</pre><pre>RegEnumKeyExW</pre><pre>RegFlushKey</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>ShellExecuteW</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>OLEAUT32.dll</pre><pre>COMCTL32.dll</pre><pre>GDI32.dll</pre><pre>GetCPInfo</pre><pre>.?AV?$CFlagStateDlg@VCSupportContainerDlg@@@@</pre><pre>.?AV?$CDialogImpl@VCSupportContainerDlg@@VCWindow@ATL@@@ATL@@</pre><pre>.?AVCCmdLineOptions@@</pre><pre>.?AVCHttpHelper@@</pre><pre>.?AVCSupportContainerDlg@@</pre><pre>.?AVIHttpObserver@@</pre><pre>zcÁ</pre><pre>%c:^"</pre><pre>`%c:*</pre><pre>a).Wc@</pre><pre>50!`A.egu</pre><pre>%SDDB</pre><pre>A.eu~</pre><pre>.Ny_>`_</pre><pre>vF%D@D</pre><pre>.bm' O</pre><pre>L:.KeBf</pre><pre>.Hj(^</pre><pre>-.uwl</pre><pre>f%s$o</pre><pre>V.LGm</pre><pre>.Dt!n\</pre><pre> K.eOpmd</pre><pre>RI.lvy</pre><pre>.ZKl/ Z,</pre><pre>\iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" xmpMM:DocumentID="xmp.did:EA5144FCF05511E2B7E798039BD56FBF" xmpMM:InstanceID="xmp.iid:EA5144FBF05511E2B7E798039BD56FBF" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D55BB01090EFE211ACDE8560C64C7E45" stRef:documentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5" xmpMM:InstanceID="xmp.iid:ABDDC127FAB511E2AF40EC6881A4C2FD" xmpMM:DocumentID="xmp.did:ABDDC128FAB511E2AF40EC6881A4C2FD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ABDDC125FAB511E2AF40EC6881A4C2FD" stRef:documentID="xmp.did:ABDDC126FAB511E2AF40EC6881A4C2FD" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" xmpMM:DocumentID="xmp.did:12D33543FAB411E282A6DA328A34807F" xmpMM:InstanceID="xmp.iid:12D33542FAB411E282A6DA328A34807F" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B65DA3C4FDF9E211A6FF95665BD7D125" stRef:documentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>></pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"></compatibility></assembly></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS></pre><pre><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></pre><pre>6f6C6T6b6s6</pre><pre>: :$:(:,:0:4:8:</pre><pre>4 4$4(4,404|:</pre><pre>:(:4:<:\:</pre><pre>2 2<2@2`2</pre><pre>3 3@3\3`3</pre><pre>(0@0`0|0</pre><pre>Advapi32.dll</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>cmdonly</pre><pre>LiveSupport_MainDlg</pre><pre>LiveSupport</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>unins000.exe</pre><pre>_log.txt</pre><pre>AdsLicenseKey</pre><pre>AdsRunKey</pre><pre>CallbannerUrl</pre><pre>Cmd params:</pre><pre>24x7 Tech Support</pre><pre>Live Support</pre><pre>UrlTerms</pre><pre>UrlPrivacy</pre><pre>UrlAbout</pre><pre>UrlFAQ</pre><pre>Uninstall LiveSupport</pre><pre>New update package is available for LiveSupport.</pre><pre>Support</pre><pre>AdsDownloadUrl</pre><pre>http://www.pcutilitiespro.com/terms-and-conditions.aspx</pre><pre>http://www.pcutilitiespro.com/privacy.aspx</pre><pre>http://www.pcutilitiespro.com/livesupport.aspx</pre><pre>http://www.pcutilitiespro.com/faq.aspx</pre><pre>SoftUpdateUrl</pre><pre>http://updates.livesupport.pcutilitiespro.com</pre><pre>Software\LiveSupport</pre><pre>Display icon on all windows</pre><pre>@_update.exe</pre><pre>/LiveSupport_setup_%ver%.exe</pre><pre>Call us now for instant Technical Support and Assistance for PC issues such as network, printer, software installation and much more</pre><pre>Certified Trained Technicians</pre><pre>LiveSupport-</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>nKERNEL32.DLL</pre><pre>WUSER32.DLL</pre><pre>%Program Files%\LiveSupport\LiveSupport.exe</pre><pre>"GENERAL_CALL","24x7 Tech Support",</pre><pre>"MDLG_MAIN_PAGE","< Support","< Startseite"</pre><pre>"MDLG_TSKBAR_TOOLTIP","Click here for instant access to technical support from the %APP_BRAND%","Klicken Sie hier f</pre><pre>r sofortigen Zugriff auf technischen Support von der %APP_BRAND%"</pre><pre>"SPDLG_TITLE_2","Support","-Support"</pre><pre>"SPDLG_TITLE_3","Your Certified PC Expert","Certified geschulte Techniker"</pre><pre>r den sofortigen technischen Support und Unterst</pre><pre>"SPDLG_TABTITLE","Support","Support"</pre><pre>"SCDLG_NETERROR","Error occurred while downloading %UPSELL_BRAND%. ","Internet Fehler beim Herunterladen% UPSELL_BRAND%."</pre><pre>"FDLG_LINK_UNINSTALL","Uninstall LiveSupport","Deinstallieren Live Support"</pre><pre><a>Uninstall LiveSupport</a></pre><pre>1234567</pre><pre>Replace%Select the entire document</pre><pre>Arrange Icons/Arrange windows so they overlap</pre><pre>Cascade Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows(Split the active window into panes</pre><pre>1.2.8.0</pre><pre>LiveSupport.exe</pre></F></pre></pre></pre>