MD5: 89e0913adeecdd75df30124d88706ccb
SHA1: 572e09f091ae7efa88bb97b336ec5c8a5da0901f
SHA256: c211a115953e9f04de6b412bcd852a1af0399699d3c62682b9f44782f58f7545
SSDeep: 768:H24gVhXXOHDYCoaBXcrhTnmI0tSda/qA/Nx/MgyxCc PnW/HC2dNze0JjJ2uUSsh:HcgjYCnXsALqoP/k0PnW/HC22YJGTjYU
Size: 61499 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Popeler
Created at: 2014-07-27 00:58:31
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

PCSpeedUp.exe:1792
taskkill.exe:1044
taskkill.exe:1772
taskkill.exe:1628
taskkill.exe:456
taskkill.exe:228
taskkill.exe:1888
taskkill.exe:1032
taskkill.exe:1656
taskkill.exe:424
MSI87.tmp:444
install.exe:664
PCSUService.exe:340
PCSUService.exe:532
PCSpeedUp.tmp:1508
Silverlight.exe:1476
coregen.exe:832
coregen.exe:204
coregen.exe:1060
coregen.exe:1156
coregen.exe:1064
coregen.exe:1276
coregen.exe:588
coregen.exe:1352
coregen.exe:1464
coregen.exe:240
PCSULauncher.exe:1664
MsiExec.exe:1788
sllauncher.exe:336
regsvr32.exe:1744
regsvr32.exe:536
PCSUSD.exe:752
PCSUSD.exe:640
%original file name%.exe:468
mscorsvw.exe:1912
PCSUNotifier.exe:1164
PCSUNotifier.exe:1772
PCSUNotifier.exe:1060
PCSUNotifier.exe:864
PCSUNotifier.exe:736
PCSUNotifier.exe:1756

The Trojan injects its code into the following process(es):

sllauncher.exe:632
PCSUQuickScan.exe:2668

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process PCSpeedUp.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (0 bytes)

The process install.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)

The Trojan deletes the following file(s):

C:\c575b8170f28869a833ee80321b1\Silverlight.msp (0 bytes)

The process PCSUService.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
%Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process PCSUService.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db (13272 bytes)
%Program Files%\PC Speed Up\PCSUService.log (523 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (27928 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process PCSpeedUp.tmp:1508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
%Program Files%\PC Speed Up\unins000.msg (864 bytes)
%Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
%Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
%Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
%Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (4 bytes)
%Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
%Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
%Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
%Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
%Program Files%\PC Speed Up\unins000.dat (50325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
%Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
%Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
%Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
%Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
%Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
%Program Files%\PC Speed Up\App.config (4199 bytes)
%Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
%Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
%Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
%Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
%Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
%Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_installOffer.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (0 bytes)

The process Silverlight.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\c575b8170f28869a833ee80321b1 (4 bytes)
C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)

The Trojan deletes the following file(s):

C:\c575b8170f28869a833ee80321b1\install.exe (0 bytes)
C:\_665281_ (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.msi (0 bytes)
C:\c575b8170f28869a833ee80321b1 (0 bytes)
C:\c575b8170f28869a833ee80321b1\silverlight.7z (0 bytes)
C:\c575b8170f28869a833ee80321b1\install.res.dll (0 bytes)

The process coregen.exe:832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)

The process coregen.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)

The process coregen.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)

The process coregen.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)

The process coregen.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)

The process coregen.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)

The process coregen.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)

The process coregen.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)

The process coregen.exe:1464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)

The process coregen.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)

The process sllauncher.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)

The process PCSUSD.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db (14350 bytes)
%WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (6982 bytes)

The Trojan deletes the following file(s):

%Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (0 bytes)

The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (0 bytes)

Registry activity

The process PCSpeedUp.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A4 1D 05 82 E3 23 BE 9C EB 4A 90 A5 97 E5 5B"

The process taskkill.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 36 29 23 17 1A 20 06 60 D7 1A 06 25 AA 1A DA"

The process taskkill.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AB 7B 47 1C AC 8B 7B E9 81 E1 25 11 6A 25 E7"

The process taskkill.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 DF 46 80 B3 E3 EB 61 FC 7B D7 89 19 DE C1 F5"

The process taskkill.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 C0 1D 65 0C BB 7B 58 6E CA 62 A2 D6 F2 03 A8"

The process taskkill.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 B1 0A A7 A7 1E 57 9D 67 16 55 0E 06 76 71 3D"

The process taskkill.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 BB C4 FB 98 FA FD 24 D9 D3 3A 28 70 09 49 AE"

The process taskkill.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4C FC BF 0E C0 F7 74 33 90 8B D2 FB 6D AD C1"

The process taskkill.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 41 6D E8 85 54 8D 6E 63 61 42 D5 72 47 48 7B"

The process taskkill.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B CA D9 76 1B 50 99 AE D2 FB 55 90 FF 2E 87 74"

The process MSI87.tmp:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 0F 51 0E 8C 32 78 39 F2 C0 62 B5 6F 0D 70 E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Microsoft Silverlight\4.0.60310.0]
"coregen.exe" = "Microsoft Common Language Runtime native compiler"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process install.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F4 3E 43 B9 FA A2 16 2E 2A 20 AA 94 38 72 07"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files%\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process PCSUService.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4E 07 8B 36 18 83 45 5D 6A 03 0E 83 AB BD E0"

