Backdoor.Win32.PcClient_585bec0a92

by malwarelabrobot on November 27th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.kgwg (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 585bec0a922f9a40c097411d622d0c4b
SHA1: afd1581e80249ac4b1e5fa5cf7cb853bab0d7a5a
SHA256: ce6eaa1410b2688d99531d6b35dcb425634098009f739ee627cb4ef6d97dc901
SSDeep: 1536:HNgjYCnXsALqoP/k0PnW/LC2npj4wa6SY2CeV:H2dTqoP/BPngLC2np4wa6SZT
Size: 61880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Applications Install
Created at: 2014-07-27 00:58:31
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Backdoor creates the following process(es):

OptimizerPro.exe:952
optprosetup.exe:228
optprosetup.tmp:872
%original file name%.exe:1808
rundll32.exe:572
rundll32.exe:392
OptProStart.exe:1368

The Backdoor injects its code into the following process(es):

OptimizerPro.exe:2020

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process OptimizerPro.exe:952 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (772918 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (3912 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3140 bytes)

The process OptimizerPro.exe:2020 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\Optimizer Pro\CookiesException.txt (68 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OptimizerPro.madExcept (0 bytes)

The process optprosetup.exe:228 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-AASM2.tmp\optprosetup.tmp (7386 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-AASM2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AASM2.tmp\optprosetup.tmp (0 bytes)

The process optprosetup.tmp:872 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\Optimizer Pro 3.11\is-TR6E8.tmp (673 bytes)
%Program Files%\Optimizer Pro 3.11\is-E3484.tmp (6841 bytes)
%Program Files%\Optimizer Pro 3.11\unins000.msg (646 bytes)
%Program Files%\Optimizer Pro 3.11\is-3SLA7.tmp (56 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProHelper.dll (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Optimizer Pro 3.11\is-TO9VA.tmp (54 bytes)
%Program Files%\Optimizer Pro 3.11\is-QVLMI.tmp (65 bytes)
%Program Files%\Optimizer Pro 3.11\is-TPSS7.tmp (1281 bytes)
%Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (774 bytes)
%Program Files%\Optimizer Pro 3.11\is-BDSVP.tmp (601 bytes)
%Program Files%\Optimizer Pro 3.11\is-LLJ0P.tmp (712 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (786 bytes)
%Program Files%\Optimizer Pro 3.11\is-RR476.tmp (25426 bytes)
%Program Files%\Optimizer Pro 3.11\is-43TRA.tmp (898 bytes)
%Program Files%\Optimizer Pro 3.11\is-L971N.tmp (22 bytes)
%Program Files%\Optimizer Pro 3.11\is-J1K23.tmp (7971 bytes)
%Program Files%\Optimizer Pro 3.11\is-HI554.tmp (4545 bytes)
%Program Files%\Optimizer Pro 3.11\is-SNNIV.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProCrash.dll (22430 bytes)
%Program Files%\Optimizer Pro 3.11\is-D6QOP.tmp (48 bytes)
%Program Files%\Optimizer Pro 3.11\is-2FL25.tmp (3073 bytes)
%Program Files%\Optimizer Pro 3.11\is-4N3QU.tmp (20 bytes)
%Program Files%\Optimizer Pro 3.11\is-J8HPO.tmp (2321 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (766 bytes)
%Program Files%\Optimizer Pro 3.11\is-NNTPB.tmp (2321 bytes)
%Program Files%\Optimizer Pro 3.11\OptProCrash.dll (194716 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (786 bytes)
%Program Files%\Optimizer Pro 3.11\is-J9RQN.tmp (6841 bytes)
%Program Files%\Optimizer Pro 3.11\is-FA4RE.tmp (32054 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (814 bytes)
%Program Files%\Optimizer Pro 3.11\unins000.dat (20665 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProCrash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProHelper.dll (0 bytes)

The process %original file name%.exe:1808 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2301MF\OptimizerPro[1].exe (390352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DJ0YBMZ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WPR\OptimizerPro.exe (390352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\26KWB2BR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2301MF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (1852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AZEFELSH\desktop.ini (67 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\inetc.dll (0 bytes)

Registry activity

The process OptimizerPro.exe:952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 94 4A 49 7F A2 28 F1 C8 EC E1 BD 93 42 0E 8A"

[HKCU\Software\Optimizer Pro]
"setupname" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WPR\OptimizerPro.exe"

The process OptimizerPro.exe:2020 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Optimizer Pro]
"SpeedGuard" = "0"
"ShowRebootMessage" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Optimizer Pro]
"Stat1a" = "185"
"s_Enable" = "0"
"UndoDir" = "%Documents and Settings%\%current user%\Application Data\Optimizer Pro\Undo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Optimizer Pro]
"LastScanChecked" = "1101010"
"AppStart" = "1"
"Reminder" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Optimizer Pro]
"RunDate" = "11 50 CD A5 33 7E E4 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Optimizer Pro]
"s_Time" = "DE 7D 2C A0 33 7E E4 40"
"LOGDIR" = "%Documents and Settings%\%current user%\Application Data\Optimizer Pro\Log"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"QuerryDate" = "70 8F CC A5 33 7E E4 40"
"Version" = "3.2"
"LastVersionChecking" = "DE 7D 2C A0 33 7E E4 40"
"ItemsToFix" = "185"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Optimizer Pro]
"ItemsCleaned" = "0"
"UpgradeID" = "BZDV_PCSM_ML_PCUP_OPTIMIZERPRO_RED"
"ProblemsFixed" = "0"
"UseExceptionList" = "1"
"LastScanFound" = "237"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 95 A5 8C 80 1A 5F 96 CE 8F C8 51 F4 C2 1B 3C"

[HKCU\Software\Optimizer Pro]
"DisplayName" = "Optimizer Pro"
"s_SmartScan" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Optimizer Pro]
"ResidualFilesCleaned" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Optimizer Pro]
"ItemsToScan" = "1111111111"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Optimizer Pro]
"s_SmartMode" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Optimizer Pro]
"InstallStat" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"ItemsToClean" = "52"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"s_SmartExec" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process optprosetup.exe:228 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 A7 15 52 57 D3 DE 35 C3 A6 70 49 5C B2 8E A1"

The process optprosetup.tmp:872 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"QuietUninstallString" = "%Program Files%\Optimizer Pro 3.11\unins000.exe /SILENT"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"c61b66f6" = "%Program Files%\Optimizer Pro 3.11\OptProCrash.dll"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: Setup Version" = "5.5.3 (u)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"usr.1" = "Y0y8/vxztvqomjlhab"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"0e93c3f3" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"date" = "1416998472"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"URLUpdateInfo" = "http://www.pcutilitiespro.com"
"InstallDate" = "20141126"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"2e22d94e" = "///%"
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"7f69fa1f" = "///%"

[HKCU\Software\Optimizer Pro]
"Ir" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c24899a6" = "Vx/g/C//M/////%%"

[HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
"n" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"DisplayIcon" = "%Program Files%\Optimizer Pro 3.11\OptProLauncher.exe"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"0c230bcb" = "///%"
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"UninstallString" = "%Program Files%\Optimizer Pro 3.11\unins000.exe"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c99a5f5c" = "///%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"48bd1aff" = "VP/l/C//N//l////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"dlpath" = "c:\progra~1\optimi~1.11\optpro~2.dll"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro 3.11]
"OptProStart.exe" = "Optimizer Pro Launcher"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f0bf0bde" = "///%"
"340d3099" = "/P////%%"
"0c230bcb" = "///%"
"a1dcff5b" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"usr.0" = "pwlOIySUMOQIKEG xz"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"LRTS" = "0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"2e22d94e" = "///%"

"7f69fa1f" = "///%"
"a0743acc" = "N/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: Icon Group" = "Optimizer Pro v3.2"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"e46c271e" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"a2e3b941" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Optimizer Pro]
"Language" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"uuid" = "754687653"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"DisplayName" = "Optimizer Pro v3.2"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_268bbfe0\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c5705860" = "Vx////%%"
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: App Path" = "%Program Files%\Optimizer Pro 3.11"
"HelpLink" = "http://www.pcutilitiespro.com"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: Language" = "en"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 0C C6 7F 4A 5F BD D4 8C 41 2D F5 F5 36 80 44"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"svi" = "0"
"svn" = "Optimizer Pro Crash Monitor"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\Optimizer Pro]
"SessionID" = "BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"svx" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"svt" = "1417005781"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"InstallLocation" = "%Program Files%\Optimizer Pro 3.11\"
"Publisher" = "PC Utilities Software Limited"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"e46c271e" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"414bc593" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"65114b36" = "VP/ ////"

[HKCU\Software\Optimizer Pro]
"cufValue" = "CUF=0"
"culValue" = ""

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CZ/V//l/Cx////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: Selected Tasks" = "desktopicon"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"NoRepair" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"URLInfoAbout" = "http://www.pcutilitiespro.com"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"MinorVersion" = "2"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"MajorVersion" = "3"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"data.0" = "VR6yul3WbQjSkiCDWY RUre89aBRmyHfgMJws0TcNS 19/E230elFqs5vgN0OI6/CNDmO8RrL8 DcG 8M97K3m144YdsIUees1sLhYKExh"
"data.1" = "KWMhbgeAQjUfFqcdefSEosAhAOVEaDR6ZBtvUA4WxUhgli2YlIbfI5ksRsitq53eoEV8AyOKAwWVHGqC2 QlIpxeTaaURmroj12ojLKpAxYyXvD3gdbkmFry1bcd"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c24899a6" = "Vx/g/C//M/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"DisplayVersion" = "3.2.0.3"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"Version" = "22022104"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"svpath" = "c:\Program Files\Optimizer Pro 3.11\OptProCrash.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"iiid" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"appid.0" = "8/iVPRFsM2mGqomjlh/3 AMK/nGGGfKV 5vhADB1vo"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"a1dcff5b" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"usr.1" = "Y0y8/vxztvqomjlhab"
"usr.0" = "pwlOIySUMOQIKEG xz"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"65114b36" = "VP/ ////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"date" = "1416998472"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_268bbfe0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"1520c6f1" = "V/////%%"
"2d71d5ab" = "V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"data.1" = "KWMhbgeAQjUfFqcdefSEosAhAOVEaDR6ZBtvUA4WxUhgli2YlIbfI5ksRsitq53eoEV8AyOKAwWVHGqC2 QlIpxeTaaURmroj12ojLKpAxYyXvD3gdbkmFry1bcd"
"data.0" = "VR6yul3WbQjSkiCDWY RUre89aBRmyHfgMJws0TcNS 19/E230elFqs5vgN0OI6/CNDmO8RrL8 DcG 8M97K3m144YdsIUees1sLhYKExh"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"72758a5d" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"c6c5dd44" = "V/////%%"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f6ad6fa6" = "VP/l/C//V/////%%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"uuid" = "754687653"
"iiid" = "1"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CZ/V//l/Cx////%"
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"493c7345" = ""

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro v3.2_is1]
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"414bc593" = "///%"

[HKCU\Software\Optimizer Pro]
"CBM" = "1"

[HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro" = "%Program Files%\Optimizer Pro 3.11\OptProLauncher.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1808 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B BC 13 7F BE D6 1A 55 B8 D2 EA 66 39 45 69 7E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 00 8F 67 B0 70 51 3E F6 B4 40 37 58 41 AA 08"

The process rundll32.exe:392 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"c6c5dd44" = "V/////%%"
"a2e3b941" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"72758a5d" = "///%"
"c99a5f5c" = "///%"
"3c09c42b" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"65114b36" = "VP/ ////"
"2e22d94e" = "///%"
"d94388d2" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"fe94ce1e" = "V/////%%"
"e46c271e" = "///%"
"8b9e4cbc" = "V/////%%"
"51d2f2ea" = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CZ/V//l/Cx////%"
"48bd1aff" = "VP/l/C//N//l////"
"414bc593" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"
"c24899a6" = "Vx/g/C//M/////%%"
"060df2cd" = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"
"2d71d5ab" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"493c7345" = ""

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"d1abcdb6" = "///%"
"a0743acc" = "N/////%%"
"bbf88800" = "///%"
"f6ad6fa6" = "VP/l/C//V/////%%"
"0dc3ee96" = "/P////%%"
"a1dcff5b" = "V/////%%"
"6185d035" = "VP/h/CP/V//l////"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 36 2D 0A 06 EC B9 17 09 93 46 8F 9C 43 D6 C9"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"0e93c3f3" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06I0px1O02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1T0700i01P06I0ox1S07b0i01e06U0n01U0780nU0S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0ox1S06q0nU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1T0700i01U0780nU1M06t0nx1T07q0qx1Y02I0qU1T06O0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06h0nl1A06E0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1T0700i01D06O0ox1K06t0ml1P06I0ox1S07b0i01e06U0n00S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"340d3099" = "/P////%%"
"c5705860" = "Vx////%%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"3efeb33e" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"27ddcf6f" = "///%"
"f0bf0bde" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\00000000]
"370856c7" = "nU1U07x0m01M06E0ql1M06E0iU1N06t0ml0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl1D06I0pU0S06h0nl1A06E0, nU1U07x0m01M06E0ix1O06h0n01D07x0jx0S06h0nl1A06E0, nU1U07x0m01M06E0mU1P0780pl0S06h0nl1A06E0"

[HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_c61b66f6\eae10f9d]
"587b5709" = "V/////%%"
"7367429f" = "///%"
"0c230bcb" = "///%"
"7f69fa1f" = "///%"

