Adware.GenericKD.3687544_d62f9772fb

by malwarelabrobot on November 20th, 2016 in Malware Descriptions.

Adware.GenericKD.3687544 (AdAware), GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm, Adware


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: d62f9772fbb0838bb3a9d57af85ebdf7
SHA1: abf0fbaa7112739584f57e9525b2ea2bb74355da
SHA256: 7d59ce7add416b141c259a43d95e7ec55b1c0351dfc3aba103027022dfe78bb0
SSDeep: 98304:O3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzS:Ubeirfa1GZN PhLIZ2
Size: 3655704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-01 11:22:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Adware creates the following process(es):

DriverPro.exe:2848
%original file name%.exe:2472
drvprosetup.tmp:2600
DPStartScan.exe:2700
drvprosetup.exe:3768

The Adware injects its code into the following process(es):

DriverPro.exe:3976
DPTray.exe:1804

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process DriverPro.exe:2848 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\program.log (127 bytes)
%Program Files%\Driver Pro\sqlite3.dll (524 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DriverPro.madExcept (0 bytes)

The process DriverPro.exe:3976 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers32.db (1848677 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Devices.ini (34 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\program.log (1012 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\PCInfo.ini (151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\current_7_32_zxw.7z (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Scan.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers32.db-journal (1090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers.db (2721 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DriverPro.madExcept (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\current_7_32_zxw.7z (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers32.db-journal (0 bytes)

The process %original file name%.exe:2472 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (4288 bytes)
C:\$Directory (96 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (5000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\drvprosetup.exe (395085 bytes)

The process drvprosetup.tmp:2600 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\Driver Pro\is-SD69O.tmp (56 bytes)
%Program Files%\Driver Pro\is-DF84H.tmp (54 bytes)
%Program Files%\Driver Pro\is-AINVJ.tmp (8281 bytes)
%Program Files%\Driver Pro\is-EGG83.tmp (23811 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\Driver Pro\is-G2N3S.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\DrvProHelper.dll (8330 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\cfg.exe (65 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Driver Pro.lnk (984 bytes)
%Program Files%\Driver Pro\is-71E3E.tmp (31745 bytes)
%Program Files%\Driver Pro\unins000.msg (646 bytes)
%Program Files%\Driver Pro\is-GA554.tmp (5873 bytes)
%Program Files%\Driver Pro\unins000.dat (12949 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Driver Pro.lnk (1 bytes)
%Program Files%\Driver Pro\is-TE8DJ.tmp (12 bytes)
%Program Files%\Driver Pro\is-68VBQ.tmp (547 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Help.lnk (1 bytes)
%Program Files%\Driver Pro\is-DDQ2K.tmp (3073 bytes)
%Program Files%\Driver Pro\DPTray.exe (831 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\is-HBDQG.tmp (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\is-RLDHK.tmp (4 bytes)
%Program Files%\Driver Pro\DPStartScan.exe (839 bytes)
%Program Files%\Driver Pro\is-TN7QN.tmp (26 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (997 bytes)
%Program Files%\Driver Pro\DriverPro.exe (291 bytes)
%Program Files%\Driver Pro\is-PVF8N.tmp (6841 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\DrvProHelper.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\cfg.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\_isetup (0 bytes)

The process drvprosetup.exe:3768 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O46C2.tmp\drvprosetup.tmp (50 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O46C2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O46C2.tmp\drvprosetup.tmp (0 bytes)

Registry activity

The process DriverPro.exe:3976 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Driver Pro]
"s_Enable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Driver Pro]
"UpdateWindowShown" = "0"
"LastUpdate" = "2C 7F 83 DC AA D8 E4 40"
"s_SmartExec" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Driver Pro]
"InstallStat" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Driver Pro]
"ShowAlertMessages" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Driver Pro]
"s_SmartMode" = "0"
"ShowUpdateWindow" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Driver Pro]
"TotalDrivers" = "80"
"ProxyPassword" = ""

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Driver Pro]
"s_Time" = "2C 7F 83 DC AA D8 E4 40"
"LastScan" = "69 3E 4A DE AA D8 E4 40"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Driver Pro]
"DownloadPath" = "C:\Users\"%CurrentUserName%"\Documents\Driver Pro\Drivers\"
"TrayNotification" = "1"
"ShowRebootMessage" = "1"
"UseProxy" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Driver Pro]
"ForceUpdate" = "0"
"OutdatedDrivers" = "2"
"nDownloads" = "3"
"LastDatabaseCheck" = "2C 7F 83 DC AA D8 E4 40"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Driver Pro]
"s_SmartDate" = "2C 7F 83 DC 8A D8 E4 40"
"DatabaseDate" = "2C 7F 83 DC AA D8 E4 40"
"ShowSRPMessage" = "1"
"ScanExecuted" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Driver Pro]
"s_SmartScan" = "1"
"StartWithWindows" = "0"
"s_Mode" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\DriverPro_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Driver Pro]
"AppStart" = "1"
"InstallationDate" = "11-19-2016"
"QuerryDate" = "E8 73 51 DE AA D8 E4 40"
"ProxyPort" = ""
"ProxyAddress" = ""
"ProxyLogin" = ""
"BackupPath" = "C:\Users\"%CurrentUserName%"\Documents\Driver Pro\Backup\"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2472 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Driver Pro]
"setupname" = "c:\%original file name%.exe眀T"

