MD5: 4ef3418c5e834ff17461aa45e500c2dc
SHA1: 7ef899adddb012b1be7e06e8cd3fd04cf8c247bd
SHA256: a12917dacb6274803ec0578c771a7f62416e4e12a4847d6b3a34afa9fa322bc6
SSDeep: 12288:Qgn2h0USnRkJBYIczVmjuldONAvA7KGbNuwoafu q67xCzsSIIf /nBiuLRc4:Qg2h07RkJiSudONgA7XUCG ZSIIMnh9R
Size: 748774 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Banker creates the following process(es):

EasySpeedCheckSetup.exe:1492
EasySpeedCheckSetup.exe:936
7za.exe:1100
7za.exe:1332
%original file name%.exe:632
easyspeedcheck.exe:1524

The Trojan-Banker injects its code into the following process(es):

EasyDriverPro.exe:580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process EasySpeedCheckSetup.exe:1492 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F37BQHQW\EasySpeedCheckSetup[1].app (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\EasySpeedCheckSetup.exe (33816 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\EasySpeedCheckSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)

The process EasySpeedCheckSetup.exe:936 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\log-install[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\easyspeedcheck.data (67199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\easyspeedcheck_1_1_3[1].data (67199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\start_install.txt (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\ns8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\System.dll (11 bytes)
%Program Files%\Easy Speed Check\uninstall.exe (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\temp.txt (8 bytes)
%Program Files%\Easy Speed Check\esc.ico (1217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\7za.exe (15192 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\easyspeedcheck.data (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\start_install.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\ns8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\temp.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\7za.exe (0 bytes)

The process 7za.exe:1100 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\Easy Speed Check\ssleay32.dll (1127 bytes)
%Program Files%\Easy Speed Check\libstdc -6.dll (4515 bytes)
%Program Files%\Easy Speed Check\cwebpage.dll (496 bytes)
%Program Files%\Easy Speed Check\easyspeedcheck.exe (687 bytes)
%Program Files%\Easy Speed Check\libeay32.dll (9956 bytes)
%Program Files%\Easy Speed Check\libgcc_s_dw2-1.dll (250 bytes)
%Program Files%\Easy Speed Check\libidn-11.dll (1354 bytes)
%Program Files%\Easy Speed Check\zlib1.dll (861 bytes)
%Program Files%\Easy Speed Check\libcurl.dll (1903 bytes)

The process 7za.exe:1332 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\Probit Software\Easy Driver Pro\sqlite3.dll (6081 bytes)
%Program Files%\Probit Software\Easy Driver Pro\EDPTray.exe (9241 bytes)
%Program Files%\Probit Software\Easy Driver Pro\EasyDriverPro.exe (137539 bytes)
%Program Files%\Probit Software\Easy Driver Pro\7z.dll (8737 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Exclusions.txt (2 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Vendors.txt (4 bytes)

The process EasyDriverPro.exe:580 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.db (5243788 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Devices.ini (25 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.7z (7386 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Scan.ini (726 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\PCInfo.ini (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_0HwS6eufbKOuIzm (2213974 bytes)
%Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.db-journal (1178 bytes)

The Trojan-Banker deletes the following file(s):

%Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.db-journal (0 bytes)

The process %original file name%.exe:632 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\Probit Software\Easy Driver Pro\English.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\temp.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K3AC3W37\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\easydriverpro.data (78362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K3AC3W37\log-install[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F37BQHQW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\start_install.txt (16 bytes)
%Program Files%\Probit Software\Easy Driver Pro\EasyDriverPro.chm (17 bytes)
%Program Files%\Probit Software\Easy Driver Pro\scan.gif (2553 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Easy Driver Pro.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\EasySpeedCheckSetup.exe (5952 bytes)
%Program Files%\Probit Software\Easy Driver Pro\uninstall.exe (1382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsExec.dll (6 bytes)
%Program Files%\Probit Software\Easy Driver Pro\edp.ico (1128 bytes)
%Program Files%\Probit Software\Easy Driver Pro\file_id.diz (549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\EasySpeedCheckSetup[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Help.lnk (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\easydriverpro820[1].data (78362 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Uninstall.lnk (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Easy Driver Pro on the Web.lnk (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
%Program Files%\Probit Software\Easy Driver Pro\HomePage.url (53 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\EasySpeedCheckSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\7za.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\easydriverpro.data (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\start_install.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\temp.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (0 bytes)

Registry activity

The process EasySpeedCheckSetup.exe:1492 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\EasySpeedCheckSetup.exe,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 1D 54 C6 B5 B2 8E 73 FA 28 C4 51 A3 25 4A FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process EasySpeedCheckSetup.exe:936 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Easy Speed Check]
"srid" = "8IHTP5H0PH"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\ClkApp]
"a1t" = "0"
"umid" = "A8A67A25"
"u1" = "18000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\ClkApp]
"u2" = "3600"
"vts" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB BF 83 CC 62 88 5B D4 21 5B E1 06 BE 3E 62 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Easy Speed Check]
"ver" = "1.1.3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\ClkApp]
"a1p" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"EasySpeedCheck" = "%Program Files%\Easy Speed Check\easyspeedcheck.exe"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 7za.exe:1100 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 6D 3F 2D 4C 91 A3 EB 6C FE EA 36 2F 80 31 3F"

The process 7za.exe:1332 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 FE B1 40 94 7B 1E 5F A1 30 46 54 2C 55 F4 C8"