The process OptProStart.exe:1368 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Optimizer Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"BuyNowURL" = "http://gen.securedshopgate.com/?t=01&tid=111001409-UA-002_2243A96D-99C2-911D-F3E3-039903414C5C&a=pcup224"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Optimizer Pro]
"UseAds" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"ShowEUA" = "1"
"AdsDownloadURL" = "http://dl.repairlabshost.com/121001409/DriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Optimizer Pro]
"AppStart" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Optimizer Pro]
"UninstallURL" = "https://safecart.com/pcutilitiespro/.op-special/purchase?sid=111001409-UA-002"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Optimizer Pro]
"DelayedStart" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Optimizer Pro]
"WelcomeURL" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Optimizer Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"

"ScanAtStartup" = "0"
"Querry" = "http://bi.softservers.net/t/op?sid=111001409-UA-002&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=3786401416"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Optimizer Pro]
"AdsBuyNowURL" = "http://www.safeshopgate.com/r?s=121001409&g=2243A96D-99C2-911D-F3E3-039903414C5C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 5E 36 8C 38 CB 26 45 81 35 33 64 3F 74 6E 9C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Optimizer Pro]
"InstallDate" = "A8 18 E7 9F 33 7E E4 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Optimizer Pro 3.11]
"OptimizerPro.exe" = "Optimizer Pro"

[HKCU\Software\Optimizer Pro]
"AdsHost" = "dl.repairlabshost.com"
"OS" = "102"
"MachineGuid" = "2243A96D-99C2-911D-F3E3-039903414C5C"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
c55a8a5aab9b056186c0e32501d0c093 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WPR\OptimizerPro.exe
4b263e4a93008a93ee1bd0f264b98e88 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\optprosetup.exe
c55a8a5aab9b056186c0e32501d0c093 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SL2301MF\OptimizerPro[1].exe
a3532f3309674efb07ea99df440cea83 c:\Program Files\Optimizer Pro 3.11\OptProCrash.dll
991b7f488b00c6a4040746bf34775c0b c:\Program Files\Optimizer Pro 3.11\OptProGuard.exe
7c6026a5be76339d7c2ef893c84e5ff7 c:\Program Files\Optimizer Pro 3.11\OptProHelper.dll
9572d87543d27e62207cd920909b4d8a c:\Program Files\Optimizer Pro 3.11\OptProLauncher.exe
096742cad1a92b56502f1a33582f57e9 c:\Program Files\Optimizer Pro 3.11\OptProReminder.exe
7cd111f73418d88e9d9183f208d416c1 c:\Program Files\Optimizer Pro 3.11\OptProSchedule.exe
c0050c3af7819b8fa8f9728dcec18f4f c:\Program Files\Optimizer Pro 3.11\OptProSmartScan.exe
656b28a223a919bf79c20fed2cef7e61 c:\Program Files\Optimizer Pro 3.11\OptProStart.exe
2458c502ca55c217ba140c7cb23bed72 c:\Program Files\Optimizer Pro 3.11\OptProUninstaller.exe
1f692aba28e934452e9be1aef15b78e1 c:\Program Files\Optimizer Pro 3.11\OptimizerPro.exe
d82a429efd885ca0f324dd92afb6b7b8 c:\Program Files\Optimizer Pro 3.11\itdownload.dll
0f66e8e2340569fb17e774dac2010e31 c:\Program Files\Optimizer Pro 3.11\sqlite3.dll
5b331c4da719767ba4081efbad1a4123 c:\Program Files\Optimizer Pro 3.11\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 26526 26624 4.49045 71f6ed20ad21579b10cb8828a7bb6a5c
.rdata 32768 6438 6656 3.3982 31f148bd55194b44b534fe4099cbde16
.data 40960 419324 512 0.980766 4c7fd8b37c8cd61d9ada11edc15bc3b8
.ndata 462848 671744 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 1134592 2552 2560 3.15805 919daff55b34fe53f8fecd66f9920434
.reloc 1138688 3728 4096 3.64592 ae49ddda368777327b9185985bc1093b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://optimizepro.biz/inst?hid=28cf1818c556ef78138876c88b33270aa8f8a0af&sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&tr=111001409-UA-002&a=NA&adm=1&os=5.1&x64=0&sil=1&st=20141120&e=200 104.28.31.14
hxxp://optimizepro.biz/inst?sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&st=0&e=210 104.28.31.14
hxxp://optpro.info/install/ 212.7.199.97
hxxp://www-bbc-com.bbc.net.uk/
hxxp://optpro.info/get/?q=8hbWSZDJlPUAHZDqomKa7ah18WML1O2FqMMX2tQvahfDkyTDxjBCdf7dUyTN+Chwp1avcuvasLhT24w30LyqtarPCSmQirhTInx5jM/YWvH0Ec0YTF7WToQOlg+xOKt/wCwIucfo/iW+bPHXkjUqh3fqYSoyfnK+3kCGlZBIz+kVO4T6HAx3MIlHypeS3xdp+EPxgB6Gcl0Ekg4fYR6dz2+9/jeMGKPlNACJmnJLwbitwM5kuYo7fweckCES2im4snsQICYcwQYQDV5xRSaIMeOtkhw9tPUU9fDLC3/j1LAdDhYNwCy67K9PHBue65zeb39KHWkYgBLzYVC9r0xdOncjwJ03G9mMwRRVcwPkuTVVuJN6BwiqeNbY386w/S2fSyVT6IJoHosWNltjqPiCLvO86i2mYBE1vrj9w0TVH/c3oSMyBSzy7RulG9242Mm18jMJVbuNV6p4mVF6VNllCFM+vX4gopAzMcG2MzcFV/RthxACDDM649XC4ENC+hHI6Df2OigPsO5mCbhF94x1G+CQqybJbg6ZLrozWjFCOXAcoAppp7tdfPArG0m7sNGV8ueLO73GPjXAOiJRIBfWOYmj 212.7.199.97
hxxp://bi.softservers.net/t/op?sid=111001409-UA-002&dt=1417012987&gid=2243A96D-99C2-911D-F3E3-039903414C5C&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=3786401416 198.20.86.29
hxxp://optimizepro.biz/inst?sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&st=0&du=9687&e=400 104.28.31.14
hxxp://www.bbc.com/ 212.58.244.66


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon
ET USER_AGENTS Suspicious Win32 User Agent
ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon

Traffic

GET /t/op?sid=111001409-UA-002&dt=1417012987&gid=2243A96D-99C2-911D-F3E3-039903414C5C&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=3786401416 HTTP/1.1
Host: bi.softservers.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 26 Nov 2014 12:41:18 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
content-type: text/html



HEAD / HTTP/1.1
Host: VVV.bbc.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)


HTTP/1.1 200 OK
Server: Apache
X-Cache-Action: MISS
Vary: X-CDN
Cache-Control: private, max-age=60
X-Cache-Age: 0
Content-Type: text/html
Date: Wed, 26 Nov 2014 12:41:12 GMT
Expires: Wed, 26 Nov 2014 12:42:12 GMT
Content-Language: en
Etag: "7541a097dcdd0c86b33920405112a3c2"
X-LB-NoCache: true
X-PAL-Host: pal114.telhc.bbc.co.uk:80
Connection: close
Set-Cookie: BBC-UID=c5047775cc8a665819165fa3e1f0cb79ada3468c3494e10efae144449cb4492c0Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1); expires=Sun, 25-Nov-18 12:41:12 GMT; path=/; domain=.bbc.com
Content-Length: 121869