The process drvprosetup.tmp:2600 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash" = "C3 18 60 4C 83 1A BE 2A C9 E6 7F D3 94 E5 F4 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\Driver Pro\DriverPro.chm, %Program Files%\Driver Pro\DrvProHelper.dll, %Program Files%\Driver Pro\DriverPro.exe, %Program Files%\Driver Pro\DPTray.exe, %Program Files%\Driver Pro\DPStartScan.exe, %Program Files%\Driver Pro\sqlite3.dll, %Program Files%\Driver Pro\7z.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"Inno Setup: Deselected Tasks" = ""
"URLUpdateInfo" = "http://www.pcutilitiespro.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"DisplayVersion" = "3.2.0.2"
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Driver Pro]
"Ir" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Icon Group" = "Driver Pro"
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "DC 9B DA AA 59 1E 1F 1F 2C 72 DE C6 13 8F 31 F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"QuietUninstallString" = "%Program Files%\Driver Pro\unins000.exe /SILENT"
"MajorVersion" = "3"
"UninstallString" = "%Program Files%\Driver Pro\unins000.exe"
"DisplayName" = "Driver Pro v3.2.0.2"
"Inno Setup: App Path" = "%Program Files%\Driver Pro"
"DisplayIcon" = "%Program Files%\Driver Pro\DriverPro.exe"

[HKCU\Software\Driver Pro]
"BuyNowURL" = "http://pcup197.pcutilitiespro.revenuewire.net/driverpro/xsell?121001322-US-003_853B4A7D-6581-6B28-0449-F1EB8E626DE5"
"Querry" = "http://bi.secure-download.net/t/dp?sid=121001322-US-003&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1472282701"
"SessionID" = "7EB5B28C-D25F-4131-9ECC9DA69BA8D717"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"InstallLocation" = "%Program Files%\Driver Pro\"

[HKCU\Software\Driver Pro]
"CBM" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"URLInfoAbout" = "http://www.pcutilitiespro.com"

[HKCU\Software\Driver Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"HelpLink" = "http://www.pcutilitiespro.com"
"InstallDate" = "20161119"
"Publisher" = "PC Utilities Software Limited"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "28 0A 00 00 0D 79 DA 57 2B 42 D2 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"NoModify" = "1"

[HKCU\Software\Driver Pro]
"setupname" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\cfg.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"MinorVersion" = "2"
"EstimatedSize" = "8975"

To run itself automatically each time Windows boots, the Adware adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"

The Adware deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash"
"Owner"

[HKCU\Software\Driver Pro]
"Querry"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000"

The process DPTray.exe:1804 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Driver Pro]
"s_Enable" = "0"
"s_Exec" = "0"
"s_SmartMode" = "0"
"s_SmartScan" = "1"
"s_SmartDate" = "50 4F 95 DB 8A D8 E4 40"
"TrayNotification" = "1"
"StartWithWindows" = "0"
"s_Mode" = "0"

The process DPStartScan.exe:2700 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Driver Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Driver Pro]
"MachineGuid" = "853B4A7D-6581-6B28-0449-F1EB8E626DE5"
"UninstallURL" = "https://safecart.com/pcutilitiespro/.dp-xsell-special/purchase?sid=121001322-US-003"
"DelayedStart" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKCU\Software\Driver Pro]
"UseAds" = "0"
"OS" = "106"
"BuyNowURL" = "http://pcup197.pcutilitiespro.revenuewire.net/driverpro/xsell?121001322-US-003_853B4A7D-6581-6B28-0449-F1EB8E626DE5"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Driver Pro]
"Querry" = "http://bi.secure-download.net/t/dp?sid=121001322-US-003&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1472282701"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Driver Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Driver Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Driver Pro]
"InstallDate" = "8F 73 AF DB AA D8 E4 40"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Driver Pro]
"QuerryDate" = "E9 74 BD DB AA D8 E4 40"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\DPStartScan_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
04ad4b80880b32c94be8d0886482c774 c:\Program Files\Driver Pro\7z.dll
fe31b439855c9bc8af54bc83b61e3d4e c:\Program Files\Driver Pro\DPStartScan.exe
01f6a32f6b28d37b3155325a83d96410 c:\Program Files\Driver Pro\DPTray.exe
ec1edf352b54ab579353bf043c2014ee c:\Program Files\Driver Pro\DriverPro.exe
dfd23a69f1a7f5385eafafde8f5582f4 c:\Program Files\Driver Pro\DrvProHelper.dll
0f66e8e2340569fb17e774dac2010e31 c:\Program Files\Driver Pro\sqlite3.dll
91c38c395631d57254356e90b9a6e554 c:\Program Files\Driver Pro\unins000.exe
3107c28da15cc8db52ecaeb41e92fa27 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\drvprosetup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: PC Utilities Software Limited
Product Name: Driver Pro v3.2
Product Version: 3.2.0.2
Legal Copyright: PC Utilities Software Limited
Legal Trademarks:
Original Filename: Driver Pro
Internal Name: Driver Pro
File Version: 3.2.0.2
File Description: Keep your PC drivers up to date
Comments:
Language: English