The process EasyDriverPro.exe:580 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Probit Software\Easy Driver Pro]
"BackupPath" = "%Documents and Settings%\%current user%\My Documents\Probit Software\Easy Driver Pro\Backup\"
"s_SmartDate" = "88 CC 34 D2 1B 92 E4 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ScanExecuted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Probit Software\Easy Driver Pro]
"s_SmartScan" = "1"
"s_SmartExec" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ProxyAddress" = ""
"ProxyPort" = ""
"AppStart" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Probit Software\Easy Driver Pro]
"DownloadPath" = "%Documents and Settings%\%current user%\My Documents\Probit Software\Easy Driver Pro\Drivers\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Probit Software\Easy Driver Pro]
"nDownloads" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ShowUpdateWindow" = "0"
"TrayNotification" = "1"
"DatabaseDate" = "88 CC 34 D2 3B 92 E4 40"
"ShowRebootMessage" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Probit Software\Easy Driver Pro]
"OutdatedDrivers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Probit Software\Easy Driver Pro]
"LastDatabaseCheck" = "88 CC 34 D2 3B 92 E4 40"
"s_Enable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ProxyLogin" = ""
"s_Time" = "88 CC 34 D2 3B 92 E4 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Probit Software\Easy Driver Pro]
"UseProxy" = "0"
"TotalDrivers" = "63"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 9B 57 1A 3A 49 00 30 2B BC 67 D9 CD A2 48 7C"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ShowAlertMessages" = "1"
"StartWithWindows" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Probit Software\Easy Driver Pro]
"InstallationDate" = "05-05-2015"
"InstallStat" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ForceUpdate" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Probit Software\Easy Driver Pro]
"s_SmartMode" = "0"
"UpdateWindowShown" = "0"
"s_Mode" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ShowSRPMessage" = "1"
"LastUpdate" = "88 CC 34 D2 3B 92 E4 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Probit Software\Easy Driver Pro]
"ProxyPassword" = ""
"LastScan" = "3E 5B 91 D4 3B 92 E4 40"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:632 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Easy Driver Pro]
"DisplayIcon" = "%Program Files%\Probit Software\Easy Driver Pro\EasyDriverPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Easy Driver Pro]
"UninstallString" = "%Program Files%\Probit Software\Easy Driver Pro\uninstall.exe"
"DisplayName" = "Easy Driver Pro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Probit Software\Easy Driver Pro]
"Language" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Easy Driver Pro]
"Publisher" = "Probit Software LTD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 67 6F 9F A7 0F DB 10 82 30 1C 96 A8 47 61 C0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Easy Driver Pro]
"DisplayVersion" = "8.2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Probit Software\Easy Driver Pro]
"srid" = "6GFR8E14W5&iid=17801584&umi=A8A67A25&sst=0ce5017da4da14ae85d1f2366409f112"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Easy Driver Pro" = "%Program Files%\Probit Software\Easy Driver Pro\EDPTray.exe"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process easyspeedcheck.exe:1524 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 E6 2A BF 4D EA AF 28 31 0C E4 2C AA F4 F0 C3"

[HKCU\Software\ClkApp]
"u1" = "3600"
"u2" = "1800"
"a1t" = "1430846549"
"vts" = "1430848347"
"UID" = "TG1VCD443B"
"a1p" = "1430846849"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Probit Software LTD
Product Name: Easy Driver Pro
Product Version: 8.2.0
Legal Copyright: Probit Software LTD
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 8.2.0.161
File Description: Easy Driver Pro
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://d1ys4d6w5g5meo.cloudfront.net/publishers/3/815/EasySpeedCheckSetup.exe
hxxp://d1ys4d6w5g5meo.cloudfront.net/publishers/3/815/EasySpeedCheckSetup.app
hxxp://23.21.42.142/easyinstallprolib/easyinstallprolog/log-install.php?ins=6GFR8E14W5&ver=8.2.0.161&st=100&umi=A8A67A25&iid=17801584&comp=42-9-1
hxxp://lb1-1907411912.us-east-1.elb.amazonaws.com/easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=1&umi=A8A67A25
hxxp://d1ys4d6w5g5meo.cloudfront.net/easyspeedcheck_1_1_3.data
hxxp://lb1-1907411912.us-east-1.elb.amazonaws.com/easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=100&umi=A8A67A25&iid=17801588&comp=0
hxxp://service.smartpcupdate.com/rpc/getdatabasezx?arch=32&os=5	176.9.2.105
hxxp://d2.smartpcupdate.com/dbs/current_5_32_zx.7z	173.192.91.180
hxxp://service.smartpcupdate.com/rpc/sendinstall?partner=ProbitSoftware&build=8.2	176.9.2.105
hxxp://lb1-1907411912.us-east-1.elb.amazonaws.com/applib/appmsg/appmsg.php
hxxp://download.easyspeedcheck.com/publishers/3/815/EasySpeedCheckSetup.app	54.230.93.122
hxxp://download.easyspeedcheck.com/publishers/3/815/EasySpeedCheckSetup.exe	54.230.93.122
hxxp://www.easyspeedcheck.com/applib/appmsg/appmsg.php	23.21.42.142
hxxp://www.easydriverpro.com/easyinstallprolib/easyinstallprolog/log-install.php?ins=6GFR8E14W5&ver=8.2.0.161&st=100&umi=A8A67A25&iid=17801584&comp=42-9-1
hxxp://download.easyspeedcheck.com/easyspeedcheck_1_1_3.data	54.230.93.122
hxxp://www.easyspeedcheck.com/easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=100&umi=A8A67A25&iid=17801588&comp=0	23.21.42.142
hxxp://www.easyspeedcheck.com/easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=1&umi=A8A67A25	23.21.42.142

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY Executable served from Amazon S3

Traffic

POST /applib/appmsg/appmsg.php HTTP/1.1

Host: VVV.easyspeedcheck.com

Accept: */*

Content-Length: 126

Content-Type: application/x-www-form-urlencoded

msg=<?xml version="1.0" encoding="UTF-8"?><umid>A8A67A25</umid><ver>1.1.3</ver><srid>8IHTP5H0PH</srid><msg>get_unique_id</msg>
HTTP/1.1 200 OK

Cache-control: no-cache="set-cookie"

Content-Type: text/html; charset=UTF-8

Date: Tue, 05 May 2015 17:52:50 GMT

Server: Apache/2.2.15 (CentOS)

Set-Cookie: AWSELB=15A7D78B08CC57797F87EA072FDB431CC5F43D7E6805CB043F7D10C8CAEF9D741B6C6B22B7005C68D32C54628FF65B5B030134F9CD63D30CCDE9BF48A42927C7A2419F8E97;PATH=/

X-Powered-By: PHP/5.3.3

Content-Length: 95

Connection: keep-alive
..<?xml version="1.0" encoding="UTF-8"?>..                      
          <uid>TG1VCD443B</uid>..