GET /get/?q=8hbWSZDJlPUAHZDqomKa7ah18WML1O2FqMMX2tQvahfDkyTDxjBCdf7dUyTN+Chwp1avcuvasLhT24w30LyqtarPCSmQirhTInx5jM/YWvH0Ec0YTF7WToQOlg+xOKt/wCwIucfo/iW+bPHXkjUqh3fqYSoyfnK+3kCGlZBIz+kVO4T6HAx3MIlHypeS3xdp+EPxgB6Gcl0Ekg4fYR6dz2+9/jeMGKPlNACJmnJLwbitwM5kuYo7fweckCES2im4snsQICYcwQYQDV5xRSaIMeOtkhw9tPUU9fDLC3/j1LAdDhYNwCy67K9PHBue65zeb39KHWkYgBLzYVC9r0xdOncjwJ03G9mMwRRVcwPkuTVVuJN6BwiqeNbY386w/S2fSyVT6IJoHosWNltjqPiCLvO86i2mYBE1vrj9w0TVH/c3oSMyBSzy7RulG9242Mm18jMJVbuNV6p4mVF6VNllCFM+vX4gopAzMcG2MzcFV/RthxACDDM649XC4ENC+hHI6Df2OigPsO5mCbhF94x1G+CQqybJbg6ZLrozWjFCOXAcoAppp7tdfPArG0m7sNGV8ueLO73GPjXAOiJRIBfWOYmj HTTP/1.1
Accept: */*
User-Agent: win32
Host: optpro.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 26 Nov 2014 12:41:16 GMT
Content-Length: 0
Connection: close



GET /inst?hid=28cf1818c556ef78138876c88b33270aa8f8a0af&sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&tr=111001409-UA-002&a=NA&adm=1&os=5.1&x64=0&sil=1&st=20141120&e=200 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: optimizepro.biz
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 26 Nov 2014 12:41:09 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=ddbaa39b5013dfdc284159e97b536ac6e1417005669; expires=Thu, 26-Nov-15 12:41:09 GMT; path=/; domain=.optimizepro.biz; HttpOnly
Server: cloudflare-nginx
CF-RAY: 18f6289894ff0af0-WAW
HTTP/1.1 200 OK..Date: Wed, 26 Nov 2014 12:41:09 GMT..Content-Type: te
xt/plain..Content-Length: 0..Connection: keep-alive..Set-Cookie: __cfd
uid=ddbaa39b5013dfdc284159e97b536ac6e1417005669; expires=Thu, 26-Nov-1
5 12:41:09 GMT; path=/; domain=.optimizepro.biz; HttpOnly..Server: clo
udflare-nginx..CF-RAY: 18f6289894ff0af0-WAW......


GET /inst?sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&st=0&e=210 HTTP/1.1


Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: optimizepro.biz
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 26 Nov 2014 12:41:10 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=ddbaa39b5013dfdc284159e97b536ac6e1417005669; expires=Thu, 26-Nov-15 12:41:09 GMT; path=/; domain=.optimizepro.biz; HttpOnly
Server: cloudflare-nginx
CF-RAY: 18f6289c85360af0-WAW
HTTP/1.1 200 OK..Date: Wed, 26 Nov 2014 12:41:10 GMT..Content-Type: te
xt/plain..Content-Length: 0..Connection: keep-alive..Set-Cookie: __cfd
uid=ddbaa39b5013dfdc284159e97b536ac6e1417005669; expires=Thu, 26-Nov-1
5 12:41:09 GMT; path=/; domain=.optimizepro.biz; HttpOnly..Server: clo
udflare-nginx..CF-RAY: 18f6289c85360af0-WAW......


GET /inst?sid=BA95AFAC-BE29-4A4D-8B-6B-DF-87-D9-03-26-65&st=0&du=9687&e=400 HTTP/1.1


Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: optimizepro.biz
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 26 Nov 2014 12:41:18 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=d60b51a5bdf17a4818dbc218fe5f495981417005678; expires=Thu, 26-Nov-15 12:41:18 GMT; path=/; domain=.optimizepro.biz; HttpOnly
Server: cloudflare-nginx
CF-RAY: 18f628d1f8ad0af0-WAW
HTTP/1.1 200 OK..Date: Wed, 26 Nov 2014 12:41:18 GMT..Content-Type: te
xt/plain..Content-Length: 0..Connection: keep-alive..Set-Cookie: __cfd
uid=d60b51a5bdf17a4818dbc218fe5f495981417005678; expires=Thu, 26-Nov-1
5 12:41:18 GMT; path=/; domain=.optimizepro.biz; HttpOnly..Server: clo
udflare-nginx..CF-RAY: 18f628d1f8ad0af0-WAW..







The Backdoor connects to the servers at the folowing location(s):







rundll32.exe_392:




.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

OptimizerPro.exe_2020:




