Detections: Susp_Dropper (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: ae2754f750de0db49bf0e15dc2ca86c1
SHA1: 322301b67de30a10ecf8278862137bc877d492f9
SHA256: 595f23b40de5053d37076766497fab7b4ce966deba21f172b526d2c49ca909df
SSDeep: 196608:oDqrnohPviEX2tf81ASkbfNPplo6kqOj:oDqrnohPqEGt y4
Size: 6952448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphiv60v70_v2, UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141
Company: no certificate found
Created at: 2014-05-15 11:42:51
Analyzed on: Windows XP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
optprosetup.exe:1416
optprosetup.tmp:1536
LiveSupport.exe:860
rundll32.exe:968
rundll32.exe:408
LiveSupport_setup.exe:1588
regsvr32.exe:420
regsvr32.exe:484
%original file name%.exe:240
LiveSupport_setup.tmp:1260
The Backdoor injects its code into the following process(es):
LiveSupport.exe:568
OptProStart.exe:1804
File activity
The process optprosetup.exe:1416 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-NSSAQ.tmp\optprosetup.tmp (7386 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-NSSAQ.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-NSSAQ.tmp\optprosetup.tmp (0 bytes)
The process optprosetup.tmp:1536 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Optimizer Pro\is-U4TB9.tmp (48 bytes)
%Program Files%\Optimizer Pro\is-HCT3Q.tmp (31891 bytes)
%Program Files%\Optimizer Pro\is-CD3E9.tmp (22 bytes)
%Program Files%\Optimizer Pro\is-GTPPI.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-AJ4U3.tmp (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\OptProCrash.dll (21387 bytes)
%Program Files%\Optimizer Pro\is-D2FRB.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-MV8DA.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-L9B0O.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-3NPU4.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-T52DK.tmp (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-2JNRV.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-11LHC.tmp (54 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (182552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-VPCA9.tmp (601 bytes)
%Program Files%\Optimizer Pro\is-MP9AJ.tmp (898 bytes)
%Program Files%\Optimizer Pro\is-D3906.tmp (2321 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-6I6K9.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-Q97IO.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-VN9TO.tmp (185630 bytes)
%Program Files%\Optimizer Pro\is-GINHL.tmp (7433 bytes)
%Program Files%\Optimizer Pro\is-6V79U.tmp (7547 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\optpro2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\LiveSupport.exe (0 bytes)
The process LiveSupport.exe:568 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXYNCP2F\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1220 bytes)
The process LiveSupport.exe:860 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
The process LiveSupport_setup.exe:1588 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-DK69S.tmp\LiveSupport_setup.tmp (7386 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-DK69S.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DK69S.tmp\LiveSupport_setup.tmp (0 bytes)
The process regsvr32.exe:420 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
The process %original file name%.exe:240 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{AF8CE15C-A159-4D6F-9380-16AC9D23F3AF}\optprosetup.exe (46331 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{AF8CE15C-A159-4D6F-9380-16AC9D23F3AF}\optprosetup.exe (0 bytes)
The process LiveSupport_setup.tmp:1260 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6AQ0K.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Program Files%\LiveSupport\is-E4I8P.tmp (1281 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Program Files%\LiveSupport\is-D3BTA.tmp (34256 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-DLOU2.tmp (7385 bytes)
%Program Files%\LiveSupport\is-313NV.tmp (673 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-6AQ0K.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6AQ0K.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6AQ0K.tmp (0 bytes)
Registry activity
The process optprosetup.exe:1416 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 E0 A1 DB 80 A3 7F F2 EC 4B 9C 89 62 2B 3A AB"
The process optprosetup.tmp:1536 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svpath" = "c:\Program Files\Optimizer Pro\OptProCrash.dll"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "72310599"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"appid.0" = "BybKGec6u4u7cfABCDFRCZpopjOAn/Ht7CBO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"dlpath" = "c:\progra~1\optimi~1\optpro~2.dll"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.0" = "B1GfBzBNUtfevynikg9leBxaibbbhTCa 3 mOOswA3lG194KayYTcPiGEcnI12xkeQhRth45k3tsx55CRYXvr5T1xHXdYAtEEA cJkni0G"
"data.1" = "bijMQFadLyYXOIKEG mnHLECbVmxdx1mEgKppxjmIlAU6LWwQuWJpHLQozjZAdoBnxO4OsgW793XbVUIcRIZn /M l5YpBXvcjrfwd79k0TbffV3I4X7xsHQYBXZnv"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "72310599"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1401139145"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/f/Ct////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Optimizer Pro]
"Language" = "1"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cf2620e3\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\optimi~1\optpro~2.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140527"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1520c6f1" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.0" = "DsbKGdg0123456789/"
"usr.1" = "amy8/vwysurpnikg01"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 95 3D 69 2F ED A1 C9 08 7C C8 5F 36 7C 07 1D"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"State" = "0"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7f69fa1f" = "///%"
"0e93c3f3" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Language" = "en"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svt" = "1401146345"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2e22d94e" = "///%"
"0e93c3f3" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\Optimizer Pro]
"culValue" = ""
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.1" = "amy8/vwysurpnikg01"
"usr.0" = "DsbKGdg0123456789/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
"Version" = "22022025"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"27ddcf6f" = "///%"
"d1abcdb6" = "///%"
"0c230bcb" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1401139145"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svn" = "Optimizer Pro Crash Monitor"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cf2620e3\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svi" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svx" = ""
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.1" = "bijMQFadLyYXOIKEG mnHLECbVmxdx1mEgKppxjmIlAU6LWwQuWJpHLQozjZAdoBnxO4OsgW793XbVUIcRIZn /M l5YpBXvcjrfwd79k0TbffV3I4X7xsHQYBXZnv"
"data.0" = "B1GfBzBNUtfevynikg9leBxaibbbhTCa 3 mOOswA3lG194KayYTcPiGEcnI12xkeQhRth45k3tsx55CRYXvr5T1xHXdYAtEEA cJkni0G"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/f/Ct////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-M7EJS.tmp]
"LiveSupport.exe" = "LiveSupport Installer"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C/////%"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"ca82e1a5" = "%Program Files%\Optimizer Pro\OptProCrash.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C/////%"
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"
[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LiveSupport.exe:568 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\LiveSupport]
"SoftUpdateUrl" = "http://updates.livesupport.pcutilitiespro.com"
"ShowTitleBarBtn" = "1"
"Assistant" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\LiveSupport]
"AppStart" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\LiveSupport]
"Language" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\LiveSupport]
"OS" = "102"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\LiveSupport]
"SoftUpdateDate" = "0"
"RunOnOSRun" = "1"
"QueryDate" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\LiveSupport]
"FixHoverIconToTray" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 69 C1 C7 57 7D AD 82 37 E5 37 D0 78 70 2B AF"
[HKCU\Software\LiveSupport]
"InstallDate" = "1401146364"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\LiveSupport]
"MachineGuid" = "fafb00f9-c582-4b60-a9d2-0136e3971d53"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Backdoor writes the three Internet Explorer Local intranet zone mapping values: UNCAsIntranet (include all network paths), ProxyBypass (include all sites that bypass the proxy server) and IntranetName (include all local intranet sites not listed in other zones). All three are IE's default settings for that zone on the analysed Windows XP build; together with the Cache\Paths and MigrateProxy values listed above they are the usual side effect of a process initialising WinINet, so on their own they do not widen the zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run itself each time the current user logs on, the Backdoor adds the following value to the per-user autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LiveSupport.exe:860 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 6B 1B 38 AF 98 44 49 BD 90 91 37 D3 87 B8 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process writes the Internet Explorer Local intranet zone mapping values (IE's defaults for that zone: proxy-bypass sites, unlisted local sites and UNC paths stay in the Local intranet zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
"IntranetName" = "1"
"UNCAsIntranet" = "1"
The process rundll32.exe:968 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"fe94ce1e" = "V/////%%"
"e46c271e" = "///%"
"2e22d94e" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"7367429f" = "///%"
"340d3099" = "/P////%%"
"1520c6f1" = "V/////%%"
"3c09c42b" = "///%"
"2d71d5ab" = "V/////%%"
"a2e3b941" = "///%"
"c6c5dd44" = "V/////%%"
"f6ad6fa6" = "VP/l/C/////%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"c99a5f5c" = "///%"
"c5705860" = "Vx////%%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"a0743acc" = "N/////%%"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"414bc593" = "///%"
"7f69fa1f" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"587b5709" = "V/////%%"
"48bd1aff" = "VP/l/C//N//l////"
"0c230bcb" = "///%"
"0e93c3f3" = "///%"
"72758a5d" = "///%"
"a1dcff5b" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/f/Ct////%"
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 A4 6B 10 5C F8 54 BC AF 4B A0 A6 0B E2 EB 0A"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"8b9e4cbc" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
"493c7345" = ""
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
"65114b36" = "VP/ ////"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"27ddcf6f" = "///%"
"bbf88800" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"
The process rundll32.exe:408 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A FD D0 96 0E 63 B3 89 C4 F5 F7 A1 B7 C8 CB 16"
The process OptProStart.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111001356-KE-042&g=6FC446C8-CEB8-68CC-2F52-AE85E6AE868D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Optimizer Pro]
"UseAds" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Optimizer Pro]
"AppStart" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001356-KE-042"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Optimizer Pro]
"DelayedStart" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"
"Querry" = "http://bi.softservers.net/t/op?sid=111001356-KE-042&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=2975919160"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001356&g=6FC446C8-CEB8-68CC-2F52-AE85E6AE868D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 67 C3 03 DD 82 05 9C A9 7E 40 4E 6B 19 76 C8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Optimizer Pro]
"InstallDate" = "CC 8F D2 17 43 67 E4 40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "6FC446C8-CEB8-68CC-2F52-AE85E6AE868D"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LiveSupport_setup.exe:1588 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B A4 07 EF 56 CC 5B 0E E5 06 43 B7 39 50 75 C9"
The process regsvr32.exe:420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A D8 A1 F3 8B 02 00 0B 10 10 F7 9D E7 04 BD 1D"
[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"
The process regsvr32.exe:484 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 38 92 16 3C D8 D7 2B 03 0B 3D 34 37 12 3D C4"
The process %original file name%.exe:240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 9F 9F 23 E7 2A DD 0E 5B 26 D6 10 2A 42 71 3E"
[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"
The process LiveSupport_setup.tmp:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"
[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"
[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"
[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"Inno Setup: App Path" = "%Program Files%\LiveSupport"
"MinorVersion" = "2"
[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171001356"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191001356/OptmizerPro.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 AB BD 3A BA 3B BB C1 1B EA AB DD B5 24 39 16"
[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171001356-UA-035"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"Publisher" = "PC Utilities Software Limited"
[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140527"
The process writes the Internet Explorer Local intranet zone mapping values (IE's defaults for that zone: UNC paths, proxy-bypass sites and unlisted local sites stay in the Local intranet zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
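The registry listing above uses a two-level notation: a bracketed key path followed by one or more "name" = "value" lines, with the same key repeated wherever the sandbox logged it. The Python below is an added example, not part of the Lavasoft report, that parses that notation, re-attaches each value to its key and then pulls out what a responder wants first: the HKCU Run entries (logon persistence), the InprocServer32 default that makes Explorer load the LiveSupport deskband DLL, the Inno Setup uninstall entries, and every URL the two components keep in their configuration keys. The input is a constructed excerpt of the listing above; the function names are this example's own.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed excerpt in the report's own notation ([key] then "name" = "value" lines).
SAMPLE_LISTING = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"
"MachineGuid" = "fafb00f9-c582-4b60-a9d2-0136e3971d53"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"
"Inno Setup: Setup Version" = "5.5.3 (u)"
[HKCU\Software\Optimizer Pro]
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"
"Querry" = "http://bi.softservers.net/t/op?sid=111001356-KE-042&dt=%dt%&gid=%GID%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"
'''

Triple = Tuple[str, str, str]  # (key path, value name, value data)

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')
URL_RE = re.compile(r'https?://[^\s"]+')
AUTORUN_SUFFIXES = (
    r'\software\microsoft\windows\currentversion\run',
    r'\software\microsoft\windows\currentversion\runonce',
)


def parse_listing(text: str) -> List[Triple]:
    """Re-attach every "name" = "value" line to the [key] line that precedes it."""
    triples: List[Triple] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            triples.append((key, m.group('name'), m.group('value')))
    return triples


def persistence_entries(triples: List[Triple]) -> List[Triple]:
    """Values under a Run/RunOnce key in any hive: the logon persistence."""
    return [t for t in triples
            if any(t[0].lower().endswith(s) for s in AUTORUN_SUFFIXES)]


def com_servers(triples: List[Triple]) -> List[Tuple[str, str]]:
    """(CLSID key, DLL path) for every InprocServer32 default: DLLs the shell or IE will load."""
    return [(k, v) for k, n, v in triples
            if k.lower().endswith(r'\inprocserver32') and n == '(Default)']


def inno_packages(triples: List[Triple]) -> List[str]:
    """DisplayName of every Inno Setup uninstall entry (key name ends in _is1)."""
    return [v for k, n, v in triples
            if k.lower().endswith('_is1') and n == 'DisplayName']


def network_indicators(triples: List[Triple]) -> Dict[str, List[str]]:
    """Distinct URLs per host, pulled from any value that embeds http(s)://."""
    by_host: Dict[str, List[str]] = OrderedDict()
    for _, _, value in triples:
        for url in URL_RE.findall(value):
            host = url.split('//', 1)[1].split('/', 1)[0].lower()
            urls = by_host.setdefault(host, [])
            if url not in urls:
                urls.append(url)
    return by_host


if __name__ == '__main__':
    t = parse_listing(SAMPLE_LISTING)
    for key, name, value in persistence_entries(t):
        print(f'AUTORUN  {key}\\{name} -> {value}')
    for key, dll in com_servers(t):
        print(f'COM      {key} -> {dll}')
    for name in inno_packages(t):
        print(f'INNO     {name}')
    for host, urls in network_indicators(t).items():
        print(f'HOST     {host}: {len(urls)} url(s)')
```

The URL extraction deliberately treats every value as a candidate rather than only the ones named *URL, because the telemetry template is stored under a misspelled name ("Querry") and would be missed by a name-based filter.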
Dropped PE files
MD5 | File path |
---|---|
d2d6341a87cc3995abe80f505b6e112a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LiveSupport_setup.exe |
83b23770542fa3beea79bda888ccf932 | c:\Program Files\Optimizer Pro\OptProCrash.dll |
cad09dbc0856f9491fba84b90d3074b5 | c:\Program Files\Optimizer Pro\OptProGuard.exe |
e198b8dd71029180ebed601b26c6e233 | c:\Program Files\Optimizer Pro\OptProHelper.dll |
22634aa340d3f394096c3c4b6c3ec278 | c:\Program Files\Optimizer Pro\OptProLauncher.exe |
01c609c02ba4dc299fa8cf80f3dd71e7 | c:\Program Files\Optimizer Pro\OptProReminder.exe |
50b1bde9dee9de6fdc5db312ee7b2e00 | c:\Program Files\Optimizer Pro\OptProSchedule.exe |
2ffe69b7bfa12fa9d1a8c5eaf4046402 | c:\Program Files\Optimizer Pro\OptProSmartScan.exe |
3cadbc73150e1a3950a46e29eb6cce79 | c:\Program Files\Optimizer Pro\OptProStart.exe |
1bf6cdd94b9612dd2502275b4377b728 | c:\Program Files\Optimizer Pro\OptProUninstaller.exe |
a1ee0f69d64b414571a5c17985d3ae10 | c:\Program Files\Optimizer Pro\OptimizerPro.exe |
d82a429efd885ca0f324dd92afb6b7b8 | c:\Program Files\Optimizer Pro\itdownload.dll |
0f66e8e2340569fb17e774dac2010e31 | c:\Program Files\Optimizer Pro\sqlite3.dll |
e78a0bece217e686077372b8e3f6a975 | c:\Program Files\Optimizer Pro\unins000.exe |
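The table above gives only MD5s, so a hash hit identifies these exact builds and nothing else; MD5 is also collision-prone, so anything you find should be recorded with a SHA-256 as well. The Python below is an added example, not tooling from the report, that hashes every file under a directory and reports the ones whose MD5 appears in the table, and separately lists leftover Inno Setup staging files (the is-XXXXX.tmp names that appear throughout the file list above), which show that the installer ran even when its outputs were cleaned up. Because the dropped files themselves are not available here, the self-check runs on a constructed directory with a stand-in file.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MD5s from the "Dropped PE files" table above, keyed by digest.
DROPPED_MD5: Dict[str, str] = {
    'd2d6341a87cc3995abe80f505b6e112a': 'LiveSupport_setup.exe',
    '83b23770542fa3beea79bda888ccf932': 'OptProCrash.dll',
    'cad09dbc0856f9491fba84b90d3074b5': 'OptProGuard.exe',
    'e198b8dd71029180ebed601b26c6e233': 'OptProHelper.dll',
    '22634aa340d3f394096c3c4b6c3ec278': 'OptProLauncher.exe',
    '01c609c02ba4dc299fa8cf80f3dd71e7': 'OptProReminder.exe',
    '50b1bde9dee9de6fdc5db312ee7b2e00': 'OptProSchedule.exe',
    '2ffe69b7bfa12fa9d1a8c5eaf4046402': 'OptProSmartScan.exe',
    '3cadbc73150e1a3950a46e29eb6cce79': 'OptProStart.exe',
    '1bf6cdd94b9612dd2502275b4377b728': 'OptProUninstaller.exe',
    'a1ee0f69d64b414571a5c17985d3ae10': 'OptimizerPro.exe',
    'd82a429efd885ca0f324dd92afb6b7b8': 'itdownload.dll',
    '0f66e8e2340569fb17e774dac2010e31': 'sqlite3.dll',
    'e78a0bece217e686077372b8e3f6a975': 'unins000.exe',
}

# Inno Setup stages files as is-XXXXX.tmp before renaming them (see the file list above).
INNO_STAGING_RE = re.compile(r'^is-[A-Z0-9]{5}\.tmp$', re.IGNORECASE)


def file_digests(path: Path, chunk: int = 1 << 20) -> Tuple[str, str]:
    """MD5 (to match the table) and SHA-256 (to record something collision-resistant)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open('rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root: Path, ioc_md5: Dict[str, str]) -> List[dict]:
    """Hash every regular file under root and return those whose MD5 is in ioc_md5."""
    hits: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            try:
                md5, sha256 = file_digests(path)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            if md5 in ioc_md5:
                hits.append({'path': str(path), 'md5': md5,
                             'sha256': sha256, 'known_as': ioc_md5[md5]})
    return hits


def inno_staging_files(root: Path) -> List[str]:
    """Leftover is-XXXXX.tmp files: evidence the installer ran, even if its outputs were cleaned."""
    return sorted(str(Path(d) / f) for d, _, fs in os.walk(root)
                  for f in fs if INNO_STAGING_RE.match(f))


def sweep_constructed_sample() -> dict:
    """Self-check on a constructed directory (the real dropped files are not available here)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'Optimizer Pro').mkdir()
        sample = root / 'Optimizer Pro' / 'OptProStart.exe'
        sample.write_bytes(b'MZ constructed stand-in, not the real dropped file')
        (root / 'is-NSSAQ.tmp').write_bytes(b'')
        sample_md5 = hashlib.md5(sample.read_bytes()).hexdigest()
        return {
            'table_hits': sweep(root, DROPPED_MD5),
            'sample_hits': sweep(root, {sample_md5: 'constructed sample'}),
            'staging': [Path(p).name for p in inno_staging_files(root)],
        }


if __name__ == '__main__':
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target is None:
        print(sweep_constructed_sample())
    else:
        for hit in sweep(target, DROPPED_MD5):
            print(f"{hit['known_as']:<24} {hit['md5']}  {hit['path']}")
        for leftover in inno_staging_files(target):
            print(f'inno staging file        {leftover}')
```

On a live host point it at %Program Files% and the user's Temp directory; the stand-in file never matches the table, which is the expected result for anything but the analysed builds.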
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
optprosetup.exe:1416
optprosetup.tmp:1536
LiveSupport.exe:860
rundll32.exe:968
rundll32.exe:408
LiveSupport_setup.exe:1588
regsvr32.exe:420
regsvr32.exe:484
%original file name%.exe:240
LiveSupport_setup.tmp:1260
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\is-NSSAQ.tmp\optprosetup.tmp (7386 bytes)
%Program Files%\Optimizer Pro\is-U4TB9.tmp (48 bytes)
%Program Files%\Optimizer Pro\is-HCT3Q.tmp (31891 bytes)
%Program Files%\Optimizer Pro\is-CD3E9.tmp (22 bytes)
%Program Files%\Optimizer Pro\is-GTPPI.tmp (673 bytes)
%Program Files%\Optimizer Pro\is-AJ4U3.tmp (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\OptProCrash.dll (21387 bytes)
%Program Files%\Optimizer Pro\is-D2FRB.tmp (4545 bytes)
%Program Files%\Optimizer Pro\is-MV8DA.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-L9B0O.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\LiveSupport.exe (11493 bytes)
%Program Files%\Optimizer Pro\is-3NPU4.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-T52DK.tmp (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\is-2JNRV.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-11LHC.tmp (54 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (182552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\is-VPCA9.tmp (601 bytes)
%Program Files%\Optimizer Pro\is-MP9AJ.tmp (898 bytes)
%Program Files%\Optimizer Pro\is-D3906.tmp (2321 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-M7EJS.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-6I6K9.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-Q97IO.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-VN9TO.tmp (185630 bytes)
%Program Files%\Optimizer Pro\is-GINHL.tmp (7433 bytes)
%Program Files%\Optimizer Pro\is-6V79U.tmp (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXYNCP2F\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DK69S.tmp\LiveSupport_setup.tmp (7386 bytes)
%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AF8CE15C-A159-4D6F-9380-16AC9D23F3AF}\optprosetup.exe (46331 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6AQ0K.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Program Files%\LiveSupport\is-E4I8P.tmp (1281 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Program Files%\LiveSupport\is-D3BTA.tmp (34256 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-DLOU2.tmp (7385 bytes)
%Program Files%\LiveSupport\is-313NV.tmp (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 243824 | 244224 | 4.48763 | f9f0aade14c67d09468be18f630a5e6f |
.itext | 249856 | 1892 | 2048 | 3.91845 | 447acc7987383d9f97199f129fc1d0b0 |
.data | 253952 | 4712 | 5120 | 2.2301 | 743dd9c4dbbfcd9574a730a56d3ca04d |
.bss | 262144 | 20376 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 282624 | 4294 | 4608 | 3.31905 | 56d2896c70e78f1f97b8791d190e30d1 |
.tls | 290816 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 294912 | 24 | 512 | 0.143426 | 90ab2ceba4abe840b1324b1917bebffd |
.reloc | 299008 | 23032 | 23040 | 4.60435 | f84e43f159f7c101ce7704bfd268cef5 |
.rsrc | 323584 | 6665216 | 6665216 | 5.54053 | 4973348c6fd510dae0db11a2ae7c89f9 |
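Two things in that table are worth checking by hand before trusting a packer verdict: .rsrc holds 6,665,216 of the 6,952,448 bytes (95.9% of the file), which is what an installer that carries its payload as a resource looks like, and the two sections with a raw size of 0 (.bss and .tls) report the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e), i.e. they exist only in memory. The Python below is an added example, not part of the report, that reads the section table straight from the PE headers with struct (no third-party pefile), computes each section's share of the file and its Shannon entropy, and flags virtual-only sections, a section that dominates the file and any section whose entropy suggests compressed or encrypted data. Since the sample is not available here, the block also builds a constructed minimal PE image to run against; the thresholds and function names are this example's own.

```python
import math
import struct
import sys
from typing import List, NamedTuple


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> COFF header -> section table (IMAGE_SECTION_HEADER is 40 bytes)."""
    if image[:2] != b'MZ':
        raise ValueError('no MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    coff = e_lfanew + 4
    nsections = struct.unpack_from('<H', image, coff + 2)[0]
    opt_size = struct.unpack_from('<H', image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from('<8sIIII', image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b''
        sections.append(Section(name.rstrip(b'\0').decode('ascii', 'replace'),
                                vaddr, vsize, rsize, rptr, shannon_entropy(raw)))
    return sections


def section_report(image: bytes, dominant_share: float = 0.80) -> dict:
    """Per-section share of the file plus the checks an analyst applies to a table like the one above."""
    sections = parse_sections(image)
    total = len(image)
    findings = []
    for s in sections:
        share = s.raw_size / total if total else 0.0
        if s.raw_size == 0 and s.virtual_size:
            findings.append(f'{s.name}: virtual-only (no raw data; normal for .bss/.tls)')
        if share >= dominant_share:
            findings.append(f'{s.name}: {share:.1%} of the file; an embedded payload likely lives here')
        if s.raw_size >= 4096 and s.entropy >= 7.0:
            findings.append(f'{s.name}: entropy {s.entropy:.2f}, compressed or encrypted')
    return {'file_size': total, 'sections': sections, 'findings': findings}


def build_constructed_pe(sections) -> bytes:
    """Minimal PE32 image (headers, section table, raw data); constructed only to exercise the parser."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-headers_len // file_align) * file_align
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack('<H', 0x10B) + b'\0' * (opt_size - 2)
    headers, blobs, vaddr, ptr = [], [], 0x1000, data_start
    for name, raw, vsize in sections:
        headers.append(struct.pack('<8sIIIIIIHHI', name.ljust(8, b'\0'), vsize, vaddr,
                                   len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020))
        blobs.append(raw)
        ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    image = (dos + b'PE\0\0' + coff + opt + b''.join(headers)).ljust(data_start, b'\0')
    return image + b''.join(blobs)


def demo_image() -> bytes:
    """Constructed stand-in: a small code section, a dominant resource section, a virtual-only .bss."""
    return build_constructed_pe([
        (b'.text', b'\x90' * 4096, 4096),
        (b'.rsrc', bytes(range(256)) * 128, 32768),
        (b'.bss', b'', 2048),
    ])


if __name__ == '__main__':
    image = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else demo_image()
    report = section_report(image)
    for s in report['sections']:
        print(f'{s.name:<8} raw={s.raw_size:>9} virt={s.virtual_size:>9} entropy={s.entropy:.2f}')
    for finding in report['findings']:
        print('!', finding)
```

Run it with a file path to get the same kind of table for any sample; the sum of raw sizes that falls short of the file size is the overlay, which this parser does not cover.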
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://optpro.info/get/?q=l1Vyukb3K3/7hlhQIKCt/wH6tgTC8P3jFPzcbRe8Ggndb8hKdg8rgml08CzLe7G1DFEXfT+EU9rr79YNoMD5XcKCYJk8zOrmdgrl/PdE2ybvRIVLCpj13H4Abp56g2Z7aLdgLwjX/XFrsklewSOEno1lI8qvBe+hPLsrM4Ibf9Fszl4j7zTaaNuL/N4fMN/9PugGTJt2o8UYKuCbrkH9VmjiREHdy2KC2H1gMGfWsKgiaym+6bizA6MwdCRVh/c/x2VBH4i57LkpXphYVu06f/4rlER27g4ssVGPZDjU9xeuNand4qkyHhs2fG0cjOxk9wOqtSjaM9i1djjjL3ImgGfhljPZgoLVRxjBz6/6JHRC2Oz5s6CJ+3MKPzIXrQYxM+39xZtAxp1oUrk6dVXt/F7Tv3VzKU04kgWgIMS7WSxU+Qc4kdXE8p/q7TxPTigpxxXbO4wxJhy0xKBSIm8OGZSZqsH2k+a7o3k7iG1iw+iQ80hZAUsaIUxU6kSBU/5amoBslS2qSq7ZJyGodec9ID/GktB93vA9rKF8YKefThpeoUJXtnuozxUb0kfcw0L86RO1x1KAJhBltfd8NGSIy084cdef | 207.244.66.33 |
hxxp://optpro.info/install/ | 207.244.66.33 |
hxxp://dl.softservers.net/171001356/LiveSupport.exe | 198.20.70.67 |
hxxp://bi.softservers.net/t/op?sid=111001356-KE-042&dt=1401157151&gid=6FC446C8-CEB8-68CC-2F52-AE85E6AE868D&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=2975919160 | 198.20.86.29 |
hxxp://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=1401146364&gid=fafb00f9-c582-4b60-a9d2-0136e3971d53&tz=1401153564&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 | 198.20.86.29 |
hxxp://bi.softservers.net/t/ls?sid=171001356-UA-035&dt=1401146365&gid=fafb00f9-c582-4b60-a9d2-0136e3971d53&tz=1401153565&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 | 198.20.86.29 |
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171001356 | 69.175.108.139 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /get/?q=l1Vyukb3K3/7hlhQIKCt/wH6tgTC8P3jFPzcbRe8Ggndb8hKdg8rgml08CzLe7G1DFEXfT+EU9rr79YNoMD5XcKCYJk8zOrmdgrl/PdE2ybvRIVLCpj13H4Abp56g2Z7aLdgLwjX/XFrsklewSOEno1lI8qvBe+hPLsrM4Ibf9Fszl4j7zTaaNuL/N4fMN/9PugGTJt2o8UYKuCbrkH9VmjiREHdy2KC2H1gMGfWsKgiaym+6bizA6MwdCRVh/c/x2VBH4i57LkpXphYVu06f/4rlER27g4ssVGPZDjU9xeuNand4qkyHhs2fG0cjOxk9wOqtSjaM9i1djjjL3ImgGfhljPZgoLVRxjBz6/6JHRC2Oz5s6CJ+3MKPzIXrQYxM+39xZtAxp1oUrk6dVXt/F7Tv3VzKU04kgWgIMS7WSxU+Qc4kdXE8p/q7TxPTigpxxXbO4wxJhy0xKBSIm8OGZSZqsH2k+a7o3k7iG1iw+iQ80hZAUsaIUxU6kSBU/5amoBslS2qSq7ZJyGodec9ID/GktB93vA9rKF8YKefThpeoUJXtnuozxUb0kfcw0L86RO1x1KAJhBltfd8NGSIy084cdef HTTP/1.1
Accept: */*
User-Agent: win32
Host: optpro.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Mon, 26 May 2014 23:21:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.16
0..
GET /t/op?sid=111001356-KE-042&dt=1401157151&gid=6FC446C8-CEB8-68CC-2F52-AE85E6AE868D&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=2975919160 HTTP/1.1
Host: bi.softservers.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Mon, 26 May 2014 23:19:12 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
content-type: text/html
GET /t/ls?sid=171001356-UA-035&dt=1401146364&gid=fafb00f9-c582-4b60-a9d2-0136e3971d53&tz=1401153564&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1
User-Agent: LiveSupport
Host: bi.softservers.net
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Mon, 26 May 2014 23:19:25 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
content-type: text/html
GET /t/ls?sid=171001356-UA-035&dt=1401146365&gid=fafb00f9-c582-4b60-a9d2-0136e3971d53&tz=1401153565&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 HTTP/1.1
User-Agent: LiveSupport
Host: bi.softservers.net
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Mon, 26 May 2014 23:19:25 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
content-type: text/html
GET /171001356/LiveSupport.exe HTTP/1.0
Host: dl.softservers.net
User-Agent: InnoTools_Downloader
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Mon, 26 May 2014 23:19:11 GMT
Content-Type: application/octet-stream
Last-Modified: Tue, 18 Mar 2014 15:25:14 GMT
Connection: close
content-length: 1503528
ETag: "5328655a-16d478"
Content-Disposition: attachment; filename=LiveSupport.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................3.......................2.....................Rich............................PE..L....((S.................(...........g.......@....@.......................... ......(.....@.....................................P.......p...............(............................................q..@............@..P............................text....'.......(.................. ..`.rdata...L...@...N...,..............@..@.data....4...........z..............@....rsrc...p...........................@..@.reloc...'.......(..................@..B........................................................................................................................................................................................................................................................................................................................................................U.........l.A.3..E.V.u.W.}.h..........j.P..;...........Qj.j.j(j...8AA.....j.........#.PWVh.AA.j...<AA.3... ..._^...M.3...;....].U...U....@$R.U.R.U.R..]............AA..:C.......U..V.....AA..$C...E..t.V..:.......^]............U..QV..j..M..:0...F....s.@.F..M..N0..^..].......U..QVW..j..M...0...G...t....s.H.G..w........M.#...0.._..^..].......AA...........U..QW.9..t;j..M.../...G...t....s.H.G.V.w......M...../..#.t.....j.....^_..]......................................U...E....u..y..r....E..U....]....y..r....M.P.
<<< skipped >>>
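The capture above shows an installer-side downloader (User-Agent `InnoTools_Downloader`) fetching `LiveSupport.exe` over plain HTTP/1.0 and getting back an `application/octet-stream` body that starts with `MZ`, while the earlier, empty response carries two conflicting `Content-Type` headers. The following is an added example, not part of the Lavasoft report, of how an analyst might turn such a request/response pair into triage indicators. The sample messages are constructed from the headers shown above (the PE body is a constructed stub, not the real file), and the indicator names and the downloader User-Agent list are this example's own assumptions.

```python
"""Triage of one captured HTTP request/response pair for a cleartext
executable download. Added example, not part of the Lavasoft report; the
indicator names and the downloader User-Agent list are this example's own."""
import re

# Constructed from the InnoTools_Downloader exchange shown in the report. The
# body is a constructed PE header stub, not the real LiveSupport.exe bytes.
SAMPLE_REQUEST = (
    b"GET /171001356/LiveSupport.exe HTTP/1.0\r\n"
    b"Host: dl.softservers.net\r\n"
    b"User-Agent: InnoTools_Downloader\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.4.1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Connection: close\r\n"
    b"content-length: 1503528\r\n"
    b"Content-Disposition: attachment; filename=LiveSupport.exe\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
# The report renders each non-printable byte as '.', so CRLF shows up as '..'.
# This is the first (empty, two Content-Type headers) response from the report.
DOTTED_RESPONSE = (
    "HTTP/1.1 200 OK..Server: nginx/1.4.1..Content-Type: application/octet-stream.."
    "Content-Length: 0..Connection: keep-alive..content-type: text/html.."
)

# User-Agent strings of installer download helpers (example list; extend from
# your own telemetry).
DOWNLOADER_AGENTS = {"innotools_downloader"}


def from_dotted_capture(text):
    """Restore CRLF from the report's dotted rendering (heuristic: a header
    block never contains a literal '..', so every '..' is a line break)."""
    return text.replace("..", "\r\n").encode("latin-1")


def parse_message(raw):
    """Split an HTTP message into (start line, headers, body). Header names
    are lower-cased and map to a list of values, so a repeated header is kept
    rather than silently overwritten."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def triage(request, response):
    """Return the set of indicator names raised by one request/response pair.
    Everything parsed here came off the wire unencrypted, so any hit describes
    a cleartext transfer that an on-path party could observe or alter."""
    req_line, req_hdrs, _ = parse_message(request)
    status_line, resp_hdrs, body = parse_message(response)
    found = set()

    m = re.match(r"(\S+)\s+(\S+)\s+HTTP/(\S+)", req_line)
    if m:
        _method, path, version = m.groups()
        if path.lower().endswith(".exe"):
            found.add("exe_path")
        if version == "1.0":
            found.add("http_1_0")

    ua = " ".join(req_hdrs.get("user-agent", [])).lower()
    if ua in DOWNLOADER_AGENTS:
        found.add("downloader_ua")

    for disp in resp_hdrs.get("content-disposition", []):
        fm = re.search(r'filename="?([^";]+)', disp)
        if fm and fm.group(1).lower().endswith(".exe"):
            found.add("attachment_exe")

    # Two different Content-Type values on one response is a server-side
    # misconfiguration worth noting on its own.
    if len({v.lower() for v in resp_hdrs.get("content-type", [])}) > 1:
        found.add("conflicting_content_type")

    sm = re.match(r"HTTP/\S+\s+(\d{3})", status_line)
    if sm and sm.group(1) == "200" and resp_hdrs.get("content-length") == ["0"]:
        found.add("empty_200")

    # PE files start with the 'MZ' signature regardless of declared type.
    if body[:2] == b"MZ":
        found.add("mz_body")
    return found


if __name__ == "__main__":
    print(sorted(triage(SAMPLE_REQUEST, SAMPLE_RESPONSE)))
    print(sorted(triage(SAMPLE_REQUEST, from_dotted_capture(DOTTED_RESPONSE))))
```

Run against the LiveSupport.exe exchange this raises `exe_path`, `http_1_0`, `downloader_ua`, `attachment_exe` and `mz_body`; against the earlier empty response it raises `conflicting_content_type` and `empty_200` instead. Headers are kept as lists deliberately, because collapsing them into a dict would hide the duplicate `Content-Type`.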
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_968:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
OptProStart.exe_1804:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
!"#$%d
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyworddRA
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys\
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewP
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
UhExE
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword(
EIdOSSLLoadingRootCertErrorlFF
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
TIdTCPClient@dF
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnHeadersAvailable
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions
PortP
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
OnActionExecuteX
%s, ClassID: %s
ole32.dll
\OptimizerPro.exe
WelcomeURL
SupportURL
HomePageURL
BuyNowURL
UninstallURL
AdsDownloadURL
AdsBuyNowURL
BannerURL
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
wininet.dll
6!606@6`6
5!5%5)5-515
> >$>(>,>0>4>8><>@>\>|>
0#0'0 0/03070;0
= >$>(>,>0>4>
3 3$3(3,30343
9%9u9
5 5$5(5,5:5
8"9&9*92989
2 2$2(2,20242
5"5&5*5.52565:5
2"292\2?3
3 3$3(3,3034383<3@3\3|3
9 9$9(9,90949\9|9
5&5*5>5`5
2-2`2
KWindows
UrlMon
0IdHTTPHeaderInfo
IdTCPServer
IdTCPStream
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Icon.Data
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
No help keyword specified.
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
3.0.0.0
LiveSupport.exe_568:
.text
`.rdata
@.data
.rsrc
@.reloc
8%u:j
xSSSh
FTPjKS
FtPj;S
C.PjRV
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
RPCRT4.dll
InternetOpenUrlW
HttpQueryInfoW
WININET.dll
GdiplusShutdown
gdiplus.dll
SHLWAPI.dll
VERSION.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegFlushKey
ADVAPI32.dll
ole32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
GDI32.dll
GetCPInfo
.?AV?$CFlagStateDlg@VCSupportContainerDlg@@@@
.?AV?$CDialogImpl@VCSupportContainerDlg@@VCWindow@ATL@@@ATL@@
.?AVCCmdLineOptions@@
.?AVCHttpHelper@@
.?AVCSupportContainerDlg@@
.?AVIHttpObserver@@
zcÁ
%c:^"
`%c:*
a).Wc@
50!`A.egu
%SDDB
A.eu~
.Ny_>`_
vF%D@D
.bm' O
L:.KeBf
.Hj(^
-.uwl
f%s$o
V.LGm
.Dt!n\
K.eOpmd
RI.lvy
.ZKl/ Z,
\iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" xmpMM:DocumentID="xmp.did:EA5144FCF05511E2B7E798039BD56FBF" xmpMM:InstanceID="xmp.iid:EA5144FBF05511E2B7E798039BD56FBF" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D55BB01090EFE211ACDE8560C64C7E45" stRef:documentID="xmp.did:D55BB01090EFE211ACDE8560C64C7E45" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5" xmpMM:InstanceID="xmp.iid:ABDDC127FAB511E2AF40EC6881A4C2FD" xmpMM:DocumentID="xmp.did:ABDDC128FAB511E2AF40EC6881A4C2FD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ABDDC125FAB511E2AF40EC6881A4C2FD" stRef:documentID="xmp.did:ABDDC126FAB511E2AF40EC6881A4C2FD" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134342, 2010/01/10-18:06:43 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" xmpMM:DocumentID="xmp.did:12D33543FAB411E282A6DA328A34807F" xmpMM:InstanceID="xmp.iid:12D33542FAB411E282A6DA328A34807F" xmp:CreatorTool="Adobe Photoshop CS5"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B65DA3C4FDF9E211A6FF95665BD7D125" stRef:documentID="xmp.did:B65DA3C4FDF9E211A6FF95665BD7D125" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"></compatibility></assembly>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
6f6C6T6b6s6
: :$:(:,:0:4:8:
4 4$4(4,404|:
:(:4:<:\:
2 2<2@2`2
3 3@3\3`3
(0@0`0|0
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
cmdonly
LiveSupport_MainDlg
LiveSupport
Software\Microsoft\Windows\CurrentVersion\Run
unins000.exe
_log.txt
AdsLicenseKey
AdsRunKey
CallbannerUrl
Cmd params:
24x7 Tech Support
Live Support
UrlTerms
UrlPrivacy
UrlAbout
UrlFAQ
Uninstall LiveSupport
New update package is available for LiveSupport.
Support
AdsDownloadUrl
http://www.pcutilitiespro.com/terms-and-conditions.aspx
http://www.pcutilitiespro.com/privacy.aspx
http://www.pcutilitiespro.com/livesupport.aspx
http://www.pcutilitiespro.com/faq.aspx
SoftUpdateUrl
http://updates.livesupport.pcutilitiespro.com
Software\LiveSupport
Display icon on all windows
@_update.exe
/LiveSupport_setup_%ver%.exe
Call us now for instant Technical Support and Assistance for PC issues such as network, printer, software installation and much more
Certified Trained Technicians
LiveSupport-
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
%Program Files%\LiveSupport\LiveSupport.exe
"GENERAL_CALL","24x7 Tech Support",
"MDLG_MAIN_PAGE","< Support","< Startseite"
"MDLG_TSKBAR_TOOLTIP","Click here for instant access to technical support from the %APP_BRAND%","Klicken Sie hier für sofortigen Zugriff auf technischen Support von der %APP_BRAND%"
"SPDLG_TITLE_2","Support","-Support"
"SPDLG_TITLE_3","Your Certified PC Expert","Certified geschulte Techniker"
r den sofortigen technischen Support und Unterst
"SPDLG_TABTITLE","Support","Support"
"SCDLG_NETERROR","Error occurred while downloading %UPSELL_BRAND%. ","Internet Fehler beim Herunterladen% UPSELL_BRAND%."
"FDLG_LINK_UNINSTALL","Uninstall LiveSupport","Deinstallieren Live Support"
<a>Uninstall LiveSupport</a>
1234567
Replace%Select the entire document
Arrange Icons/Arrange windows so they overlap
Cascade Windows5Arrange windows as non-overlapping tiles
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
1.2.8.0
LiveSupport.exe
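The string dumps above mix Delphi/Indy/OpenSSL runtime names, Win32 imports (SetWindowsHookExA, GetKeyboardState, the transacted registry APIs, ShellExecute, InternetOpenUrlW), registry paths including a per-user Run key, and the pcutilitiespro.com URLs. The following is an added example, not part of the Lavasoft report, of a first-pass bucketing of such strings into indicator categories and extraction of hostnames for pivoting. The sample list is a constructed subset of the strings shown above, and the category names, regular expressions and the capability notes are this example's own heuristics, not verdicts about the sample.

```python
"""Bucket strings pulled from a process memory dump into indicator categories.
Added example, not from the Lavasoft report; the category names and patterns
are this example's own triage heuristics, seeded from the strings listed above."""
import re
from collections import defaultdict

# Constructed subset of the OptProStart.exe and LiveSupport.exe dump strings.
SAMPLE_STRINGS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Optimizer Pro_is1",
    "SetWindowsHookExA", "UnhookWindowsHookEx", "GetKeyboardState", "GetKeyState",
    "RegCreateKeyTransactedW", "RegDeleteKeyTransactedW",
    "ShellExecuteA", "ShellExecuteExW", "InternetOpenUrlW", "HttpQueryInfoW",
    "libeay32.dll", "ssleay32.dll", "SSL_get_peer_certificate",
    "Mozilla/3.0 (compatible; Indy Library)",
    "http://updates.livesupport.pcutilitiespro.com",
    "http://www.pcutilitiespro.com/privacy.aspx",
    "127.0.0.1", "0.0.0.1", "password",
    "%Program Files%\\LiveSupport\\LiveSupport.exe", "@_update.exe",
    "/LiveSupport_setup_%ver%.exe",
    "EVariantBadIndexError", "Font.Name", "5!5%5)5-515",   # benign / junk
]

# One compiled pattern per category. Anchored patterns match exported API
# names exactly; unanchored ones look for a registry path or library marker.
RULES = {
    "persistence_run_key":     re.compile(r"CurrentVersion\\Run$", re.I),
    "uninstall_entry":         re.compile(r"CurrentVersion\\Uninstall\\", re.I),
    "keyboard_hook_api":       re.compile(r"^(Set|Unhook)WindowsHookEx[AW]?$|^GetKey(board)?State$"),
    "transacted_registry_api": re.compile(r"^Reg\w+Transacted[AW]$"),
    "process_launch_api":      re.compile(r"^ShellExecute(Ex)?[AW]$"),
    "http_client":             re.compile(r"^(InternetOpenUrl|HttpQueryInfo)[AW]$|Indy Library"),
    "tls_library":             re.compile(r"^(libeay32|ssleay32)\.dll$|^SSL_\w+$", re.I),
    "url":                     re.compile(r"^https?://", re.I),
    "ipv4":                    re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "executable_path":         re.compile(r"\.exe$", re.I),
}


def classify(strings):
    """Map each category to the sorted, de-duplicated strings that hit it.
    A string may land in several categories; uncategorised strings are dropped."""
    hits = defaultdict(set)
    for s in strings:
        for category, pattern in RULES.items():
            if pattern.search(s):
                hits[category].add(s)
    return {category: sorted(values) for category, values in hits.items()}


def hostnames(strings):
    """Pull the host part out of every URL string, for blocklist or pivot work."""
    hosts = set()
    for s in strings:
        m = re.match(r"https?://([^/\s]+)", s, re.I)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def capability_summary(classified):
    """Name the capability combinations worth a closer look. These are
    hypotheses for an analyst, not verdicts: the same APIs back legitimate
    installers and support tools."""
    notes = []
    if "persistence_run_key" in classified:
        notes.append("writes a per-user Run key: survives logoff/logon")
    if "keyboard_hook_api" in classified:
        notes.append("imports keyboard hook/state APIs: can observe keystrokes")
    if "http_client" in classified and "executable_path" in classified:
        notes.append("HTTP client plus .exe paths: can fetch and stage further binaries")
    if "tls_library" in classified:
        notes.append("bundles OpenSSL via Indy: traffic may be encrypted, so lean on host telemetry")
    return notes


if __name__ == "__main__":
    result = classify(SAMPLE_STRINGS)
    for category, values in sorted(result.items()):
        print(category, values)
    print(hostnames(SAMPLE_STRINGS))
    for note in capability_summary(result):
        print("-", note)
```

On the sample the run-key, keyboard-hook, HTTP-client and OpenSSL categories all fire, which is exactly the combination an analyst would want to confirm or rule out with the registry and network behaviour recorded elsewhere in this report; the Delphi exception names and the relocation-table junk fall through unclassified by design.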