GET /publishers/3/815/EasySpeedCheckSetup.app HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download.easyspeedcheck.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 523501

Connection: keep-alive

Date: Tue, 05 May 2015 16:58:41 GMT

Last-Modified: Tue, 05 May 2015 16:34:24 GMT

ETag: "3475570f6707bf436b4f891eab11a764"

Accept-Ranges: bytes

Server: AmazonS3

Age: 3187

X-Cache: Hit from cloudfront

Via: 1.1 cde11d44c652a64c2d322a0ea1af139e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: PK5lCv6dHKxjyeBRLzoEou7m4tpjPmrNGIa1Lg_e2sxrDRN4ZlgmVg==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................0...............................................t....
......................................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...............z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

GET /easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=1&umi=A8A67A25 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.easyspeedcheck.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-control: no-cache="set-cookie"

Content-Type: text/html; charset=UTF-8

Date: Tue, 05 May 2015 17:50:59 GMT

Server: Apache/2.2.15 (CentOS)

Set-Cookie: AWSELB=15A7D78B08CC57797F87EA072FDB431CC5F43D7E688B432C396ED23AD5E167F15723427BB75CC75F4B3162CF96B2842607AADE49B42F4DDDBB2E18F30BBBBE8CA4962C6358;PATH=/

X-Powered-By: PHP/5.3.3

Content-Length: 16

Connection: keep-alive
17801588....HTTP/1.1 200 OK..Cache-control: no-cache="set-cookie"..Con
tent-Type: text/html; charset=UTF-8..Date: Tue, 05 May 2015 17:50:59 G
MT..Server: Apache/2.2.15 (CentOS)..Set-Cookie: AWSELB=15A7D78B08CC577
97F87EA072FDB431CC5F43D7E688B432C396ED23AD5E167F15723427BB75CC75F4B316
2CF96B2842607AADE49B42F4DDDBB2E18F30BBBBE8CA4962C6358;PATH=/..X-Powere
d-By: PHP/5.3.3..Content-Length: 16..Connection: keep-alive..17801588.
.......


GET /easyinstallprolib/easyinstallprolog/log-install.php?ins=8IHTP5H0PH&ver=1.1.3.1267&st=100&umi=A8A67A25&iid=17801588&comp=0 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.easyspeedcheck.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: AWSELB=15A7D78B08CC57797F87EA072FDB431CC5F43D7E688B432C396ED23AD5E167F15723427BB75CC75F4B3162CF96B2842607AADE49B42F4DDDBB2E18F30BBBBE8CA4962C6358

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 05 May 2015 17:51:04 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 8

Connection: keep-alive
....HTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 05 May 2015 17:51:04 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-
By: PHP/5.3.3..Content-Length: 8..Connection: keep-alive..

HEAD /dbs/current_5_32_zx.7z HTTP/1.1

Content-Type: text/html

Host: d2.smartpcupdate.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.5.5

Date: Tue, 05 May 2015 17:51:59 GMT

Content-Type: application/x-7z-compressed

Content-Length: 1318955

Last-Modified: Wed, 11 Mar 2015 12:54:13 GMT

Connection: keep-alive

ETag: "55003af5-14202b"

Accept-Ranges: bytes
....


GET /dbs/current_5_32_zx.7z HTTP/1.1

Content-Type: text/html

Host: d2.smartpcupdate.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.5.5

Date: Tue, 05 May 2015 17:51:59 GMT

Content-Type: application/x-7z-compressed

Content-Length: 1318955

Last-Modified: Wed, 11 Mar 2015 12:54:13 GMT

Connection: keep-alive

ETag: "55003af5-14202b"

Accept-Ranges: bytes
7z..'....1.=........Y............).E.`...&d..&.1...!..m....8.Q.=..Uc..
..e.....^..../ ..0.v'.......Ja.....la...q(...m.....m|.N.G..........vp^
.4...q..s.[g#.p.Ly.(\ ..s..E.../..c.....&:.~4m...j'J.y.~,..Z.L.V..z...
.k.}.b3...`$B...@.@..../.[ e.-..R.V.W.LtD.........s.o..G#-P.y{.,...Q..
...d.....B...c...A..g..e..>....H}...?.\...6...7i7..\q.._YB.7T....8.
.W......$....eR...2=HBV.~r].[".q...'....!.9;4...{.......IrN..*#S...)..
.q..g..&.j.!.a....yT}.....'.IBI[.MS. ....8I}8.....Y.."..u..Y9....4Z..?
..c.....LD..~.N x..T..Ll........>5j..\[email protected].**...o n...n..........
........b....cX4.....B(.L.....>@............m.".4.6....V.vB......r.
:.}[email protected]...`UBc.....U~..U.N....b......I. ...,.
z/..X...e..1.......lq.Dj...MU....u..........n.j......._.......6`.....o
h.........oU=u..ZM... ...~...=...4...M........V.i.....P...'...N..w.b.!
".1.m...1..........b..\..<.~...`.......#....o.#...nE.. My.......44.
...~.Y.SI/t.-.J.]...[...C..KmS..0j...W..)....-..bV....u.mS^m.t.z..|%..
...p&`..S.Z.........."m8mr..s.......(Bu.XI........U.W..K.\<....eG02
........8=....$.'T@n...?..1.....<~b..D.x.o#...G|....9\....]K...P7.)
..I7..BJmw....>.....n.2..7!.f.........h._.....C..~v...`%....I.....x
.-.q~E...<fyV...E.<.../.r02as......ma......q.Yf3...'T.. 3..80.. 
..;\.W.P............-.L...0z....f..t9^y..!p...J.z31P........vd.F..w.u.
....T.......C.A......S.^.9..[...._.[}0.t.:E>........j..P...t.[T.D..
...4.a'....b'.].B..c.[..R..3..F..AU..-..8o.-6.......;.88.}..e.4q.....K
W [.....c")tGf....a....."..[_....~x.H..[0..X.H./1....*b..D.k...83Q
<<< skipped >>>

GET /applib/appmsg/appmsg.php HTTP/1.1

Host: VVV.easyspeedcheck.com

Accept: */*

HTTP/1.1 200 OK

Cache-control: no-cache="set-cookie"

Content-Type: text/html; charset=UTF-8

Date: Tue, 05 May 2015 17:51:36 GMT

Server: Apache/2.2.15 (CentOS)

Set-Cookie: AWSELB=15A7D78B08CC57797F87EA072FDB431CC5F43D7E684950193DFB88BE41987C7E156D7F91AC5CC75F4B3162CF96B2842607AADE49B42F4DDDBB2E18F30BBBBE8CA4962C6358;PATH=/

X-Powered-By: PHP/5.3.3

Content-Length: 2

Connection: keep-alive
....