The process PCSUService.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 BE B7 05 67 99 21 02 56 6A 92 31 6F 13 DF 61"

The process PCSpeedUp.tmp:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Icon Group" = "PC Speed Up"
"MajorVersion" = "3"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"RequestID" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"QuietUninstallString" = "%Program Files%\PC Speed Up\unins000.exe /SILENT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"ApplicationPath" = "%Program Files%\PC Speed Up"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayName" = "PC Speed Up"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayIcon" = "%Program Files%\PC Speed Up\Icon.ico"
"Inno Setup: App Path" = "%Program Files%\PC Speed Up"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: User" = "%CurrentUserName%"
"InstallLocation" = "%Program Files%\PC Speed Up\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Language" = "uk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Speedchecker Limited\PC Speed Up]
"UniqueID" = "08C4552D-D8DB-4386-8CE7-723FB995F06A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"InstallDate" = "20141030"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"InstallDate" = "20141030"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"UninstallString" = "%Program Files%\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CountryCode" = "uk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Uninstaller" = "%Program Files%\PC Speed Up\unins000.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"MinorVersion" = "7"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"AVList" = "&av=300"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"keyword" = ""
"CampaignID" = "ppi_2712_installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Publisher" = "Speedchecker Limited"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 B8 10 07 48 BB 4A 78 75 F9 4B 0B CF C5 FC F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayVersion" = "3.7.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CrashDumpEnabled" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"Installer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\PCSpeedUp\pcsu_ppi_2712_installer_.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"URLInfoAbout" = "http://www.pcspeedup.com"
"Inno Setup: Setup Version" = "5.4.3 (u)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\System\CurrentControlSet\Services\PCSUService]
"Group" = "UIGroup"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"affid" = "2712"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Silverlight.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 AC D0 88 CC 4D D8 80 03 3A 71 B8 D6 D5 DF B8"

The process coregen.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 EC 19 65 81 2B 01 19 D0 95 85 B3 41 50 8E F4"

The process coregen.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 10 47 D6 83 78 A1 DE 2B BE 55 E2 8A 80 28 B2"

The process coregen.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 9E 0B 38 CB 2B 92 A0 DE CA E2 EA 84 CB ED EE"

The process coregen.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 BC 44 03 3E 66 B4 30 0C 03 8A EB 72 3B 85 1D"

The process coregen.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 F0 A4 D1 6C 6E 13 EE 4D 46 76 C9 DF 46 56 86"

The process coregen.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 63 46 8E F3 36 58 04 BE 9F 25 71 9C 94 29 54"

The process coregen.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 DF F7 13 6E 9D 98 44 66 4C 99 AA 7A 6B D3 19"

The process coregen.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF BD F9 9B 99 CC E0 FF 3C 15 15 E2 7D FB 63 E0"

The process coregen.exe:1464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D7 15 86 FA F4 FE 97 FC F7 9C D8 33 90 32 AA"

The process coregen.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 F3 7C 62 3D 0E CA B4 78 2C EF 2C BD D4 00 6D"

The process PCSULauncher.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 E9 73 37 F3 D4 1C 14 9C 0A 4B AF 83 8B BB 70"

The process MsiExec.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B B9 13 54 82 AC F6 25 E2 3E 95 48 31 68 36 FB"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\PlayReady]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Microsoft\PlayReady"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

The process sllauncher.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Type" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Count" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Type" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 E7 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 21 00 2B 00 B8 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Count" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CachePrefix" = ":2014103020141031:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Type" = "1"
"Time" = "DE 07 0A 00 04 00 1E 00 0B 00 22 00 22 00 58 03"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A3 9C 31 6E 0E F8 4B 9F EA AB 8F 19 C2 89 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014103020141031]
"CacheLimit" = "8192"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014103020141031\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}\iexplore]
"Count" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sllauncher.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 0B AE 10 B9 2B 5D 02 93 A4 3E 35 D3 CD 31 D3"

The process regsvr32.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B D8 E4 36 CE BD 65 39 6F 8A 09 95 F9 A7 BA 14"

The process regsvr32.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0]
"(Default)" = "PCSUHelperLib"

[HKCR\PCSU.Registry]
"(Default)" = "RegistryHelper Class"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\ProgID]
"(Default)" = "PCSU.Registry.1"

[HKCR\PCSU.SysUtils.1\CLSID]
"(Default)" = "{B89F5C49-51DB-4974-AB5A-E25901AA339C}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PC Speed Up"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\0\win32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\PCSU.SysUtils\CurVer]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}]
"(Default)" = "SysUtils Class"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.SysUtils.1]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils]
"(Default)" = "SysUtils Class"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}]
"(Default)" = "RegistryHelper Class"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry\CurVer]
"(Default)" = "PCSU.Registry.1"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\ProgID]
"(Default)" = "PCSU.SysUtils.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 CD 47 0E A1 81 D3 BA 7E D7 5B 07 BB 7B 90 CD"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"(Default)" = "%Program Files%\PC Speed Up\PCSUHelper.dll"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\VersionIndependentProgID]
"(Default)" = "PCSU.Registry"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PCSU.Registry.1\CLSID]
"(Default)" = "{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}"

[HKCR\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\VersionIndependentProgID]
"(Default)" = "PCSU.SysUtils"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry.1]
"(Default)" = "RegistryHelper Class"

The process PCSUSD.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB F1 AA 53 39 6E C3 22 82 17 5B 47 C1 7B 34 95"

