Susp_Dropper_f0b730bcab

by malwarelabrobot on July 9th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f0b730bcab8ac5d233689926129fd3b2
SHA1: 6628c54732d326c4339e418b8af2899459258b76
SHA256: a5a6319cc41053dbc3f434f44b6f4bec95593d97a2457f0b950e839ccef0d971
SSDeep: 196608:DYlty6y5IJc SS2bd9 iU3o3 7aWjpdO7kvB2U:EL0W6a2bd9Y38SXjdvI
Size: 7712800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphiv60v70_v2, UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141
Company: no certificate found
Created at: 2014-06-03 11:50:32
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

optprosetup.exe:1944
optprosetup.tmp:912
LiveSupport.exe:852
rundll32.exe:664
rundll32.exe:1004
LiveSupport_setup.exe:920
regsvr32.exe:1724
regsvr32.exe:1728
%original file name%.exe:1852
LiveSupport_setup.tmp:208

The Malware injects its code into the following process(es):

LiveSupport.exe:228
OptProStart.exe:1556

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process optprosetup.exe:1944 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (7386 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp (0 bytes)

The process optprosetup.tmp:912 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files%\Optimizer Pro\is-2OOOE.tmp (48 bytes)
%Program Files%\Optimizer Pro\is-7J528.tmp (54 bytes)
%Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
%Program Files%\Optimizer Pro\is-S4A06.tmp (673 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
%Program Files%\Optimizer Pro\is-484KR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (673 bytes)
%Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
%Program Files%\Optimizer Pro\is-OH0KU.tmp (1425 bytes)
%Program Files%\Optimizer Pro\is-K0UL9.tmp (32054 bytes)
%Program Files%\Optimizer Pro\is-SBJOQ.tmp (3073 bytes)
%Program Files%\Optimizer Pro\is-J8QF8.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (22575 bytes)
%Program Files%\Optimizer Pro\is-OE54R.tmp (7433 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
%Program Files%\Optimizer Pro\is-PJNJ0.tmp (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Optimizer Pro\is-F9MM2.tmp (56 bytes)
%Program Files%\Optimizer Pro\is-V7ELF.tmp (7547 bytes)
%Program Files%\Optimizer Pro\is-5A7TN.tmp (4545 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (1281 bytes)
%Program Files%\Optimizer Pro\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro\is-JNCLJ.tmp (712 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
%Program Files%\Optimizer Pro\is-ITH3L.tmp (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (11493 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp (4 bytes)
%Program Files%\Optimizer Pro\is-T3840.tmp (601 bytes)
%Program Files%\Optimizer Pro\is-QNK15.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro\is-N2MUL.tmp (1281 bytes)
%Program Files%\Optimizer Pro\is-CBGOF.tmp (2321 bytes)
%Program Files%\Optimizer Pro\is-U8M6Q.tmp (185630 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (0 bytes)

The process LiveSupport.exe:852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)

The process LiveSupport.exe:228 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_version[1].htm (5 bytes)
%Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)

The process LiveSupport_setup.exe:920 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (7386 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (0 bytes)

The process regsvr32.exe:1728 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)

The process %original file name%.exe:1852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (47888 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (0 bytes)

The process LiveSupport_setup.tmp:208 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files%\LiveSupport\unins000.msg (646 bytes)
%Program Files%\LiveSupport\is-L33UU.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\LiveSupport\unins000.dat (8096 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
%Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
%Program Files%\LiveSupport\is-5D7HH.tmp (7385 bytes)
%Program Files%\LiveSupport\is-6RER9.tmp (34256 bytes)
%Program Files%\LiveSupport\is-674E2.tmp (673 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup (0 bytes)

Registry activity

The process optprosetup.exe:1944 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 E2 F6 24 E6 2C 98 16 22 94 9B 1A B4 FD 79 61"