GET /easyinstallprolib/easyinstallprolog/log-install.php?ins=6GFR8E14W5&ver=8.2.0.161&st=100&umi=A8A67A25&iid=17801584&comp=42-9-1 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.easydriverpro.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: AWSELB=15A7D78B08CC57797F87EA072FDB431CC5F43D7E688B432C396ED23AD5E167F15723427BB75CC75F4B3162CF96B2842607AADE49B42F4DDDBB2E18F30BBBBE8CA4962C6358

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 05 May 2015 17:50:57 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 8

Connection: keep-alive
....HTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 05 May 2015 17:50:57 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-
By: PHP/5.3.3..Content-Length: 8..Connection: keep-alive..

GET /publishers/3/815/EasySpeedCheckSetup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download.easyspeedcheck.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 79012

Connection: keep-alive

Date: Tue, 05 May 2015 16:58:37 GMT

Last-Modified: Tue, 05 May 2015 16:34:26 GMT

ETag: "c66be935b595dcbbc417b73e45f64b6c"

Accept-Ranges: bytes

Server: AmazonS3

Age: 3188

X-Cache: Hit from cloudfront

Via: 1.1 b560f1a5dbbad60caea612b91809a8f8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: -6tN3WQvV-IbaWCUU7WhPHHWKg9ru0MW7QwwB97VVpTI4Adc4NkscA==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......................................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...............z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

GET /rpc/getdatabasezx?arch=32&os=5 HTTP/1.1

Content-Type: text/html

Host: service.smartpcupdate.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.0.4

Date: Tue, 05 May 2015 17:51:58 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.14
80..{"ok":1,"error":0,"url":"http:\/\/d2.smartpcupdate.com\/dbs\/curre
nt_5_32_zx.7z","file_hash":"e79cf4f9cf56271ed719fbe53a41c48b"}..0..

GET /rpc/sendinstall?partner=ProbitSoftware&build=8.2 HTTP/1.1

Content-Type: text/html

Host: service.smartpcupdate.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.0.4

Date: Tue, 05 May 2015 17:52:23 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.14
12..{"ok":1,"error":0}..0..

GET /easyspeedcheck_1_1_3.data HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download.easyspeedcheck.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 1224408

Connection: keep-alive

Date: Tue, 05 May 2015 07:19:20 GMT

x-amz-meta-cb-modifiedtime: Fri, 19 Dec 2014 21:42:23 GMT

Last-Modified: Fri, 19 Dec 2014 21:45:13 GMT

ETag: "e45b126418dcdd6ce225adb86a78692e"

Accept-Ranges: bytes

Server: AmazonS3

Age: 37952

X-Cache: Hit from cloudfront

Via: 1.1 660d1b60b9803f57ec0ebd5664934bd8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DBnC4XzOaFQF8WAESSSCY3ObPAFogXT6bYI6bXUvArNu4d4tLN3QbA==
7z..'.....N.........$........5`-.&..p.........../D.N..T.!.P.A? ....qt.
..\.....8..hnlX.P..OYt.45.Yi.J..........p.?9....x<..X.t..B.0..c....
...C.m5._Z..v(...U.Q8....y..NTnD'...E.^%...M..x....b`.3.O.S..y......(.
.H ...>.........2....k.e. .U..73.....z.....6.>.........:.8..OG/,
..DW...$T.R.}QP......:......(.....b...A]......vg.m..).......*.K..W.x..
. ..]....Cq..M\.MQ@p"gO...P.k..w..a..*.?([email protected]..."p.J..}.t
i$w..!.....46=;C>.G. .A.?...r..f.2..x.'Zi..K`A....#...o.t.K.......R
C.n_i.h..&.#.h.......*...`..zk..X^...........z[mT.G.=....A..9.........
It...(....n.B....."5..Ad?...1"8n..|1.yw.3>....LjzkI.D.t...@8..<.
30...=..&..dc..... ..7..............=F.*S..2[.9LAZL...i..RB.s....Y.6U.
....._M[U..W..6.?.r.^..\`a./c...@..._N....U%t..c)..=u9@\r.....?..A..Gu
..W.V..}.s.....#.j....t'.q...Z....o.....H'E...%...~r.MC......4%..GN.{.
...F.Y..B$......e..#...b#nE.H4u.K...&..)..\..~.....qb.1=7EK.......P..{
L7cP.~.I..|.")..5..M.x....D.....C?.....a..4C......i....%...%....C.-{.R
.4..e.}..8.{....,..=g.Zn%[email protected]....@..!~...}/.].?.^TpBAU..&=..
xy.*....}bg.^S.........B..Z9...IjG..!................o.....M."........
.....F<o.)......*.0..I..G8k.4.<".~...te....(......W.!..T...G.%%.
..`...b....d.....Mt..A.6..?O..9...0...A..m...)...iL.c......N........u.
.i."$2..a...][email protected]...*..[n..(z.!..... .y..]...G\...SY".:..
'...y../M....z.X!Or.%.....vT.d ...1}.q...B..L.?.=..'...C..4......."..B
1...y.SY..._..4..o....O..&.....B._.(.Y..x.B.......|J%.e.x../..0..Mygd.
.'..P........x....'.32......H,7..u`C..-.66........D..h...ez...f...
<<< skipped >>>