The process PCSUSD.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5F 22 43 29 C8 2E DA 38 80 DB 70 A5 80 AF D3"

The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 01 40 FE BE EF B1 6E 2F 6F 30 67 72 F6 7F 76"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process PCSUNotifier.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 FE 33 A8 C4 5B 0F 90 D2 94 3B E3 0F 6B 03 2D"

The process PCSUNotifier.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AD F0 5B 9C CD 3A 49 6A 48 62 8A 91 CC 3E 54"

The process PCSUNotifier.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB C7 90 76 AE 64 3D 09 3E 60 58 32 9E 5C FC 51"

The process PCSUNotifier.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BD 30 F5 F3 2D C4 D1 73 33 EA 04 24 14 1F 77"

The process PCSUNotifier.exe:736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 8F FD 74 05 C9 4B 59 20 DD 54 42 F5 43 D8 E4"

The process PCSUNotifier.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9D AE DE C0 E4 70 59 75 BE 6F 04 E3 BF 45 48"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://safedownloadapi.cloudapp.net/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300
hxxp://a767.dscms.akamai.net/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe
hxxp://212.71.248.160/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://li621-160.members.linode.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://safedownloadapi.cloudapp.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID=
hxxp://pcspeedup.go2cloud.org/SP4C?aff_id=2712&source=installer
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://www.pcsuapi.net/reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID=	168.63.102.240
hxxp://www.pcsuservice.com/getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300	168.63.102.240
hxxp://download.microsoft.com/download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe	184.84.243.41
hxxp://link.pcspeedup.com/SP4C?aff_id=2712&source=installer	107.23.165.131
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM SHUTDOWN RST invalid ack

Traffic

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 104

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceConnected":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

GET /reportInstall.aspx?productID=1&version=3.7.0.0&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&keyword=installer&campaignID=ppi_2712_installer&requestID= HTTP/1.1

User-Agent: PCSUInstaller

Accept: */*

Host: VVV.pcsuapi.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=gbph5e1vkpefgmdzcctunse0; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 30 Oct 2014 16:38:52 GMT

Content-Length: 8
ca..SP4C..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 216

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Install","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:35 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 100

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceStart":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 204

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerStart":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:37:46 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 255

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","installerEnd":"WV-5.1.2600-SP3-DNF-4.0.30319-RID--TC0-ca-Silent-AX0","silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:57 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 102

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceRunning":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:53 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

GET /getinstalleroption.aspx?productID=1&silent=1&version=3.7.0.0&language=uk&uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A&affID=2712&requestID=&av=300 HTTP/1.0

Host: VVV.pcsuservice.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=ya1w5xo4fujobf443cti3g4k; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 30 Oct 2014 16:37:46 GMT

Connection: close

Content-Length: 0

GET /SP4C?aff_id=2712&source=installer HTTP/1.0

Host: link.pcspeedup.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html

Date: Thu, 30 Oct 2014 16:38:54 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

Server: nginx/1.4.4

tracking_id: 102c8f15e4ba45b7a8266467b35b34

Content-Length: 13

Connection: Close
success=true;..

GET /download/8/C/7/8C74F157-189C-47FD-8A75-AEF21E5D5F06/runtime/Silverlight.exe HTTP/1.1

User-Agent: PCSUInstaller

Accept: */*

Host: download.microsoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Thu, 10 Mar 2011 08:49:12 GMT

Accept-Ranges: bytes

ETag: "3075d70dfcb1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6280056

Date: Thu, 30 Oct 2014 16:37:46 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........K...K...
K.......D...K...!......._.......J.......J...RichK...................PE
[email protected]... ........... ..............
................k.`.......... .......................... .............
............_.x............!..........................................
..... ...............................text...`w... ...x................
.. ..`.data................|[email protected]............>_..
~..............@..@...................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................n...D...4..............
.....................Z...............|................................
...&...2...:...T...n...........................................&...:..
.P...n...x...........................................>...L...f...~.
.............................."...<...R...h.......N...\...8...(....
...................................b...........>...&...............
....n...:...H...T...`.................................................
..................................Hn.@.............&..............
<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: WinHttpClient

Host: VVV.pcspeeduplog.com

Content-Length: 111

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","serviceAction":"--install"
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:52 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 206

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Link":"SP4C","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:55 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 326

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","ReportInstall":"affID=2712|keyword=installer|campaignID=ppi_2712_installer|uniqueID=08C4552D-D8DB-4386-8CE7-723FB995F06A|requestID=","OK":1,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:38:54 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Content-Type: text/plain

Connection: close

User-Agent: PCSUNotifier

Host: VVV.pcspeeduplog.com

Content-Length: 219

"uniqueID":"08C4552D-D8DB-4386-8CE7-723FB995F06A","productID":1,"version":"3.7.0.0","Silverlight":"Download","OK":200,"silent":1,"affID":"2712","srcExe":"PCSpeedUp.exe","OS":"5.1.2600-SP3","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Thu, 30 Oct 2014 16:37:50 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes
log completed: OK..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