.idata
.edata
P.tls
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
HKEY
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
;!199{199
;0!8&2{199
"<;=!!%{199
Windows 95
Windows 95 OSR-2
Windows 98
Windows 98 SE
Windows ME
Windows 9x New
Windows NT 3
Windows NT 4
Windows 2000
Windows XP
Windows 2003
Windows Vista
Windows 2008
Windows 7
Windows 2008 R2
Windows 8
Windows Server 8
Windows NT New
user.exe
TMsgHandlers
madToolsMsgHandlerWindow
user32.dll
>0';0974&0{199
cmovÌ
setÌ
pop %seg
push %seg
Uh.GA
msvcrt.dll
Uh.wA
VVV.madshi.net
dbghelp.dll
comctl32.dll
4.0.10
ntdll.dll
advapi32.dll
The import table is invalid.
shell32.dll
WindowsLogo
ReportLeaks
UploadViaHttp
HttpServer
HttpSsl
HttpPort
HttpAccount
HttpPassword
BugTrPassword
MailAsSmtpServer
MailAsSmtpClient
SmtpServer
SmtpSsl
SmtpTls
SmtpPort
SmtpAccount
SmtpPassword
bugreport.mbr
screenshot.png
ExceptMsg
FrozenMsg
BitFaultMsg
send bug report
save bug report
print bug report
show bug report
%appname%, %exceptMsg%
bug report
please find the bug report attached
Sending bug report...
PrepAttMsg
MxLookMsg
ConnMsg
SendMailMsg
FieldMsg
SendAttMsg
SendFinalMsg
SendFailMsg
Sorry, sending the bug report didn't work.
TDABugReportCallback
TDABugReportCallbackOO
ShellExecuteExW
madExceptIde_.bpl
wininet.dll
VVV.google.com
SMTP:
mapi32.dll
IpHlpApi.dll
A.ROOT-SERVERS.NET
K.ROOT-SERVERS.NET
VVV.madshi.net_multipart_boundary
TSmtpU
LOGIN
AUTH LOGIN
security.dll
secur32.dll
TWinHttp
winhttp.dll
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpSetOption
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryAuthSchemes
WinHttpSetCredentials
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCloseHandle
/api.xml
<url>
password
?cmd=
/xmlrpc.cgi
Bugzilla.version
Product.get_enterable_products
Product.get
Bug.fields
Bugzilla_login
Bugzilla_password
Bug.create
Bug.add_attachment
/api/soap/mantisconnect.php
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="hXXp://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><ns1:
</username><password xsi:type="xsd:string">
</password>
*.txt
TSendBugReportExRec
wtsapi32.dll
idapi32.dll
kernelbase.dll
madExcept32.dll
c:\sources\madshi\madExcept32.dll
ReportLeaksNow
GetLeakReport
ShowLeakReport
madExcept32.dll has the wrong version.
coreide70.bpl
ReportFault
FaultRep.dll
internal error. please notify [email protected]
@System@@StartExe$qqrp23System@PackageInfoTablep17System@TLibModule
HardWareKey
setupapi.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
Uh.xH
USER32.DLL
uxtheme.dll
PasswordChar
OnKeyDown4RJ
OnKeyPress
OnKeyUp
ssHorizontal
Proportional
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword`}G
crSQLWait
%s (%s)
imm32.dll
OnExecute
HelpKeyword|}G
AutoHotkeys
AutoHotkeys(
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
Password
IdHTTPHeaderInfo
ProxyPasswordl
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMinl
ClientPortMax
PortH
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Passwordl
Port
0.0.0.1
TIdTCPConnection
TIdTCPConnectionl
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile VF
CertFile VF
KeyFiled
OnGetPassword
EIdOSSLLoadingRootCertError0
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnHeadersAvailable
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
1.2.3
Portable Network Graphics
%s, ClassID: %s
ole32.dll
TNT Internal Error: TWideComponentHelper.Create should never be encountered.
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntClasses.pas
!"#$%&*;<=>@[]^_`{|}
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntControls.pas
Internal Error: SubClassUnicodeControl.Control is not Unicode.
.UnicodeClass
TntUnicodeVcl.DestroyWindow
MAPI32.DLL
vsReport
OnKeyUp`UJ
TComboBoxExEnumerator
Uh.XQ
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntActnList.pas
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntStdCtrls.pas
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntForms.pas
D:\SmartPC\Components\Delphi Unicode Controls\Source\TntMenus.pas
Internal Error: SyncHotKeyPosition Failed ("%s" <> "%s").
driverpro.exe
Driver Pro\DriverPro.exe
hXXp://VVV.pcutilitiespro.com
UninstallURL
AdsDownloadURL
HomePageURL
SupportURL
BuyNowURL
AdsBuyNowURL
%Program Files% (x86)\Mozilla Firefox\firefox.exe
%Program Files%\Mozilla Firefox\firefox.exe
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
PathToExe
%Program Files% (x86)\Google\Chrome\Application\chrome.exe
%Program Files%\Google\Chrome\Application\chrome.exe
C:\Users\
\AppData\Local\Google\Chrome\Application\chrome.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
%Program Files% (x86)\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
Software\Opera Software
\opera.exe
\launcher.exe
%Program Files% (x86)\Opera\Opera.exe
%Program Files%\Opera\Opera.exe
%Program Files% (x86)\Opera\launcher.exe
%Program Files%\Opera\launcher.exe
BrowserExe
%Program Files% (x86)\Safari\Safari.exe
%Program Files%\Safari\Safari.exe
http\shell\open\command
Launcher.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SrClient.dll
1111111111
s_SmartExec
English.ini
French.ini
German.ini
Spanish.ini
Italian.ini
Portuguese.ini
Danish.ini
Dutch.ini
Swedish.ini
Polish.ini
Russian.ini
Brazilian.ini
Finnish.ini
Norwegian.ini
Turkish.ini
Czech.ini
Japanese.ini
Chinese.ini
Arabic.ini
\$RECYCLE.BIN\
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla\Firefox\
profiles.ini
\cookies.sqlite
\formhistory.sqlite
Google\Chrome\User Data\Default\Cache\
Content.IE5\
regedit.exe
%SYSTEMROOT%\
%Program Files%\
%Program Files% (x86)\
%COMMONPROGRAMFILES%\
%Program Files%\Common Files\
%COMMONPROGRAMFILES(X86)%\
%Program Files% (x86)\Common Files\
%COMMONPROGRAMW6432%\
%USERPROFILE%\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
\tmp.reg" "
\tmp.reg
WNNC_NET_FTP_NFS
olepro32.dll
\\.\vwin32
shlwapi.dll
Mpr.dll
Uh|%S
D:\SmartPC\Components\EasyListview\Common Library\Source\MPShellUtilities.pas
To show a Context Menu using TNamespace you must pass a valid Owner TWinControl
THKeyArray
TCommonShellExecuteThreadU
D:\SmartPC\Components\EasyListview\Common Library\Source\MPThreadManager.pas
TCommonKeyState
cksShift
TCommonKeyStates
D:\SmartPC\Components\EasyListview\Common Library\Source\MPCommonUtilities.pas
gdi32.dll
Userenv.dll
ShellExecuteW
GetWindowsDirectoryW
RegOpenKeyW
RegOpenKeyExW
SHFileOperationW
D:\SmartPC\Components\EasyListview\Source\EasyListviewAccessible.pas
TEasyAccessibleManager.Create not a TCustomEasyListview type
TEasyGroupAccessibleManager.Create not a TEasyGroup type
TEasyItemAccessibleManager.Create not a TEasyItem type
TEasyColumnAccessibleManager.Create not a TEasyColumn type
TEasyHeaderAccessibleManager.Create not a TEasyHeader type
elsReport
elsReportThumb
TAutoGroupGetKeyEvent
TColumnGetImageIndexEvent
TColumnSetImageIndexEvent
KeyState
KeyStates
TGroupGetImageIndexEvent
TGroupSetImageIndexEvent
HintWindowShown
TItemGetGroupKeyEvent
GroupKey
TItemGetImageIndexEvent
TItemSetGroupKeyEvent
TItemSetImageIndexEvent
MouseMsg
TEasyKeyActionEvent
EscapeKeyPressed
TEasyViewReportItem`>U
TEasyViewReportItem
TEasyViewReportThumbItem
TEasyGridReportGroup
TEasyGridReportThumbGroup
TEasyCellSizeReport
TEasyCellSizeReportTeU
TEasyCellSizeReportThumb
TEasyCellSizeReportThumbtfU
ReportThumb\aU
Report
AlwaysShow
OnAutoGroupGetKey
OnItemGetGroupKey
OnItemSetGroupKey
OnKeyAction
D:\SmartPC\Components\EasyListview\Source\EasyListview.pas
Can not find TEasyGroups.AdjacentItem of an Invisible Item
Uh.uX
EasyListview.Header
TChangesShortForm
An updated version of %s is now available
FormKeyDown
\chrome.exe
\Internet Explorer\iexplore.exe
hXXp://softupdates.smartpcupdate.com/data/update-versions-%s.txt?upgrade_id=%s
\SOFTWARE\Microsoft\Windows\CurrentVersion\Settings\Optimizer Pro
&user_major_version=%s&upgrade_id=%s&user_version=%s
hXXp://softupdates.smartpcupdate.com/scripts/get_link_%s.php?license_key=%s&purchase_date=%s
You are already using the latest version of %s
OnActionExecutep\K
windows-1251
sqlite3.dll
sqlite3_bind_parameter_count
sqlite3_bind_parameter_name
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_close
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_bytes16
sqlite3_column_count
sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_text