The Trojan-Banker connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

HKEY

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

comctl32.dll

USER32.DLL

uxtheme.dll

Proportional

MAPI32.DLL

vsReport

OnKeyDownX

OnKeyPress

OnKeyUp0

OnKeyUp

TComboBoxExEnumerator

ole32.dll

PasswordChar

ssHorizontal

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword<

crSQLWait

%s (%s)

imm32.dll

HelpKeywordX

OnExecute

AutoHotkeys,

AutoHotkeyst

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowStateX

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

EDPTray.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

OnActionExecute

WNNC_NET_FTP_NFS

Uh.WH

olepro32.dll

TCommonShellExecuteThreadU

%Program Files%\Borland\Common Library\Source\MPThreadManager.pas

shell32.dll

\\.\vwin32

shlwapi.dll

Mpr.dll

%Program Files%\Borland\Common Library\Source\MPShellUtilities.pas

To show a Context Menu using TNamespace you must pass a valid Owner TWinControl

THKeyArray

TCommonKeyState

cksShift

TCommonKeyStates

%Program Files%\Borland\Common Library\Source\MPCommonUtilities.pas

user32.dll

gdi32.dll

advapi32.dll

Userenv.dll

ShellExecuteExW

ShellExecuteW

GetWindowsDirectoryW

RegOpenKeyW

RegOpenKeyExW

SHFileOperationW

%Program Files%\Borland\EasyListview\Source\EasyListviewAccessible.pas

TEasyAccessibleManager.Create not a TCustomEasyListview type

TEasyGroupAccessibleManager.Create not a TEasyGroup type

TEasyItemAccessibleManager.Create not a TEasyItem type

TEasyColumnAccessibleManager.Create not a TEasyColumn type

TEasyHeaderAccessibleManager.Create not a TEasyHeader type

elsReport

elsReportThumb

TAutoGroupGetKeyEvent

TColumnGetImageIndexEvent

TColumnSetImageIndexEvent

KeyState

KeyStates

TGroupGetImageIndexEvent

TGroupSetImageIndexEvent

HintWindowShown

TItemGetGroupKeyEvent

GroupKey

TItemGetImageIndexEvent

TItemSetGroupKeyEvent

TItemSetImageIndexEvent

MouseMsg

TEasyKeyActionEvent

EscapeKeyPressed

TEasyViewReportItem4

TEasyViewReportItemx

TEasyViewReportThumbItem

TEasyGridReportGroup

TEasyGridReportThumbGroup

TEasyCellSizeReport`

TEasyCellSizeReport(

TEasyCellSizeReportThumb

TEasyCellSizeReportThumbH

ReportThumb0

Report

AlwaysShow

OnAutoGroupGetKey

OnItemGetGroupKey

OnItemSetGroupKey

OnKeyAction

%Program Files%\Borland\EasyListview\Source\EasyListview.pas

FTPf

Can not find TEasyGroups.AdjacentItem of an Invisible Item

Uh.KM

Uh.uM

EasyListview.Header

!"#$%&*;<=>@[]^_`{|}

TNT Internal Error: TWideComponentHelper.Create should never be encountered.

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntClasses.pas

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntActnList.pas

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntForms.pas

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntMenus.pas

Internal Error: SyncHotKeyPosition Failed ("%s" <> "%s").

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntControls.pas

Internal Error: SubClassUnicodeControl.Control is not Unicode.

.UnicodeClass

TntUnicodeVcl.DestroyWindow

%Program Files%\TntWare\Delphi Unicode Controls\Source\TntStdCtrls.pas

TMonochromeLookup

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

"%s" : %s

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

SQLite is Busy

<%s> invalid zipfile

Shell.Application

<%s> invalid source

<%s> invalid target folder

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

%s, %d %s %d %s %s

ftpTransfer

ftpReady

ftpAborted

ClientPortMinT

ClientPortMax

Port\"P

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

saUsernamePassword

PasswordT

Port

0.0.0.1

TIdTCPStream

End of stream: %s at %d

TIdTCPConnection

IdTCPConnection

EIdTCPConnectionError

EIdObjectTypeNotSupported

password

Password

IdHTTPHeaderInfo

ProxyPasswordT

ProxyPort

Mozilla/3.0 (compatible; Indy Library)

libeay32.dll

ssleay32.dll

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_certificate_file

SSL_get_peer_certificate

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_check_private_key

X509_STORE_CTX_get_current_cert

des_set_key

sslvrfFailIfNoPeerCert

TPasswordEvent

Certificate

RootCertFilep

CertFilep

KeyFile8

OnGetPassword

EIdOSSLLoadingRootCertError

EIdOSSLLoadingCertErrorh

EIdOSSLLoadingKeyError

TIdTCPClient

IdTCPClient

BoundPort

PortU

CommentURL

TIdHTTPMethod

IdHTTP

TIdHTTPOption

TIdHTTPOptions

TIdHTTPProtocolVersion

TIdHTTPOnRedirectEvent

TIdHTTPResponse

TIdHTTPResponsel

TIdHTTPRequest

TIdHTTPRequest$

TIdHTTPProtocol8

TIdCustomHTTP

TIdCustomHTTP8

TIdHTTP

TIdHTTPh

HTTPOptions

Port@

EIdHTTPProtocolException

HTTPS

https

This request method is supported in HTTP 1.1

HTTP/1.0 200 OK

HTTP/

LicenseKey

\SOFTWARE\Microsoft\Windows\CurrentVersion\Settings\Easy Driver Pro

EInvalidGridOperation

goAlwaysShowEditor

doKeyColFixed

TKeyOption

keyEdit

keyAdd

keyDelete

keyUnique

TKeyOptions

KeyName

KeyValue

KeyOptions

KeyDescH

%s=%s

FormKeyDown

Check the email you received after you purchased the product for the correct license key.

Your license key will look like this:

IdHTTP1

Do you have a License Key?

If you already have a License Key, please enter it in the form below and click "Activate Now".

License key

Do you need a License Key?