127.0.0.1

C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUService.pdb

WS2_32.dll

IPHLPAPI.DLL

sqlite3_exec

sqlite3_free

sqlite3_open16

sqlite3_close

sqlite3_extended_result_codes

sqlite3.dll

CreatePipe

GetProcessHeap

KERNEL32.dll

RegEnumKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

pdh.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WINHTTP.dll

Secur32.dll

GetCPInfo

PeekNamedPipe

zcÁ

.PA_W

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

1&282R2<3a3

58W8

55f5

4!4&4,454;4

8"8&8*8.82868

8 8$8(8,808

9 9@9\9`9

>,>4>@>`>

2 2$2(2,20242

srclient.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

PCSUService-Timer.log

Wevtapi.dll

ERROR: GetWindowsBoottimes(): could not load Wevtapi.dll

Subscribing for Microsoft-Windows-Diagnostics-Performance/Operational - Event/System[EventID=100]

Microsoft-Windows-Diagnostics-Performance/Operational

ntdll.dll

ERROR: WaitUntilSystemIdle(): could not load Wevtapi.dll

ERROR: InitializePerformanceCounters(): check the registry keys in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

iexplore.exe

firefox.exe

chrome.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

RemoveExeImageHook(%s)...

DeleteValue failed: %d

DeleteKey failed: %d

registry key is not empty!

HKEY_LOCAL_MACHINE

ERROR: ProcessHelper.Start: hChildProcess != NULL

CreateOutputPipe

CreateInputPipe

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

RegistryHelper::GetValue():RegOpenKeyEx()

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

WinHttpClient

3.7.0.0

dddddd.d000

WindowsBoottimes

|userlogin|

PCSUBootTimes.log

,"LoginToIdle":

INSERT OR REPLACE INTO Boots(Idle, LoginToIdle, WinlogonToIdle, UptimeAtIdle, USBCacheActive) VALUES('

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

/update.aspx?uniqueID=

\PCSpeedUp-Silent-Update.exe

/SP- /VERYSILENT /updateMode=true /LOG=update.log /countryCode=

HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up

ERROR:RegistryHelper::CreateValue(HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up, UpdateChecked):

FileUploader.exe

Checking HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up key for USBCacheFill value...

DELETE FROM UC_STAT WHERE file LIKE '%.sys';

DELETE FROM UC_STAT WHERE file LIKE '%.tmp' AND read_counter<1000;

DELETE FROM UC_STAT WHERE file NOT LIKE '%.exe%' AND file NOT LIKE '%.dll%' AND read_counter=1;

hXXp://VVV.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service

PCSUService: WinHttpClient.SendHttpRequest():

PCSUService: SendHTTPRequestAsync:

PCSUSD.exe

PCSUUCC.exe

PCSUQuickScan.exe

hXXp://qslimit.pcspeedup.co/qs_limit.aspx?productID=1&uniqueID=

SendHttpRequest

RegistryHelper.SetValue

RegistryHelper.DeleteValue

RegistryHelper.CreateKey

RegistryHelper.DeleteKey

SysUtils.SetRestorePoint

IOHelper.FileCopy

IOHelper.Delete

Process.Start

The Process.Start didn't receive 7 arguments.

Process.HasExited

The Process.HasExited didn't receive 2 arguments.

Process.Stop

The Process.Stop didn't receive 2 arguments.

Process.Terminate

DB.ExecuteNonQuery

The DB.ExecuteNonQueryEx didn't receive the query/sql to execute.

DB.ExecuteScalar

The DB.ExecuteScalarEx didn't receive the query/sql to execute.

DB.ExecuteReader

The DB.ExecuteReader didn't receive the query/sql to execute.

NetworkHelper.GetAllMACAddresses

Service.Start

Service.Stop

Remove.IFEO

PCSUSD.Scan

PCSUSD.Enable

PCSUSD.Disable

Process.CheckBrowsers

PCSUUCC.Scan

PCSUUCC.Refresh

PCSUUCC.Update

PCSUUCC.Clean

PCSUUCC.Fill

PCSUUCC.Install

PCSpeedUp.sys"

PCSUService.exe

PCSUUCC.Uninstall

PCSUUCC.On

PCSUUCC.Off

PCSUUCC.Status

PCSUUCC.Usage

cmd /c PCSUUCC.exe /usage > CacheUsage.txt

HTTP.Send

server_port

PCSUService.conf

service status: PID = %d, state = %s, CheckPoint = %d, WaitHint = %d

EnumDependentServices failed (err=%d)

Stop dependent service "%s"...

OpenService failed (err=%d)

ControlService failed (err=%d)

QueryServiceStatusEx failed (err=%d)

Timeout! (%d sec)

StartService(%s)...

ERROR! OpenSCManager failed! (err=%d)

ERROR! OpenService(%s) failed! (err=%d)

ERROR! StartService failed! (err=%d)

ERROR! QueryServiceStatusEx failed (err=%d)

Current State: %d

Exit Code: %d

Check Point: %d

Wait Hint: %d

StopService(%s)...