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_decltype
sqlite3_column_decltype16
sqlite3_column_name
sqlite3_column_name16
sqlite3_complete
sqlite3_complete16
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_data_count
sqlite3_errcode
sqlite3_errmsg
sqlite3_errmsg16
sqlite3_exec
sqlite3_finalize
sqlite3_free
sqlite3_get_table
sqlite3_free_table
sqlite3_interrupt
sqlite3_last_insert_rowid
sqlite3_open
sqlite3_open16
sqlite3_prepare
sqlite3_prepare16
sqlite3_reset
sqlite3_step
sqlite3_total_changes
sqlite3_libversion
Yahoo.Messenger\CLSID
Yahoo.Messenger.1\CLSID
Software\Microsoft\Windows Live\Messenger
Software\Microsoft\MSNMessenger\PerPassportSettings
imApp.im.loggingLogPath
TMonochromeLookup
The Windows registry stores settings and options for Microsoft Windows. Over time, the registry becomes cluttered with invalid and obsolete data.
%s can remove these unnecessary and invalid registry entries. Check the items you wish to delete and click Save && Close.
\UserExceptionR.txt
Free up disk space and protect your privacy by removing web pages, images, videos and audio files saved by your browser as you surf the Internet.
Free up valuable disk space and protect your privacy by removing cookies and the list of web pages you visited.
When you remove an application there are often residual files or junk files leftover on your system. %s safely finds and removes these unnecessary files.
\UserExceptionF.txt
Registry keys
RegistryKeys
\ProgramExceptionR.txt
\ProgramExceptionF.txt
IdHTTP1
HTTP1Work
Thank you for purchasing %s!
We are now replacing your current version of %s with %s which includes these additional features:
ProVersionUrl
hXXp://
service.smartpcupdate.com
hXXp://service.smartpcupdate.com/rpc/sendspmpurchase
hXXp://service.smartpcupdate.com/rpc/sendpurchase
&key=
hXXp://service.smartpcupdate.com/rpc/sendspminstall
hXXp://service.smartpcupdate.com/rpc/sendspmuninstall
hXXp://service.smartpcupdate.com/rpc/sendinstall
hXXp://service.smartpcupdate.com/rpc/senduninstall
callbanner.png
BannerURL
Do you have a License Key?
If you purchased %s a license key will have been emailed to you. Please enter the license key below and click Activate Now.
License key
Do you need a License Key?
We recommend that you upgrade to the full version of %s
To purchase %s and obtain a license key click
Licensing key has reached its usage limit!
UserKey
Thank you for registering %s!
Support
Register %s
To optimize settings, fix problems and speed up your PC you need to register %s.
Would you like to register %s now?
To immediately fix these problems and speed up your PC you need to register %s.
To remove these privacy risks from your computer you need to register %s.
To immediately fix these problems and to remove invalid shortcuts you need to register %s
To immediately fix these problems and to remove programs from your startup menu you need to register %s.
%s is the leading and award-winning system optimization tool that cleans, repairs and optimizes your system.
To fix problems and speed up your PC, you need to register %s
This is normal and we have marked these items and will attempt to remove them later. It is best to close as many applications (browser, instant messanger, email, etc.) before running %s.
Specify registry key
SpecifyKey
Example: Software\%s
KeyExample
Key not found in the registry!
KeyNotFound
Offers direct access to key features
Guard.exe
Reminder.exe
s_Exec
Schedule.exe
SmartScan.exe
Example: twitter.com
\CookiesException.txt
PSAPI.dll
The startup menu contains programs that are automatically started by Windows every time you start your PC. As more and more programs insert themselves in your startup menu your PCs valuable resources are drained causing it to operate more slowly.
\StartupList.txt
*.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
\*.lnk
hXXp://VVV.google.com/search?hl=en&q=
hkey
d1.smartpcupdate.com
hXXp://d1.smartpcupdate.com/startup/set_deleted.php?names=
FormOptReport
Optimization Report
CleanEmptyKeys
ScanCustomRegKeys
ScanWindowsLogs
actDebugExecute
Welcome to %s
%s's benefits may include faster performance, increased startup speed and fewer error messages when regularly used.
Why register %s?
Remove invalid and unnecessary items to optimize your Windows registry.
Search histories, cookies, recently viewed web pages, videos, photos, music and more.
%s has found the following potential privacy risks on your computer. To keep your information private and free up valuable disk space we recommend deleting the selected items.
Optimize your settings to improve your computer's speed, security and efficiency. Run an optimization report to check the current condition of your PC.
Optimization report
Windows tracking of user actions
Send error reports to Microsoft
Ask password after quitting standby mode
Automatic login to system w/o password entry
Use autofill for URLs
Autofill of login names and passwords in forms
Request for password save
Get the maximum benefit from %s by customizing the settings to meet your needs.
Undo changes made by %s
Information about your version of %s
If there are certain registry keys, files or cookies that you do not want to have included in the %s scan you can use this feature to create an exclusion list.
Log && Undo makes it easy to undo changes made by %s
List of items that could not to be cleaned because they were locked or in use by another application. %s will attempt to remove these items each time you clean your PC.
IEXPLORE.EXE
FIREFOX.EXE
CHROME.EXE
SKYPE.EXE
\PendingExceptionR.txt
\PendingExceptionF.txt
\Scan.gif
SOFTWARE\Microsoft\Windows\Help
SOFTWARE\Microsoft\Windows\HTML Help
SOFTWARE\Microsoft\Windows\CurrentVersion\Fonts
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\
SOFTWARE\Microsoft\Internet Explorer\TypedURLs\
SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\
SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List\
SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
\places.sqlite
visited Web pages and cookies available for removal
.reg"
Cleaning visited webpages...
macromedia.com\support\flashplayer\sys\
Visited Web pages removed
System32\reg.exe
File Windows\System32\reg.exe not found!
\HKCR.reg
\HKCU.reg
\HKLM.reg
\HKU.reg
EXPORT HKCR "
\HKCR.reg"
EXPORT HKCU "
\HKCU.reg"
EXPORT HKLM "
\HKLM.reg"
EXPORT HKU "
\HKU.reg"
\*.reg
IMPORT "
dfrg.msc
DFRGUI.EXE
dfrgui.exe
DATA.BAK
CUSTOM.BAK
OPA11.BAK
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
DoReport
SOFTWARE\Microsoft\PCHealth\ErrorReporting
PromptPasswordOnResume
SOFTWARE\Policies\Microsoft\Windows\System\Power
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
FormSuggest Passwords
Register your copy of %s
\*.log
OptimizerPro.reg
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
=HKEY_LOCAL_MACHINE#
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#
=HKEY_CLASSES_ROOT#
[-HKEY_CLASSES_ROOT\Applications\
Empty key
EmptyKey
[-HKEY_CLASSES_ROOT\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
=HKEY_CURRENT_USER#
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
HKEY_CLASSES_ROOT\
[-HKEY_CLASSES_ROOT\CLSID\
[HKEY_CLASSES_ROOT\CLSID\
HKEY_LOCAL_MACHINE\
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
HKEY_CLASSES_ROOT\Interface\
[-HKEY_CLASSES_ROOT\Interface\
HKEY_CLASSES_ROOT\Typelib\
[-HKEY_CLASSES_ROOT\Typelib\
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\
: HKEY_CURRENT_USER\
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
: HKEY_LOCAL_MACHINE\
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache
SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders#
[HKEY_LOCAL_MACHINE\
AppEvents\Schemes\Apps\.Default
AppEvents\Schemes\Apps\.Default\
\.Current
\.Default
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\
[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\
\.Current]
\.Default]
HKEY_CURRENT_USER\
[HKEY_CURRENT_USER\
=HKEY_CURRENT_USER#SOFTWARE\
HKEY_CURRENT_USER\SOFTWARE\
[-HKEY_CURRENT_USER\SOFTWARE\
=HKEY_LOCAL_MACHINE#SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\
[-HKEY_LOCAL_MACHINE\SOFTWARE\
=HKEY_USERS\S-1-5-21-1060284298-1454471165-725345543-1004\SOFTWARE\
HKEY_USERS\...\SOFTWARE\