To purchase Easy Driver Pro and obtain a license key click

service.smartpcupdate.com

ProxyLogin

ProxyPassword

hXXp://service.smartpcupdate.com/rpc/sendpurchase?partner=ProbitSoftware&build=8.2&key=

Licensing key has reached its usage limit!

Current Windows version

Backuped driver Windows version

We NOT reccomend your use this driver for current Windows version.

5 (Windows XP)

6 (Windows Vista)

7 (Windows 7)

8 (Windows 8)

7z.dll

Error loading library %s

%s is not a 7z library

%s is not a Format library

HTTPWork

hXXp://service.smartpcupdate.com/rpc/getdatabasezx?arch=

/7z.dll

Drivers.db

Drivers_prev.db

SetupFiles.txt

%s <%s>

=?WINDOWS

Indy 9.00.10

atLogin

IdSMTP

TIdSMTP

AUTH LOGIN

Uh.uS

LOGIN

IdSMTP1<

Report a problem with a new driver!

mail.smartpctools.com

[email protected]

[email protected]

IdHTTP0

HTTP1Start

HTTP2Start

HTTP3Start

HTTP4Start

HTTP5Start

HTTP1Work

HTTP2Work

HTTP3Work

HTTP4Work

HTTP5Work

InstallExeDriver

Windows XP

Windows Vista

Windows 7

Windows 8

Windows 8.1

PCInfo.ini

English.ini

French.ini

German.ini

Spanish.ini

Italian.ini

Portuguese.ini

Danish.ini

Dutch.ini

Swedish.ini

Polish.ini

Russian.ini

Brazilian.ini

Finnish.ini

Norwegian.ini

Czech.ini

hXXp://VVV.easydriverpro.com/

hXXp://VVV.easydriverpro.com/go-register.php

hXXp://support.easydriverpro.com/

Login

StartWithWindows

Product information and support link

Support

: 8.2.0

Scan.ini

InstallLog.ini

Backups.ini

UpdateWindowShown

s_SmartExec

\SDUTray.exe

Devices.ini

\Easy Driver Pro.chm

CERTANCE

Keyboard

Ports

MultiPortSerial

Vendors.txt

ClassKey

EnumKey

ScanExecuted

\Scan.gif

Exclusions.txt

1.0.0.0

update1.smartpcupdate.com

hXXp://update1.smartpcupdate.com/rpc/getlastupdate

hXXp://service.smartpcupdate.com/rpc/getstatus?exedate=

hXXp://service.smartpcupdate.com/rpc/candownloadfiles?partner=ProbitSoftware&version=3.1&key=

hXXp://service.smartpcupdate.com/rpc/sendinstall?partner=ProbitSoftware&build=8.2

hXXp://update1.smartpcupdate.com/rpc/sendstats?partner=ProbitSoftware&build=8.2.0&files=

hXXp://update1.smartpcupdate.com/rpc/sendreport?filename=

UpdateList.txt

This version is no longer supported!

SrClient.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

hXXp://VVV.google.com/search?hl=en&q=

.SYS.DLL.INF.CAT.NFO.EXE.REG.AX.DRV.CPL

RUNDLL32.EXE

LAYOUT.INF

regedit.exe

\Enum.reg" "HKEY_LOCAL_MACHINE\

\Classes.reg" "HKEY_LOCAL_MACHINE\

\*.inf

\Log.txt

u.hd U

/s zipfldr.dll

regsvr32.exe

\.zip\CompressedFolder\ShellNew

\Classes.reg

\Classes.reg"

\Enum.reg

\Enum.reg"

*.exe

AUTORUN.EXE

32.EXE

64.EXE

*.inf

msiexec.exe

newdev.dll

advpack.dll,LaunchINFSectionEx "

rundll32.exe

01-01-2015

RunExe

hXXp://service.smartpcupdate.com/downloads/

\EDPTray.exe

s_Exec

#!V!W!"!&!r%!%#%%%'%)%c%e%g%C%<!"%$%&%(%*% %-%/%1%3%5%7%9%;$=%?%A%D%F%H%J%K%L%M%N%O%R%U%X%[%^%_%`%a%b%d%f%h%i%j%k%l%m%o%s% !,!

P%S%V%Y%\%

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123456789:;<=>?

&'()* ,-./0123456789:;<=>?

GetKeyboardType

RegOpenKeyExA

RegCloseKey

RegQueryInfoKeyA

RegFlushKey

RegEnumKeyExA

RegCreateKeyExA

GetWindowsDirectoryA

GetCPInfo

version.dll

SetViewportOrgEx

SetViewportExtEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExA

SetKeyboardState

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

GetKeyNameTextA

GetAsyncKeyState

ExitWindowsEx

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

ShellExecuteExA

ShellExecuteA

SHFileOperationA

wininet.dll

SHFolder.dll

oleacc.dll

winmm.dll

sqlite3.dll

sqlite3_finalize

sqlite3_column_type

sqlite3_column_text

sqlite3_column_int

sqlite3_column_double

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_step

sqlite3_column_decltype

sqlite3_column_name

sqlite3_column_count

sqlite3_prepare

sqlite3_free

sqlite3_errcode

sqlite3_errmsg

sqlite3_close

sqlite3_open

1 10191~1

5!5'575@5

2%3s3

9œ9q9

> >$>(>,>0>4>8><>@>\>|>

8#8'8 8/8]9

5!5%5)5-515

3 3$3(3,303

5 5$5(5,505

9 :(:7:|:

4W5D5

3,4044484<4

> >$>(>,>0>4>8><>`>

7)757:8\8

7,797@7_7

:#;'; ;/;3;8;

;,<0<4<8<

4 4(4,404

;";&;*;0;

=)>->1>5><>

2(3,30343

2#2'2 2/242

13171;1\1

2538687

6 6$6(6,606

: :$:(:,:0:4:8:@:

1$2f2

: :$:(:,:0:4:8:<:@:\:|:

0!0%0)000

3$4/494>4_4

8)9.9[9`9

?"?.?@?~?