Service stop timed out. (%d sec)

ERROR! StopDependentServices failed! (err = %d)

ERROR! ControlService failed (err=%d)

Wait timed out (%d sec)

ExecuteNonQuery: sqlite3_exec:

ExecuteScalar: sqlite3_exec:

ExecuteReader: sqlite3_exec:

LocalExecuteNonQuery: sqlite3_exec:

LocalExecuteScalar: sqlite3_exec:

LocalExecuteReader: sqlite3_exec:

sqlite3_open16:

sqlite3_close:

PRAGMA foreign_keys = ON;

SELECT DISTINCT s.ID, s.ValueName, s.ValueData, l.Path, s.ValueType FROM Startups s, ScanStartupApplications ssa, Locations l WHERE (s.Action = 2) AND (s.ID = ssa.IDStartup) AND (ssa.IDLocation = l.ID) ORDER BY s.ValueType DESC;

hXXp://VVV.pcsuapi.com

hXXp://VVV.pcsuapi.net

hXXp://VVV.pcsuservice.com

hXXp://VVV.pcsuapi.info

hXXp://VVV.pcsuapi.org

hXXp://VVV.sdapi.co

hXXp://VVV.sdltdapi.com

hXXp://VVV.sdservice.co

hXXp://VVV.sdltdapi.net

hXXp://VVV.safedownloadapi.com

ERROR:CheckUpdateURL():ResponseContent:

%Program Files%\PC Speed Up\PCSUService.exe

sllauncher.exe_632:

.text

`.data

.rsrc

@.reloc

CWebBrowser2

hhctrl.ocx

CCmdTarget

CNotSupportedException

Client hook allocation failure at file %hs line %d.

Memory allocated at %hs(%d).

Client hook re-allocation failure at file %hs line %d.

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory after end of heap buffer.

HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.

CRT detected that the application wrote to memory before start of heap buffer.

CRT detected that the application wrote to a heap buffer that was freed.

crt block at 0x%p, subtype %x, %Iu bytes long.

client block at 0x%p, subtype %x, %Iu bytes long.

%hs(%d) :

#File Error#(%d) :

Data: <%s> %s

mscoree.dll

kernel32.dll

f:\sp\vctools\crt_bld\self_x86\crt\src\stdenvp.c

f:\sp\vctools\crt_bld\self_x86\crt\src\stdargv.c

KERNEL32.DLL

.mixcrt

This is an unsupported way to load Visual C   DLLs. You need to modify your application to build with a manifest.

- Attempt to initialize the CRT more than once.

- CRT not initialized

Please contact the application's support team for more information.

- floating point support not loaded

_CrtDbgReport: String too long or Invalid characters in String

_CrtDbgReport: String too long or IO Error

Debug %s!

Program: %s%s%s%s%s%s%s%s%s%s%s%s

f:\sp\vctools\crt_bld\self_x86\crt\src\output.c

GetProcessWindowStation

USER32.DLL

%s(%d) : %s

convrtcp.c

operator

MSPDB80.DLL

OLEACC.dll

sllauncher.pdb

SSSSh

RegCloseKey

RegOpenKeyExW

RegDeleteKeyW

RegEnumKeyW

RegOpenKeyW

RegCreateKeyExW

ADVAPI32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExW

CreateDialogIndirectParamW

USER32.dll

WINSPOOL.DRV

SHLWAPI.dll

SHFileOperationW

SHELL32.dll

ole32.dll

COMDLG32.dll

OLEAUT32.dll

oledlg.dll

VERSION.dll

sllauncher.exe

.?AVCCmdTarget@@

.PAVCException@@

.PAVCMemoryException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.PAVCUserException@@

.PAVCOleException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCSimpleException@@

.PAVCObject@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

.PAVCFileException@@

zcÁ

1411989{989

9<999<99989{989

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="sllauncher" type="win32"></assemblyIdentity><description>SLLauncher</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

7 7$7(7,7074787

5'535_5{5

;.<4<8<<<@<

6&6 6=6}6

6&7 7=7|7

4 4<4@4`4

WindowStartupLocation

<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE7'/>

<!-- saved from url=(0014)about:internet -->

WindowStyle

npctrl.dll

agcore.dll

CLSID\{DFEAF541-F3E1-4c24-ACAC-99C30715084A}\InprocServer32

Usage: SLLauncher.exe [app_id] [debug] [/install:<file path to XAP>] [/emulate:<file path to XAP>] [/overwrite] /origin:<original app uri> /uninstall /shortcut:<desktop|startmenu|desktop startmenu|none> [/pid]

durlmon.dll

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

mfcm90u.dll

comctl32.dll

comdlg32.dll

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

user32.dll

F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcscat_s.inl

F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcscpy_s.inl

_CrtCheckMemory()

_CrtIsValidHeapPointer(pUserData)

_CrtSetDbgFlag

(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)

_CrtIsValidHeapPointer

_CrtMemCheckpoint

F:\SP\vctools\crt_bld\SELF_X86\crt\src\tcsncpy_s.inl

f:\sp\vctools\crt_bld\self_x86\crt\src\vswprint.c

crt0dat.c

f:\sp\vctools\crt_bld\self_x86\crt\src\xtoa.c

strcat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), rterrs[tblindx].rterrtxt)

strcat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), "\n\n")

strcpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), "Runtime Error!\n\nProgram: ")

_NMSG_WRITE

crt0msg.c

f:\sp\vctools\crt_bld\self_x86\crt\src\dbgrpt.c

strcpy_s(szaFormat, 4096, "_CrtDbgReport: String too long or Invalid characters in String")

_CrtDbgReportWV

wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

wcsncpy_s(szShortProgName, 260 - (szShortProgName - szExeName), dotdotdot, 3)

wcscpy_s(szExeName, 260, L"<program name unknown>")

__crtMessageWindowW

((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))

__crtLCMapStringW_stat

strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")