The process optprosetup.tmp:912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svpath" = "c:\Program Files\Optimizer Pro\OptProCrash.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_205c0720\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2032275112"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2e22d94e" = "///%"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro]
"OptProStart.exe" = "Optimizer Pro Launcher"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"appid.0" = "Vx7srrvik9DjScdefARCH5Df0oEV5y8d8/jl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"dlpath" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.0" = "lUoSMF8OBeItzIABCDEuChwgLJcqcKZp7XwAEzyXy7nqevDsJOhU3QCZLzRcJ2x8AiITRevKYQkqrF59yIu5 UH1xq8nMrXlhxfcnPbcfC"
"data.1" = "nVTk0RFpFONytwysur1W61bIGLCJPfVZU7MeW71I1WeFK7oCZ6QVvcmZQ/PUbhSCTryVrTgRjj5Kzv637H9RIAjYo8V83WdWByCrGlJgvpfqN14emR5UVYcznzlUxhxVR"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"uuid" = "2032275112"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1404761959"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\optimi~1\optpro~2.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"InstallDate" = "20140707"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.0" = "vjIceecdefABCDWYSU"
"usr.1" = "BPN02vxztvqomjlhab"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B CF AB 15 75 09 17 07 7D 7B 2E 8B B0 75 1C 66"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"State" = "0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7f69fa1f" = "///%"
"0e93c3f3" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-2HTP7.tmp]
"LiveSupport.exe" = "LiveSupport Installer"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svt" = "1404751394"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_205c0720\eae10f9d]
"340d3099" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\Optimizer Pro]
"culValue" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"340d3099" = "/P////%%"
"0dc3ee96" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"usr.1" = "BPN02vxztvqomjlhab"
"usr.0" = "vjIceecdefABCDWYSU"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"DisplayName" = "Optimizer Pro v3.2"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"Mode" = "4026531840"
"Version" = "22022053"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"27ddcf6f" = "///%"
"d1abcdb6" = "///%"
"0c230bcb" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"date" = "1404761959"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svn" = "Optimizer Pro Crash Monitor"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svi" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"svx" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"LRTS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"
"DisplayIcon" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"data.1" = "nVTk0RFpFONytwysur1W61bIGLCJPfVZU7MeW71I1WeFK7oCZ6QVvcmZQ/PUbhSCTryVrTgRjj5Kzv637H9RIAjYo8V83WdWByCrGlJgvpfqN14emR5UVYcznzlUxhxVR"
"data.0" = "lUoSMF8OBeItzIABCDEuChwgLJcqcKZp7XwAEzyXy7nqevDsJOhU3QCZLzRcJ2x8AiITRevKYQkqrF59yIu5 UH1xq8nMrXlhxfcnPbcfC"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"65114b36" = "VP/ ////"
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"ca82e1a5" = "%Program Files%\Optimizer Pro\OptProCrash.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]
"UninstallString" = "%Program Files%\Optimizer Pro\unins000.exe"
"InstallLocation" = "%Program Files%\Optimizer Pro\"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport.exe:852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 E0 78 D1 9D 89 A0 EF 75 7F 26 71 7B 4A 35 B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LiveSupport_setup.exe" = "LiveSupport Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process LiveSupport.exe:228 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\LiveSupport]
"SoftUpdateUrl" = "http://updates.livesupport.pcutilitiespro.com"
"ShowTitleBarBtn" = "1"
"Assistant" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"BtnCallPressed" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\LiveSupport]
"AppStart" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\LiveSupport]
"OS" = "102"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\LiveSupport]
"SoftUpdateDate" = "0"
"RunOnOSRun" = "1"
"QueryDate" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\LiveSupport]
"SHOWTRAY" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\LiveSupport]
"FixHoverIconToTray" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 C5 3D C9 22 0C C2 3C E5 69 00 67 9B 5B D8 16"

[HKCU\Software\LiveSupport]
"InstallDate" = "1404751405"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\LiveSupport]
"MachineGuid" = "8cc0ffbe-adc7-48f5-a8c5-a4e91704d732"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:664 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"fe94ce1e" = "V/////%%"
"e46c271e" = "///%"
"2e22d94e" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"7367429f" = "///%"
"340d3099" = "/P////%%"
"1520c6f1" = "V/////%%"
"3c09c42b" = "///%"
"2d71d5ab" = "V/////%%"
"a2e3b941" = "///%"
"c6c5dd44" = "V/////%%"
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"c99a5f5c" = "///%"
"c5705860" = "Vx////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d1abcdb6" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"a0743acc" = "N/////%%"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"414bc593" = "///%"
"7f69fa1f" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"587b5709" = "V/////%%"
"48bd1aff" = "VP/l/C//N//l////"
"0c230bcb" = "///%"
"0e93c3f3" = "///%"
"72758a5d" = "///%"
"a1dcff5b" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CD/NP/ /Cb////%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 1D 27 08 9A D9 81 3B 61 BA D8 34 4F AE 63 51"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"8b9e4cbc" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"
"493c7345" = ""