[-HKEY_USERS\S-1-5-21-1060284298-1454471165-725345543-1004\SOFTWARE\
=HKEY_USERS#
HKEY_USERS\
[HKEY_USERS\
LOGIN
.EXE.DLL.SYS.CAB.MSI.DAT.INF.TLB.BIN.OCX.INI.XML.LOG
*.lo?
INDEX.DAT
/eula.php
/privacy.php
c:\debug.pc
Start.exe
6666666666666666
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
%Program Files%\Windows Media Player\wmplayer.exe
wmplayer.exe
GetKeyboardType
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
GetWindowsDirectoryA
GetCPInfo
CreatePipe
version.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
ShellExecuteExA
ShellExecuteA
SHFileOperationA
comdlg32.dll
wsock32.dll
shfolder.dll
oleacc.dll
winmm.dll
Shell32.dll
MainProgram.exe
:5;{;3<]<
; <=<_<|<
5Q5C5N5b5g5
2 2$2(2,20242
=#='= =/=
3o3
> >$>(>,>0>
5 5$5(5,5054585<5
2 2*242>2]2
5"6&62686
6"7&7*7.72787
7$8(80848
; <><`<{<
2 2$2(2,2024282
1,2Q2
3 3$3(3,3034383<3@3
7-7C7O7W7a7j7t7}7
3044484
;(<,<0<4<8<
3X3c3%4S4@5
?&?1?@?{?
:3;7;;;@;
0115191@1
23373;3@3
<!<)<-<1<5<<<
1 2$2(202
6!7%7)7-747
;.<2<6<:<@<
<.=2=6=@=
1*2.22262<2
4L4K4g4o4
5a6S7
;';1; =-=<=
3-4}4
55j5p5
0 0$0(0,020
4)42494>4
2#2?2]2}2
00Z0m0
4)40454{4
3$3)383[3
;#;/;6;;;
<#<(<4<;<@<
=#=/=6=;=
5%6s6
=&=/=6=;=
>,>3>=>[>
;";.;9;_;
;';.;3;^;
;!;';-;3;9;
00O0V0[0j0
<$=:=_={=
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
33333333330
3333338
3333333330
3333833330
3333330
333333330
3333333333
338333?330
33383?3330
3833830
paint.net 4.0;
~.gG@
u-..nkk#
.wJzP
%s}L8
N%uNU%1
kP?%u
m.Se;z
2.Rb;
.vyI$''
:.nuv
YG.txD
.FCRR
*  UUU%%%uuumm
hee%u
 ,*.*.
,-#33 ;;7
%&%SO
'%S?:B.B
pm%C\rlR
U.wqtt
.MgH3
1574674
,:$=73331
:.hf.V
7Dx.Dp
:!m.YW@0
%s`8&
C.zsSS
UuuUuU%UUEU
.dlv,>
.qj_qj]
m-9}h
}uWaeGAncrT
%'Åb
-   ###==
/-)-...--  - --/ -
KWindows
UrlMon
UrlHistory
wlibsqlite3
TntWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
?.EDHaaR@
7'447""'"" $$
[3&&& @^
).6>*!!$)6!6!-.
< .mll
$<","2<2*"*:2:&*&
6'%**<<<55
cg.Br
ChangesShortForm
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
;A new version of %s (version %s) is available for download.
OnKeyDown
All windows
IconOptions.Arrangement
s%s's benefits may include faster performance, increased startup speed and fewer error messages when regularly used.
GRemove invalid and unnecessary items to optimize your Windows registry.
Windows tracking of user actions
(Ask password after quitting standby mode
,Automatic login to system w/o password entry
Optimize your settings to improve your computer's speed, security and efficiency. Run an optimization report to check the current condition of your PC.
3visited Web pages and cookies available for removal
%Scan selected areas for privacy risks
USearch histories, cookies, recently viewed web pages, videos, photos, music and more.
Windows .....
5Attention! %s found 0 privacy risks on your computer
When you remove an application there are often residual files or junk files leftover on your system. %s safely finds and removes these unnecessary files.
4Log && Undo makes it easy to undo changes made by %s
Lines.Strings
If there are certain registry keys or files that you do not want to have included in the %s scan you can use this feature to create an exclusion list.
.Autofill of login names and passwords in forms
OGet the maximum benefit from %s by customizing the settings to meet your needs.
$Information about your version of %s
Log files|*.log|All files|*.*
*.tmp
*.bak
*.old
ProxyParams.BasicAuthentication
ProxyParams.ProxyPort
Request.ContentLength
Request.ContentRangeEnd
Request.ContentRangeStart
Request.ContentType
Request.Accept
Request.BasicAuthentication
Request.UserAgent
&Mozilla/3.0 (compatible; Indy Library)
The Windows registry stores settings and options for Microsoft Windows. Overtime, the registry becomes cluttered with invalid and obsolete data.
m%s can help you clean and optimize your registry. Check the items you wish to delete and click Save && Close.
EditManager.Font.Charset
EditManager.Font.Color
EditManager.Font.Height
EditManager.Font.Name
EditManager.Font.Style
GroupFont.Charset
GroupFont.Color
GroupFont.Height
GroupFont.Name
GroupFont.Style
Header.Columns.Items
Header.Font.Charset
Header.Font.Color
Header.Font.Height
Header.Font.Name
Header.Font.Style
Header.Height
)PaintInfoGroup.MarginBottom.CaptionIndent
Selection.FullItemPaint
oFree up valuable disk space and protect your privacy by removing cookies and the list of web pages you visited
version %s
Support:
OTo immediately fix these problems and speed up your PC you need to register %s.
"Would you like to register %s now?
PTo optimize settings, fix problems and speed up your PC you need to register %s.
l%s is the leading and award winning system optimization tool that cleans, repairs and optimizes your system.
=To fix problems and speed up your PC, you need to register %s
{If you purchased %s a license key will have been emailed to you. Please enter the license key below and click Activate Now.
.To purchase %s and obtain a license key click
YCheck the email you received after you purchased the product for the correct license key.
&Your license key will look like this:
Thank you for purchasing PC %s!
eWe are now replacing your current version of %s with %s Pro which includes these additional features:
Items.Strings
All files|*.*
R* Monitor your PC's performance right from your desktop without having to start %s
&* Offers direct access to key features
pchelpsoft.com
<assemblyIdentity version="1.0.0.0"
name="OptimizerPro.exe"
<requestedExecutionLevel
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
.jdbg
madExcept.HandleContactForm
madExcept.HandleScreenshotForm
.madExcept
%exceptMsg%
%bugReport%
Úte%
Útetime%
%computerName%
Þsktop%
%userappdata%
%commonappdata%
screenShot.bmp
Tcpip\Parameters
VxD\MSTCP
.jpeg
hXXps://
%userappdata%\
BugReport
screenShot.png
operating system
<tr><td><button onClick="history.back();" style="height:19.5pt;"> 
<button onClick="document.getElementById('bugReport').style.visibility='visible';this.style.visibility='hidden';" style="height:19.5pt;"> 
<textarea id="bugReport" readonly cols="80" rows="20" style="width:100%;height:100%;
Software\Microsoft\Windows
GetThreadReport
GetCpuRegisters
\madExcept\Dlls\madExcept32.dll
psapi.dll
suser32.dll
Unspecified error (%d) from %s.
miranda32.exe
PIDLs to operate on are not siblings of the Namespace doing the operation.
Unable to find RegSvr32.exe executable.
RegSvr32.exe
*.dat
\msnmsgr.exe
\msgslang.dll
\msgslang.
Software\Microsoft\MSNMessenger\PerPassportSettings\
*.xml
*.html
\settings.xml
\config.xml
\main.db
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
"DoReport"=dword:00000001
"DoReport"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Power]
"PromptPasswordOnResume"=dword:00000001
"PromptPasswordOnResume"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
"FormSuggest Passwords"="YES"
"FormSuggest Passwords"="NO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
66006666
FORMOPTREPORT
TCHANGESSHORTFORM
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design mode
Unsupported PixelFormat
Invalid stream operation
Unsupported GIF version7Invalid number of colors specified in Screen Descriptor6Invalid number of colors specified in Image Descriptor
Invalid extension introducerúiled to allocate memory for GIF DIB
Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size
Unknown GIF block type'Object type not supported for operation
"%s"8
úiled to set maximum selection range$Failed to set calendar min/max rangeúiled to set calendar selected range
"%s".
"%s".%
oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
RichEdit line insertion error=This control requires version 4.70 or greater of COMCTL32.DLL
Date exceeds maximum of %s
Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or time
jThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.7The png image could not be loaded from the resource ID.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
No help keyword specified.
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Value must be between %d and %d
Unable to insert a line Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
?#''%s'' is not a valid date and time
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
3.2.0.0