_mbsnbcpy_s(szShortProgName, 260 - (szShortProgName - szExeName), dotdotdot, 3)

strcpy_s(szExeName, 260, "<program name unknown>")

__crtMessageWindowA

typname.cpp

__crtInitCritSecAndSpinCount

__crtMessageBoxA

crtmbox.c

wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")

strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportA

strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")

wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")

_VCrtDbgReportW

__crtMessageBoxW

f:\sp\vctools\crt_bld\self_x86\crt\src\crtmbox.c

WUSER32.DLL

f:\sp\vctools\crt_bld\self_x86\crt\src\vsprintf.c

_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2

strcpy_s(resultstr, resultsize, autofos.man)

F:\SP\vctools\crt_bld\SELF_X86\crt\src\mbsncpy_s.inl

f:\sp\vctools\crt_bld\self_x86\crt\src\_flsbuf.c

../include\strgtold12.inl

("CRT Logic error during setenv",0)

__crtsetenv

index.html

update.html

update.meta

Microsoft.Silverlight.Offline.

%Program Files%\Microsoft Silverlight\sllauncher.exe

4.0.60310.0

sllauncher.exe_632_rwx_02490000_0000E000:

hY0.yd

sllauncher.exe_632_rwx_047B2000_00009000:

System.Windows.Browser

sllauncher.exe_632_rwx_047D6000_00001000:

Ph.bO

sllauncher.exe_632_rwx_047DC000_00004000:

Zh.bO

sllauncher.exe_632_rwx_05130000_00010000:

PCSpeedUp.resources

sllauncher.exe_632_rwx_05D30000_00010000:

%UBsPj

sllauncher.exe_632_rwx_05DE0000_00010000:

%7s;w

sllauncher.exe_632_rwx_05DF0000_00010000:

,.TsP

sllauncher.exe_632_rwx_06A30000_00010000:

.rrPj

PCSUQuickScan.exe_2668:

.text

`.rdata

@.data

.rsrc

@.reloc

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUQuickScan.pdb

KERNEL32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

GetCPInfo

zcÁ

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

1 131>1|1

?!?'? ?1?5?

:$:,:4:<:

0 0$0(0,00040`0

nKERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

=%% %-60s

pcsuservice.exe

explorer.exe

Adding folder to scan: %s

Adding file to scan: %s

ERROR: ScannerAddFile(): %d

ERROR: FindNextFileW(): %d

ERROR: FindFirstFileW(): %d

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Opening key: %s

qs.dll

Failed to load: %s

PCSUQuickScan.log

PCSUQuickScan.xml

Scanned %d files and %d modules in %d seconds.

Uploaded files: %d

Scan result: %s

Installed AVs: %s

Warnings: %s

Infections: %d

%s: %s

Failed to unload: %s

%Program Files%\PC Speed Up\PCSUQuickScan.exe

PCSUQuickScan.exe_2668_rwx_10001000_00260000:

RSSSSSSh

u.VWj

xSSSh

FTPjKS

FtPj;S

C.PjRV

[%s %s %s]

Send failure: %s

Failed writing body (%d != %d)

Internal error removing splay node = %d

Internal error clearing splay node = %d

Pipe broke: handle 0x%x, url = %s

Error in the SSH layer

Caller must register CURLOPT_CONV_ callback options

TFTP: No such user

TFTP: Unknown transfer ID

TFTP: Illegal operation

TFTP: Access Violation

TFTP: File Not Found

Login denied

Invalid LDAP URL

Unrecognized HTTP Content-Encoding

Problem with the SSL CA cert (path? access rights?)

Peer certificate cannot be authenticated with known CA certificates

Problem with the local SSL certificate

SSL peer certificate or SSH md5 fingerprint was not OK

A libcurl function was given a bad argument

Operation was aborted by an application callback

FTP: command REST failed

FTP: command PORT failed

HTTP response code said error

FTP: couldn't retrieve (RETR failed) the specified file

FTP: couldn't set file type

FTP: can't figure out the host in the PASV response

FTP: unknown 227 response format

FTP: unknown PASV reply

FTP: unknown PASS reply

FTP: weird server reply

URL using bad/illegal format or missing URL

Unsupported protocol

Please call curl_multi_perform() soon

CURLSHcode unknown

Winsock version not supported

Protocol family not supported

Address family not supported

Operation not supported

Socket is unsupported

Protocol is unsupported

Protocol option is unsupported

Unknown error %d (%#x)

%s:%d

WARNING: failed to save cookies in %s

About to connect() to %s%s port %d (#%d)

Connected to %s (%s) port %d (#%d)

<url> malformed

:]://%[^

[^:]:%[^

Protocol %s not supported or disabled in libcurl

http_proxy

%5[^:]:%5[^@]

%5[^:]:%5[^

User-Agent: %s

Connection #%d seems to be dead!

Connection (#%d) was killed to make room (holds %d)

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Re-using existing connection! (#%ld) with host %s

[email protected]

Couldn't find host %s in the _netrc file, using defaults

Port number too large: %lu

%s://%s:%d%s

[%*39[0-9a-fA-F:.]%c

:%5[^@]

%5[^:@]:%5[^@]

%s://%s

Connection #%ld to host %s left intact

operation aborted by callback

HTTP/

ioctl callback returned error %d

the ioctl callback returned %d

seek callback returned error %d

Operation timed out after %ld milliseconds with %lld bytes received

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

Received problem %d in the chunky parser

HTTP server doesn't seem to support byte ranges. Cannot resume.