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\eae10f9d]
"f0bf0bde" = "///%"
"65114b36" = "VP/ ////"
"c24899a6" = "MP/f/CF/MP/3/CZ////%"
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"27ddcf6f" = "///%"
"bbf88800" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_ca82e1a5\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

The process rundll32.exe:1004 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 79 4A EC A6 EF 1A CF C9 A3 63 64 B9 CE 0D D5"

The process OptProStart.exe:1556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://www.safeshopgate.com/r?s=111001356-GB-042&g=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Optimizer Pro]
"UseAds" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Optimizer Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001356-GB-042"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"DelayedStart" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

"Querry" = "http://bi.softservers.net/t/op?sid=111001356-GB-042&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=2856268330"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001356&g=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 FB 6D 2F DC 28 7F 1B 2A 02 0F A6 0E EB 94 CF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"InstallDate" = "5B 87 A4 4B 7A 6C E4 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.softservers.net"
"OS" = "102"
"MachineGuid" = "A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LiveSupport_setup.exe:920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 69 60 08 F5 CF EF 78 1C 7B E5 4E 60 18 08 47"

The process regsvr32.exe:1724 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 59 9E A6 02 2C 12 1A 6C 37 21 E2 2A 27 1D F4"

The process regsvr32.exe:1728 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 32 8D 67 55 14 D9 B3 6B C8 B8 8C 3C BC 96 F9"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}]
"(Default)" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{EBFCF40E-A87B-463F-A782-55BDD4160B5E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll"

The process %original file name%.exe:1852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 DC 05 C9 F8 FA 6D 9B CF 1B 1D 16 70 75 61 72"

[HKCU\Software\Optimizer Pro]
"setupname" = "c:\%original file name%.exe"

The process LiveSupport_setup.tmp:208 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Language" = "en"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"MajorVersion" = "1"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl1" = "http://dl.softservers.net/121001356/DriverPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayVersion" = "1.2.8.0"

[HKCU\Software\LiveSupport]
"SupportURL" = "http://support.pcutilitiespro.com"
"AdsLandingPageLink2" = "http://www.pcutilitiespro.com/optimizerpro.php"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\LiveSupport]
"AdsLandingPageLink1" = "http://www.pcutilitiespro.com/driverpro.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\LiveSupport]
"AdsDescription1" = "Driver Updater"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\LiveSupport]
"AdsDescription2" = "System Performance Optimizer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\LiveSupport]
"LiveSupport.exe" = "LiveSupport"

[HKCU\Software\LiveSupport]
"DelayedStart" = "0"
"homepageurl" = "http://www.pcutilitiespro.com/livesupport.php"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayName" = "LiveSupport"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"QuietUninstallString" = "%Program Files%\LiveSupport\unins000.exe /SILENT"
"Inno Setup: App Path" = "%Program Files%\LiveSupport"
"MinorVersion" = "2"

[HKCU\Software\LiveSupport]
"CallbannerUrl" = "http://ls.callbanner.pcutilitiespro.com/?sid=171001356"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\LiveSupport]
"Query" = "http://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=%dt%&gid=%gid%&tz=%tz%&ln=%ln%&os=%os%&bis=%bis%&bipc=%bipc%&lc1=%lc1%&lc2=%lc2%&lc3=%lc3%&f=2182739400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"DisplayIcon" = "%Program Files%\LiveSupport\LiveSupport.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsDownloadUrl2" = "http://dl.softservers.net/191001356/OptmizerPro.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Deselected Tasks" = ""

[HKCU\Software\LiveSupport]
"PhoneNumber" = " 1-855-544-6024"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\LiveSupport]
"AdsCheckName2" = "Optimizer Pro"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 73 AE 32 23 74 81 72 8B E4 D4 18 76 D9 87 CC"