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 83149 83456 4.55483 153c25a894558c86b486e20495de16f9
.rdata 90112 20754 20992 3.39534 8ea5d734322df60fcdfe41193e6c3d59
.data 114688 13444 5632 2.15756 2cef89c59f35f4fcafe95749186c0933
.rsrc 131072 3522340 3522560 5.44986 4fb8f31a4c2c45c1f8b028908219e86a
.reloc 3653632 16224 16384 1.86676 55998d3b6241dc40b18743b0cdd28cca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 10

URLs

URL IP
hxxp://idriverpro.com/inst?hid=58cea4c2cdd9129ef839585540a264dcc2c9c697&sid=7EB5B28C-D25F-4131-9ECC9DA69BA8D717&tr=121001322-US-003&a=NA&adm=1&os=6.1&x64=0&sil=1&st=201611012&xtr=&xsid=&chid=&brid=&lpid=&ref=&e=200 104.28.21.75
hxxp://idriverpro.com/inst?sid=7EB5B28C-D25F-4131-9ECC9DA69BA8D717&st=0&e=210 104.28.21.75
hxxp://idriverpro.com/inst?sid=7EB5B28C-D25F-4131-9ECC9DA69BA8D717&st=0&du=6194&e=400 104.28.21.75
hxxp://bi.secure-download.net/t/dp?sid=121001322-US-003&dt=1479542917&gid=853B4A7D-6581-6B28-0449-F1EB8E626DE5&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=106&f=1472282701 107.6.170.117
hxxp://service.smartpcupdate.com/rpc/sendinstall?partner=PCUtilitiesPro&build=3.2 176.9.2.105
hxxp://service.smartpcupdate.com/rpc/getdatabasezxw?arch=32&os=7 176.9.2.105
hxxp://d2.smartpcupdate.com/dbs/current_7_32_zxw.7z 173.192.91.180


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Adware connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    DriverPro.exe:2848
    %original file name%.exe:2472
    drvprosetup.tmp:2600
    DPStartScan.exe:2700
    drvprosetup.exe:3768

  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\program.log (127 bytes)
    %Program Files%\Driver Pro\sqlite3.dll (524 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers32.db (1848677 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Devices.ini (34 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\PCInfo.ini (151 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\current_7_32_zxw.7z (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Scan.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers32.db-journal (1090 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\Drivers.db (2721 bytes)
    C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (4288 bytes)
    C:\$Directory (96 bytes)
    C:\Users\"%CurrentUserName%"\NTUSER.DAT (5000 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\drvprosetup.exe (395085 bytes)
    %Program Files%\Driver Pro\is-SD69O.tmp (56 bytes)
    %Program Files%\Driver Pro\is-DF84H.tmp (54 bytes)
    %Program Files%\Driver Pro\is-AINVJ.tmp (8281 bytes)
    %Program Files%\Driver Pro\is-EGG83.tmp (23811 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files%\Driver Pro\is-G2N3S.tmp (5873 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\DrvProHelper.dll (8330 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HTDF8.tmp\cfg.exe (65 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\Driver Pro.lnk (984 bytes)
    %Program Files%\Driver Pro\is-71E3E.tmp (31745 bytes)
    %Program Files%\Driver Pro\unins000.msg (646 bytes)
    %Program Files%\Driver Pro\is-GA554.tmp (5873 bytes)
    %Program Files%\Driver Pro\unins000.dat (12949 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Driver Pro.lnk (1 bytes)
    %Program Files%\Driver Pro\is-TE8DJ.tmp (12 bytes)
    %Program Files%\Driver Pro\is-68VBQ.tmp (547 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Help.lnk (1 bytes)
    %Program Files%\Driver Pro\is-DDQ2K.tmp (3073 bytes)
    %Program Files%\Driver Pro\DPTray.exe (831 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\is-HBDQG.tmp (61 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Driver Pro\is-RLDHK.tmp (4 bytes)
    %Program Files%\Driver Pro\DPStartScan.exe (839 bytes)
    %Program Files%\Driver Pro\is-TN7QN.tmp (26 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (997 bytes)
    %Program Files%\Driver Pro\DriverPro.exe (291 bytes)
    %Program Files%\Driver Pro\is-PVF8N.tmp (6841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O46C2.tmp\drvprosetup.tmp (50 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