Rewinding stream by : %d bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %d)

Leftovers after chunking. Rewinding %d bytes

HTTP/1.0 connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 proxy connection set to keep alive!

HTTP 1.0, assume close after body

The requested URL returned error: %d

HTTP =

HTTP/%d.%d =

No URL set!

Violate RFC 2616/10.3.2 and switch from POST to GET

Disables POST, goes with %s

Issue another request to this URL: '%s'

[^?&/:]://%c

Maximum (%d) redirects followed

unspecified error %d

%s cookie %s="%s" for domain %s, path %s, expire %d

I99[^;

skipped cookie with bad tailmatch domain: %s

skipped cookie with illegal dotcount domain: %s

23[^;=]=I99[^;

# Fatal libcurl error

# Netscape HTTP Cookie File

# hXXp://curlm.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

Resolving host timed out: %s

Could not resolve host: %s; %s

Could not resolve proxy: %s; %s

Could not resolve host: %s

gethostbyname(2) failed for %s:%d; %s

init_resolve_thread() failed for %s; %s

--:--:--

-.
G

-.
M

= %s = %s = %s %s %s %s %s %s %s

?bind failure: %s

Local port: %d

Bind to local port %d failed, trying next

couldn't find my own IP address (%s)

Bind local address to %s

Couldn't bind to '%s'

TCP_NODELAY set

Could not set TCP_NODELAY: %s

Failed to connect to %s: %s

Trying %s...

Failed connect to %s:%d; %s

%sAuthorization: Basic %s

%s:%s

Server auth using %s with user '%s'

Proxy auth using %s with user '%s'

Failed sending HTTP POST request

Content-Type: application/x-www-form-urlencoded

Internal HTTP POST error!

Failed sending HTTP request

If-Unmodified-Since: %s

Last-Modified: %s

If-Modified-Since: %s

%s, d %s M d:d:d GMT

%s%s=%s

%s %s%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

Content-Range: bytes %s/%lld

Content-Range: bytes %s%lld/%lld

Range: bytes=%s

;type=%c

ftps://

PTF://

Host: %s%s%s:%d

Host: %s%s%s

Accept-Encoding: %s

Referer: %s

Received HTTP code %d from proxy after CONNECT

%d bytes of chunk left

HTTP/1.%d %d

Read %d bytes of chunk, continue

CONNECT %s:%d HTTP/1.0

%s%s%s%s

Host: %s

Establish HTTP proxy tunnel to %s:%d

TFTP

set timeouts for state %d; Total %d, retry %d maxtry %d

tftp_rx: giving up waiting for block %d

Received unexpected DATA packet block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

tftp_tx: giving up waiting for block %d ack

Received ACK for block %d, expecting %d

tftp_tx: internal error

bind() failed; %s

%s%c%s%c

tftp_send_first: internal error

TFTP finished

Can't get the size of %s

Can't open %s for writing

Last-Modified: %s, d %s M d:d:d GMT

Couldn't open file %s

There are more than %d entries

LDAP remote: %s

LDAP local: ldap_simple_bind_s %s

LDAP local: Cannot connect to %s:%d

LDAP local: trying to establish %s connection

LDAP local: %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

CLIENT libcurl 7.18.0

MATCH %s %s %s

DEFINE %s %s

insufficient winsock version to support telnet

WSAStartup failed (%d)

%s %d %d

%s %s %d

%s %s %s

%s IAC %d

%s IAC %s

Sending data failed (%d)

%d (unknown)

%s (unsupported)

%s IAC SB

Syntax error in telnet option: %s

Unknown telnet option %s

7[^= ]%*[ =]%5s

USER,%s

%c%c%c%c%s%c%c

%c%s%c%s

7[^,],7s

%c%c%c%c

FreeLibrary(wsock2) failed (%d)

WSACloseEvent failed (%d)

WSACreateEvent failed (%d)

failed to find WSAEnumNetworkEvents function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSACreateEvent function (%d)

failed to load WS2_32.DLL (%d)

WS2_32.DLL

Excessive FTP response line length received, %zd bytes. Stripping

FTP response reading failed

FTP response aborted due to select/poll error: %d

FTP response timeout

Failed FTP upload: 

RETR response: d

Connecting to %s (%s) port %d

Uploading to a URL without a file name!

FTPS not supported!

USER %s

socket(2) failed (%s)

PORT %d,%d,%d,%d,%d,%d

Telling server to connect to %d.%d.%d.%d:%d

getsockname() failed: %s

Failed to resolve host name %s

Connect data stream passively

REST %d

SIZE %s

%s%s%s

STOR %s

APPE %s

Bad PASV/EPSV response: d

Can't resolve new host %s:%d

Skips %d.%d.%d.%d for data connection, uses %s instead

%d,%d,%d,%d,%d,%d

%c%c%c%u%c

Failed to do PORT

Got a d response code instead of the assumed 200

RETR %s

ftp server doesn't support SIZE

PBSZ %d

Access denied: d

ACCT %s

PASS %s

ACCT rejected by server: d

QUOT string not accepted: %s

TYPE %c

MDTM %s

ddd d:d:d GMT

dddddd

unsupported MDTM reply format

server did not report OK, got %d

Remembering we are in dir "%s"

CWD %s

Failed to MKD dir: d

MKD %s

QUOT command failed with d

Entry path is '%s'