[HKCU\Software\LiveSupport]
"UninstallURL" = "http://www.pcutilitiespro.com/uninstall-livesupport.php?sid=171001356-CA-035"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\LiveSupport]
"AdsCheckName1" = "Driver Pro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"InstallLocation" = "%Program Files%\LiveSupport\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: Icon Group" = "LiveSupport"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"UninstallString" = "%Program Files%\LiveSupport\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
"Publisher" = "PC Utilities Software Limited"

[HKCU\Software\LiveSupport]
"AdsLicenseKey2" = "LicenseDate"
"AdsLicenseKey1" = "User"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveSupport_is1]
"NoRepair" = "1"
"InstallDate" = "20140707"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5 File path
d2d6341a87cc3995abe80f505b6e112a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LiveSupport_setup.exe
87217247d99dd350a595399fb11b349a c:\Program Files\LiveSupport\LiveSupport.exe
a6127535670da8d8d0d338faf81112ec c:\Program Files\LiveSupport\LiveSupport_deskband_x32.dll
69c715189c3106946c5dc13bb563450a c:\Program Files\LiveSupport\LiveSupport_deskband_x64.dll
7c1fbcbbe0d2998719bbd6b73783bca5 c:\Program Files\LiveSupport\unins000.exe
9601309d3723fded3e836adb76f3875d c:\Program Files\Optimizer Pro\OptProCrash.dll
eefcfd57a4102195b9ac80b8d50a5f3f c:\Program Files\Optimizer Pro\OptProGuard.exe
73159250df28025dc4b7b20e6f6eb1e0 c:\Program Files\Optimizer Pro\OptProHelper.dll
175ca727b241f0538ac3f0be3d8c84a3 c:\Program Files\Optimizer Pro\OptProLauncher.exe
5000d42a3391fee44247878bb56515bd c:\Program Files\Optimizer Pro\OptProReminder.exe
7bf8547d995d75dc2e6c5daaeffdfe6e c:\Program Files\Optimizer Pro\OptProSchedule.exe
0e1398d9f38c7bf1ef5451cfc947ae56 c:\Program Files\Optimizer Pro\OptProSmartScan.exe
d3a8d68c2be395890bdbf00d108a5f61 c:\Program Files\Optimizer Pro\OptProStart.exe
910f229c039716dce3b7cca9525c83b3 c:\Program Files\Optimizer Pro\OptProUninstaller.exe
6feded4372041d43132f81b8d37ed4db c:\Program Files\Optimizer Pro\OptimizerPro.exe
d82a429efd885ca0f324dd92afb6b7b8 c:\Program Files\Optimizer Pro\itdownload.dll
0f66e8e2340569fb17e774dac2010e31 c:\Program Files\Optimizer Pro\sqlite3.dll
580fe2de2134cca7e854b5bb9f747166 c:\Program Files\Optimizer Pro\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 881040 881152 4.48236 31d1aff03f08ea465eab45db25c6337c
.itext 888832 2940 3072 4.25316 eaabfd280dbbf29b8547397600dc5ea0
.data 892928 14964 15360 3.63951 e7301e7e1334603f81823155ad7e91c9
.bss 909312 20528 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 933888 4530 4608 3.39002 dc54b0a1dbf85f50eb541da666e881e9
.didata 942080 464 512 2.16145 aa1bd1278a403125fffce2bf2717d356
.tls 946176 20 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 950272 24 512 0.146134 71fb01babd7aa03894831e303e70de3e
.reloc 954368 81236 81408 4.64935 c746ccff3d2c7880880b55749e4b4581
.rsrc 1036288 6718464 6718464 5.54042 53e1cde66875ad422ec560581a65a6f4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 17
78a08c3ec31ee72b259f07fc78807c89
3470380835d58a4c09b3248c2d922e6b
f85024be997b292762e57404f3e09013
57e4942e3f0f3c5a62471243c32261a1
2781c9afbb1aa8071627d508871f96c5
ed36ffa44669dde49df9ddb79b361c9b
1f3e614cc1c87c3792cf0644a13bf38c
263cf51ab452e7234ebaf90bda9649aa
64a746396eaa5409f851eda4e7560105
ff2a7c301d5d7f009b3c4ff2d4f2bd0b
75b4fa22bda4f8a3bd630eb7d66a069f
50c059403794fe5aa558fd68d6db919e
a14edf05e31a758d01c27ad6e2eb7f4b
4f592014898754c1d14e8ecc37746fdb
ba12b6b6fde9c7d7a340e06eb190a290
4d4a456cb5b7e77f36464804b1d8f8ac
46dfb75fed396aa32bf90db26a78d2cd