7$8(8,808

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

KWindows

UrlMon

0IdHTTPHeaderInfo

 IdTCPServer

IdTCPStream

SQLite3

SQLiteTable3

#IdSMTP

TntWindows

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Picture.Data

X9}V9zT9vR8rP8nN7jL6eI5aG4\D3XB1T?0O<.QA6md]

^8~Q1uK-zP2}R2

c=|R2%d

Z;ü)^>&

_9wM.Bt

.7b%%%%%%%%	cG[

\%tV%YW0WU/[S0WJ6UJ6\M2mR%oT%uS"

_I&]I*bM-aM.aM.aM-aM-aM-aM-aM-aM.aK,[R3g

%Select the drivers you wish to backup

EditManager.Font.Charset

EditManager.Font.Color

EditManager.Font.Height

EditManager.Font.Name

EditManager.Font.Style

GroupFont.Charset

GroupFont.Color

GroupFont.Height

GroupFont.Name

GroupFont.Style

Header.Columns.Items

Header.Font.Charset

Header.Font.Color

Header.Font.Height

Header.Font.Name

Header.Font.Style

ImageList1)PaintInfoGroup.MarginBottom.CaptionIndent

Selection.FullRowSelect

%Select name, location and backup type

Items.Strings

%Driver backup successfully completed!

,,,888555

%Save downloded drivers to this folder

$Product information and support link

"!## "#!##"##"##"##"$#!#$!#$!##"$%"$$#$%#%%#%%$%%$%%$%%$%%$%%$%%$&%$%%$&&$%&$%%$%%$%'$%%#%%#%%#$$###"""

/;~/<|-8yYi}ds

/<}.;~/:

*u)6u 9w 9w 8y,9z-;z-;z-:x,7{-9}.:~/<~/;~/;~.:~/:

/<~/;~/;~/9

#p .}/=p"-y,7z-8}.9}/:|-8|.9}.9}.9}.:}/;~/;~/:

/;~/:}.:z-8{-8{-9|-9}.:|.:}cs

/;}.9~/;

/9~.8~.8

/:~.8}.8}.8}.9}.8

/:~/9~/9

/:~/:}.8~.:}.9z-7}.9}.9}.:

/:~/:}.9}.9}.9}.9}.9}.9}.9

|.8{-7}.8}.9~/:~/9~/9~/9}.8~/9

/:~/9}.8~/9}.9}.9}.8|.8|.8

~/9}.8~.8~/9

/9~/9~/9}.8}.8}.9}.9

/:~/9~/9~/9}.9}.8~.9}3>

/8~/9~/9~/:~/9~/:}.9

/9~/9~/9|.7|/8

/9}/8|.8

.5}& |#)

/9}.7}2;

0:}.9}.8

17~.5}.6

3@{%1~,6

:Gq"1s%1x 8z-:w 8s*7q)6o'4o

hXXp://support.easydriverpro.com

Support:

hXXp://VVV.easydriverpro.com

Version: 8.2.0

Webcam drivers

Windows system drivers

Keyboard drivers

TIdHTTP

ProxyParams.BasicAuthentication

ProxyParams.ProxyPort

Request.ContentLength

Request.ContentRangeEnd

Request.ContentRangeStart

Request.ContentType

Request.Accept

Request.BasicAuthentication

Request.UserAgent

&Mozilla/3.0 (compatible; Indy Library)

OnKeyDown

)))222666===

"""***333000

$$$"""^^^

93-81-3-)$

gA{R4lH.oJ/wP2

fK:nJ.yQ3

.NN outdated drivers have been found on your PC

If you purchased Easy Driver Pro a license key will have been emailed to you. Please enter the license key below and click Activate Now.

;To purchase Easy Driver Pro and obtain a license key click

.7b%%%%%%%%	cFX

YCheck the email you received after you purchased the product for the correct license key.

&Your license key will look like this:

BWe NOT reccomend your use this driver for current Windows version.

Current Windows version:

Backuped driver Windows version:

"Report a problem with a new driver

IdSMTP1

<assemblyIdentity version="1.0.0.0"

name="EasyDriverPro.exe"

<requestedExecutionLevel

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

PIDLs to operate on are not siblings of the Namespace doing the operation.

Unable to find RegSvr32.exe executable.

RegSvr32.exe

Unspecified error (%d) from %s.

miranda32.exe

SSL status: "%s"

Host field is emptyNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Command not supported.

Address type not supported.$Error accepting connection with SSL.

Error creating SSL context. Could not load root certificate.

Could not load certificate.#Could not load key, check password.

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Socket Error # %d

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Connecting to %s.

Chunk StartedDThis authentication method is already registered with class name %s.

%s is not a valid service.

;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.

File "%s" not found1Only one TIdAntiFreeze can exist per application.

Object type not supported.

No data to read.$Can not bind in port range (%d - %d)

Invalid Port Range (%d - %d)

Invalid stream operation

Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size

Unknown GIF block type'Object type not supported for operation

Unsupported PixelFormat

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Unsupported GIF version7Invalid number of colors specified in Screen Descriptor6Invalid number of colors specified in Image Descriptor

Invalid extension introducerúiled to allocate memory for GIF DIB

RichEdit line insertion error=This control requires version 4.70 or greater of COMCTL32.DLL

Date exceeds maximum of %s

Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or timeúiled to set maximum selection range$Failed to set calendar min/max rangeúiled to set calendar selected range

No help keyword specified.