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    OptimizerPro.exe:952
    optprosetup.exe:228
    optprosetup.tmp:872
    %original file name%.exe:1808
    rundll32.exe:572
    rundll32.exe:392
    OptProStart.exe:1368
    

    2. 

  2. Delete the original Backdoor file.
    3. 

  3. Delete or disinfect the following files created/modified by the Backdoor:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\optprosetup.exe (772918 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (3912 bytes)
    %Documents and Settings%\%current user%\My Documents\Optimizer Pro\CookiesException.txt (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-AASM2.tmp\optprosetup.tmp (7386 bytes)
    %Program Files%\Optimizer Pro 3.11\is-TR6E8.tmp (673 bytes)
    %Program Files%\Optimizer Pro 3.11\is-E3484.tmp (6841 bytes)
    %Program Files%\Optimizer Pro 3.11\unins000.msg (646 bytes)
    %Program Files%\Optimizer Pro 3.11\is-3SLA7.tmp (56 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\itdownload.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProHelper.dll (7971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\Optimizer Pro 3.11\is-TO9VA.tmp (54 bytes)
    %Program Files%\Optimizer Pro 3.11\is-QVLMI.tmp (65 bytes)
    %Program Files%\Optimizer Pro 3.11\is-TPSS7.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Desktop\Optimizer Pro.lnk (774 bytes)
    %Program Files%\Optimizer Pro 3.11\is-BDSVP.tmp (601 bytes)
    %Program Files%\Optimizer Pro 3.11\is-LLJ0P.tmp (712 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (786 bytes)
    %Program Files%\Optimizer Pro 3.11\is-RR476.tmp (25426 bytes)
    %Program Files%\Optimizer Pro 3.11\is-43TRA.tmp (898 bytes)
    %Program Files%\Optimizer Pro 3.11\is-L971N.tmp (22 bytes)
    %Program Files%\Optimizer Pro 3.11\is-J1K23.tmp (7971 bytes)
    %Program Files%\Optimizer Pro 3.11\is-HI554.tmp (4545 bytes)
    %Program Files%\Optimizer Pro 3.11\is-SNNIV.tmp (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-AM99O.tmp\OptProCrash.dll (22430 bytes)
    %Program Files%\Optimizer Pro 3.11\is-D6QOP.tmp (48 bytes)
    %Program Files%\Optimizer Pro 3.11\is-2FL25.tmp (3073 bytes)
    %Program Files%\Optimizer Pro 3.11\is-4N3QU.tmp (20 bytes)
    %Program Files%\Optimizer Pro 3.11\is-J8HPO.tmp (2321 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (766 bytes)
    %Program Files%\Optimizer Pro 3.11\is-NNTPB.tmp (2321 bytes)
    %Program Files%\Optimizer Pro 3.11\OptProCrash.dll (194716 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (786 bytes)
    %Program Files%\Optimizer Pro 3.11\is-J9RQN.tmp (6841 bytes)
    %Program Files%\Optimizer Pro 3.11\is-FA4RE.tmp (32054 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (814 bytes)
    %Program Files%\Optimizer Pro 3.11\unins000.dat (20665 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2301MF\OptimizerPro[1].exe (390352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DJ0YBMZ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WPR\OptimizerPro.exe (390352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\26KWB2BR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2301MF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (1852 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AZEFELSH\desktop.ini (67 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro" = "%Program Files%\Optimizer Pro 3.11\OptProLauncher.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now