URLs

URL IP
hxxp://212.58.246.93/
hxxp://207.244.66.33/get/?q=CG7P2bk1PFkXs3zCDWarE1rWMzu6FUw+nJQuoE+SR2cSRRIQq5v00MQuwqEJbRReLrJhxyLT1wSkLire8Fez+ZDhlP4fTq4K5XXTLrUgkwRdDF1NWJHCIKloNvlOCo/QXHgqreJe2LmBuY1jVdktGoW47KxaSaDQ3HnowHqVEFEaf+iKOhWaHg0rPCVsZsIiljMKA+AjCx5pzoHmJE6AQYXgF5BJLPrAWmUDjFvcqNBrNd5UtQZQOP02epoy1r1JoL2V1A9qHTouf1fIEy7P6ef9ctsOZ92EvN6c19aKFZQvEKNaBawU8Mhev3CjN+8WQK0wcsge31mzMDAWMMXXZdeqDnW6kW/j8VwLtiDr72Skbhxfsf/L5q4aRcGn3YR+8BuiBCSCsHwEQCLMUzbBiCMeKkI4/Eue4lYL/u8WeoaoKposdXdAfkWv5S1GvSDE/knUyaIjdFAGgzckJKr8bqK/NXLo/ekGQo0HML2xwy+PmZDS4vC3zkaYUOp2vIApN5gMdxykBIdvC0u1lra1r79MFviFPZtB2tG6QHS5Z8AClr+uH310+N1y6A9mIOF1x+SMoOUG16f+0DZFLa5JbKde
hxxp://207.244.66.33/install/
hxxp://dl.softservers.net/171001356/LiveSupport.exe 198.20.70.75
hxxp://bi.softservers.net/t/op?sid=111001356-GB-042&dt=1404762198&gid=A6C904D0-69C8-A5DF-4DCC-0A9231B6A39B&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=2856268330 198.20.86.29
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1404751405&gid=8cc0ffbe-adc7-48f5-a8c5-a4e91704d732&tz=1404758605&ln=1&os=102&bis=0&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 198.20.86.29
hxxp://bi.softservers.net/t/ls?sid=171001356-CA-035&dt=1404751406&gid=8cc0ffbe-adc7-48f5-a8c5-a4e91704d732&tz=1404758606&ln=1&os=102&bis=1&bipc=0&lc1=0&lc2=0&lc3=0&f=2182739400 198.20.86.29
hxxp://ls.callbanner.pcutilitiespro.com/?sid=171001356 198.143.146.75
hxxp://ls.callbanner.pcutilitiespro.com/get_version/ 198.143.146.75
hxxp://updates.livesupport.pcutilitiespro.com/get_version/ 69.175.108.139
hxxp://optpro.info/get/?q=CG7P2bk1PFkXs3zCDWarE1rWMzu6FUw+nJQuoE+SR2cSRRIQq5v00MQuwqEJbRReLrJhxyLT1wSkLire8Fez+ZDhlP4fTq4K5XXTLrUgkwRdDF1NWJHCIKloNvlOCo/QXHgqreJe2LmBuY1jVdktGoW47KxaSaDQ3HnowHqVEFEaf+iKOhWaHg0rPCVsZsIiljMKA+AjCx5pzoHmJE6AQYXgF5BJLPrAWmUDjFvcqNBrNd5UtQZQOP02epoy1r1JoL2V1A9qHTouf1fIEy7P6ef9ctsOZ92EvN6c19aKFZQvEKNaBawU8Mhev3CjN+8WQK0wcsge31mzMDAWMMXXZdeqDnW6kW/j8VwLtiDr72Skbhxfsf/L5q4aRcGn3YR+8BuiBCSCsHwEQCLMUzbBiCMeKkI4/Eue4lYL/u8WeoaoKposdXdAfkWv5S1GvSDE/knUyaIjdFAGgzckJKr8bqK/NXLo/ekGQo0HML2xwy+PmZDS4vC3zkaYUOp2vIApN5gMdxykBIdvC0u1lra1r79MFviFPZtB2tG6QHS5Z8AClr+uH310+N1y6A9mIOF1x+SMoOUG16f+0DZFLa5JbKde
hxxp://www.bbc.com/


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET USER_AGENTS Suspicious Win32 User Agent
ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon
ET DROP Dshield Block Listed Source group 1
ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

Web Traffic was not found.