8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned"Unable to find a Table of Contents

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Invalid clipboard format Clipboard does not support Icons

Text exceeds memo capacity/Menu '%s' is already being used by another form

Value*A key with the name of "%s" already exists

Key "%s" not found%goColMoving is not a supported option%Key may not contain equals sign ("=")

Error setting %s.Count

Value must be between %d and %d

Invalid input value7Invalid input value. Use escape key to abandon changes

Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list Too many rows or columns deleted$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Cannot open file "%s". %s

Grid too large for operation

Unable to write to %s

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s1Fixed column count must be less than column count Fixed row count must be less than row count

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

8.2.0.0

easyspeedcheck.exe_1524:

.text

P`.data

.rdata

[email protected]

.idata

.rsrc

libgcc_s_dw2-1.dll

libgcj-13.dll

hXXp://VVV.easyspeedcheck.com

/applib/appmsg/appmsg.php

hXXp://download.easyspeedcheck.com/publishers/3/741/

EasySpeedCheckSetup.exe

cwebpage.dll

hXXp://VVV.easyspeedcheck.com/easyspeedcheck-1.php

msg=<?xml version="1.0" encoding="UTF-8"?>

curl_easy_perform() failed: %s

<msg>get_unique_id</msg>

<msg>get_popup_ad</msg>

window_url

<msg>get_system</msg>

<msg>get_tray_ad</msg>

SOFTWARE\Classes\http\shell\open\command

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

11CMsgDataInt

17CMsgUserIdDataImp

18CMsgTrayAdsDataImp

19CMsgPopupAdsDataImp

23CMsgCheckVersionDataImp

GCC: (GNU) 4.8.1

curl_easy_cleanup

curl_easy_getinfo

curl_easy_init

curl_easy_perform

curl_easy_setopt

curl_easy_strerror

curl_global_init

RegOpenKeyExA

ShellExecuteA

libcurl.dll

advapi32.dll

gdi32.dll

kernel32.dll

msvcrt.dll

shell32.dll

user32.dll

libstdc  -6.dll

GNU C 4.8.1 -mtune=generic -march=pentiumpro -g -O2

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/crt1.c

e:\p\giaw\src\pkg\mingwrt-4.0.3-1-mingw32-src\bld

cmdline

cmdbuf

cmdptr

*__mingw_CRTStartup

;mainCRTStartup

;WinMainCRTStartup

C_CRT_glob

C_CRT_fmode

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/tlssup.c

#_CRT_MT

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/CRTglob.c

_CRT_glob

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/CRTfmode.c

_CRT_fmode

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/txtmode.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/CRT_fp10.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/cpu_features.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/pseudo-reloc.c

__report_error

.abort

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/gccmain.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/main.c

szCmd

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/crtst.c

_CRT_MT

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/tlsthrd.c

__mingwthr_key_t

__mingwthr_key

__mingwthr_run_key_dtors

keyp

___w64_mingwthr_add_key_dtor

new_key

___w64_mingwthr_remove_key_dtor

prev_key

cur_key

!key_dtor_list

Êlloc

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt/pseudo-reloc-list.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/misc/glob.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/posix/libgen/dirname.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/tchar/dirent.c

%closedir

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/crt

e:/p/giaw/mingw/bin/../lib/gcc/mingw32/4.8.1/include

../mingwrt-4.0.3-1-mingw32-src/include

crt1.c

CRTglob.c

CRTfmode.c

CRT_fp10.c

crtst.c

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/misc

../mingwrt-4.0.3-1-mingw32-src/include/sys

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/posix/libgen

../mingwrt-4.0.3-1-mingw32-src/src/libcrt/tchar

,.jy}=

.jO7=

1.1.3.0

EasySpeedCheck.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   EasySpeedCheckSetup.exe:1492
   EasySpeedCheckSetup.exe:936
   7za.exe:1100
   7za.exe:1332
   %original file name%.exe:632
   easyspeedcheck.exe:1524

2. Delete the original Trojan-Banker file.
   
3. Delete or disinfect the following files created/modified by the Trojan-Banker:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F37BQHQW\EasySpeedCheckSetup[1].app (33816 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inetc.dll (20 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\EasySpeedCheckSetup.exe (33816 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\inetc.dll (20 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\log-install[1].htm (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\nsExec.dll (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\easyspeedcheck.data (67199 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\easyspeedcheck_1_1_3[1].data (67199 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\start_install.txt (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\ns8.tmp (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\System.dll (11 bytes)
   %Program Files%\Easy Speed Check\uninstall.exe (309 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\temp.txt (8 bytes)
   %Program Files%\Easy Speed Check\esc.ico (1217 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsh7.tmp\7za.exe (15192 bytes)
   %Program Files%\Easy Speed Check\ssleay32.dll (1127 bytes)
   %Program Files%\Easy Speed Check\libstdc -6.dll (4515 bytes)
   %Program Files%\Easy Speed Check\cwebpage.dll (496 bytes)
   %Program Files%\Easy Speed Check\easyspeedcheck.exe (687 bytes)
   %Program Files%\Easy Speed Check\libeay32.dll (9956 bytes)
   %Program Files%\Easy Speed Check\libgcc_s_dw2-1.dll (250 bytes)
   %Program Files%\Easy Speed Check\libidn-11.dll (1354 bytes)
   %Program Files%\Easy Speed Check\zlib1.dll (861 bytes)
   %Program Files%\Easy Speed Check\libcurl.dll (1903 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\sqlite3.dll (6081 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\EDPTray.exe (9241 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\EasyDriverPro.exe (137539 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\7z.dll (8737 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Exclusions.txt (2 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Vendors.txt (4 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.db (5243788 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Devices.ini (25 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.7z (7386 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Scan.ini (726 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\PCInfo.ini (151 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_0HwS6eufbKOuIzm (2213974 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\Base\Drivers.db-journal (1178 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\English.ini (12 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\md5dll.dll (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\temp.txt (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K3AC3W37\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\easydriverpro.data (78362 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K3AC3W37\log-install[1].htm (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\7za.exe (15192 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ns3.tmp (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F37BQHQW\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\start_install.txt (16 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\EasyDriverPro.chm (17 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\scan.gif (2553 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Easy Driver Pro.lnk (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\EasySpeedCheckSetup.exe (5952 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\uninstall.exe (1382 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsExec.dll (6 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\edp.ico (1128 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\file_id.diz (549 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SRAHW34L\EasySpeedCheckSetup[1].exe (5952 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Help.lnk (922 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\19R6ZDF2\easydriverpro820[1].data (78362 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Uninstall.lnk (902 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Easy Driver Pro on the Web.lnk (897 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
   %Program Files%\Probit Software\Easy Driver Pro\HomePage.url (53 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "EasySpeedCheck" = "%Program Files%\Easy Speed Check\easyspeedcheck.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Easy Driver Pro" = "%Program Files%\Probit Software\Easy Driver Pro\EDPTray.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.