The Malware connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    optprosetup.exe:1944
    optprosetup.tmp:912
    LiveSupport.exe:852
    rundll32.exe:664
    rundll32.exe:1004
    LiveSupport_setup.exe:920
    regsvr32.exe:1724
    regsvr32.exe:1728
    %original file name%.exe:1852
    LiveSupport_setup.tmp:208

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\is-RQ2TP.tmp\optprosetup.tmp (7386 bytes)
    %Program Files%\Optimizer Pro\is-2OOOE.tmp (48 bytes)
    %Program Files%\Optimizer Pro\is-7J528.tmp (54 bytes)
    %Program Files%\Optimizer Pro\unins000.dat (15301 bytes)
    %Program Files%\Optimizer Pro\is-S4A06.tmp (673 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (729 bytes)
    %Program Files%\Optimizer Pro\is-484KR.tmp (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\optpro2.bmp (673 bytes)
    %Program Files%\Optimizer Pro\OptProCrash.dll (195505 bytes)
    %Program Files%\Optimizer Pro\is-OH0KU.tmp (1425 bytes)
    %Program Files%\Optimizer Pro\is-K0UL9.tmp (32054 bytes)
    %Program Files%\Optimizer Pro\is-SBJOQ.tmp (3073 bytes)
    %Program Files%\Optimizer Pro\is-J8QF8.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\OptProCrash.dll (22575 bytes)
    %Program Files%\Optimizer Pro\is-OE54R.tmp (7433 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (749 bytes)
    %Program Files%\Optimizer Pro\is-PJNJ0.tmp (898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Program Files%\Optimizer Pro\is-F9MM2.tmp (56 bytes)
    %Program Files%\Optimizer Pro\is-V7ELF.tmp (7547 bytes)
    %Program Files%\Optimizer Pro\is-5A7TN.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\itdownload.dll (1281 bytes)
    %Program Files%\Optimizer Pro\unins000.msg (646 bytes)
    %Program Files%\Optimizer Pro\is-JNCLJ.tmp (712 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (777 bytes)
    %Program Files%\Optimizer Pro\is-ITH3L.tmp (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\LiveSupport.exe (11493 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (729 bytes)
    %Program Files%\Optimizer Pro\is-T3840.tmp (601 bytes)
    %Program Files%\Optimizer Pro\is-QNK15.tmp (3073 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (749 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-2HTP7.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\Optimizer Pro\is-N2MUL.tmp (1281 bytes)
    %Program Files%\Optimizer Pro\is-CBGOF.tmp (2321 bytes)
    %Program Files%\Optimizer Pro\is-U8M6Q.tmp (185630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LiveSupport_setup.exe (134522 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_version[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Application Data\LiveSupport.exe_log.txt (1221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GMDFV.tmp\LiveSupport_setup.tmp (7386 bytes)
    %Documents and Settings%\%current user%\Application Data\regsvr32.exe_log.txt (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98FEA671-CA18-4FFC-B57F-5ED480FEB1EA}\optprosetup.exe (47888 bytes)
    %Program Files%\LiveSupport\unins000.msg (646 bytes)
    %Program Files%\LiveSupport\is-L33UU.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-BRJSF.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\LiveSupport\unins000.dat (8096 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\LiveSupport.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (751 bytes)
    %Documents and Settings%\%current user%\Desktop\LiveSupport.lnk (1 bytes)
    %Program Files%\LiveSupport\is-5D7HH.tmp (7385 bytes)
    %Program Files%\LiveSupport\is-6RER9.tmp (34256 bytes)
    %Program Files%\LiveSupport\is-674E2.tmp (673 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro" = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "LiveSupport" = "%Program Files%\LiveSupport\LiveSupport.exe /noshow /log"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.