PROT %c

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

This doesn't seem like a nice ftp-server response

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

Failed to resolve "%s" for SOCKS4 connect.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

SOCKS5 GSSAPI per-message authentication is not supported.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Failed to resolve "%s" for SOCKS5 connect.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%d]

%%X

Operation too slow. Less than %d bytes/sec transfered the last %d seconds

password

login

%s, algorithm="%s"

%s, opaque="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%s:%s:x:%s:%s:%s

%s:%s:%s

%5[^=]=23[^

%5[^=]="23[^"]"

d:d:d

%c%c==

%c%c%c=

.html

.jpeg

--%s--

Content-Type: %s

; filename="%s"

Content-Disposition: attachment; filename="%s"

Content-Type: multipart/mixed, boundary=%s

%s; boundary=%s

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

hXXp://download.bitdefender.com/windows/installer/%s/bitdefender_isecurity_qs.exe

aK-a}

B.AC5y

h.hN 

Z%DgE

.Ow&9

n3w%F

.agy}

&p-w}

,.hX<

L.qkk

GetExtendedTcpTable

Bitdefender QuickScan Client v0.9.9.140

%s?auth_version=1&client_id=%u

CryptCATCatalogInfoFromContext

hXXp://8f8fb293be49781da3e3229cd4469a18.da3e3.net/

-utf16.txt

%sautorun.inf

%d.%d.%d.%d

/*ReplaceOpenPorts*/

0, 9, 9, 140

\\.\A:

d-d-d d:d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

http=

user_pref("network.proxy.type", 1);

user_pref("network.proxy.http", "

user_pref("network.proxy.http_port",

\\.\_:

%USERPROFILE%

%COMMONPROGRAMFILES%

%SYSTEMROOT%

zcÁ

%userprofile%\ntuser.dat

<1BJ%C|

%S~a[

"C.kQ

%suHYl

^%u<y

.jey(

 ..EK

.kIE#

`p.Tf

$/{.On

.PA_W

%Program Files%\PC Speed Up\PCSUQuickScan.exe

RDTFTFTP

4.&,.2*.&*.

.BpBH

qs.dll

KERNEL32.DLL

WLDAP32.dll

USER32.dll

ADVAPI32.dll

SHELL32.dll

ShellExecuteW

ole32.dll

OLEAUT32.dll

PSAPI.DLL

SHLWAPI.dll

WS2_32.dll

VERSION.dll

ADVAPI32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

bitdefender_isecurity_[quickscan].exe

hXXp://quickscan.bitdefender.com/qs_lang/qs-%s-utf16.txt

iphlpapi.dll

e%d.%d.%d.%d

%s\Cache\X

%X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X %X

%s\%s

%s (new)

%s (deleted)

wintrust.dll

hidden registry key!

%d seconds

Scanned %d files and modules

communication took %d sec

Authentication key has expired.

listens on ports

connected on port

Warning: Low execution rights. Please run QuickScan/browser as Administrator.

%s %s association

%d uploaded, %d failed

%d file(s)

Using HTTP proxy: %s

Upload: %s - %s %d bytes, hash: %s

Scan failed! %s

Scan failed! Error %d

Scan date: %s

referenced in: %s

Process %s (%d)

Machine ID: %X

is affected by %s

Found %d infected files!

File not found: %s

Failed to upload %d file(s)! Please rescan.

executes %s

kernel32.dll

ntdll.dll

\??\%s

psapi.dll

audiodg.exe

mfpmp.exe

gui.exe

ASP.NET Session State

SQL Analysis Services

SQL over TCP

RPC over HTTPS

HTTPS

FTP control

FTP default data

BackupExec

Webmin

WebDAV

Windows Live

Battle.net

VNC over HTTP

PostgreSQL

mSQL

MySQL

HTTP Proxy

Microsoft SQL

FTP over SSL

rlogin

rexec

SMTP over SSL

HTTP over SSL

SMTP

SSH/SCP

version="%d.%d.%d.%d">

%A, %B %d, %Y %H:%M:%S

<startTime value="%d">%s</startTime>

<scanResult error="%d">%s</scanResult>

<reportFile>%s</reportFile>

<reportFile />

<scanDuration>%d</scanDuration>

<scannedFilesCount>%d</scannedFilesCount>

<scannedModulesCount>%d</scannedModulesCount>

<uploadedCount>%d</uploadedCount>

<failedCount>%d</failedCount>

<warningCount>%d</warningCount>

<installedAVCount>%d</installedAVCount>

<infectionCount>%d</infectionCount>

<filePath>%s</filePath>

<virus>%s</virus>

<scanCount>%d</scanCount>

%s - %s

%s (%d)

HKLM\%s\"PackedCatalogItem"

HKLM\%s\"LibraryPath"

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKLM\%s\%s

UrlSearchHooks

Software\Microsoft\Internet Explorer\%s

%s\%s\"%s"

HKLM\%s\"Exec"

Applications\iexplore.exe\shell\open\command

Software\MozillaPlugins

%s\%s\"Path"

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\%s\Main

Software\Classes\Applications\firefox.exe\shell\open\command

Applications\firefox.exe\shell\open\command

Google\Chrome\User Data\Default\Extensions

<exec>

</exec>

Software\Microsoft\Windows\CurrentVersion\Run

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx

Software\Microsoft\Windows\CurrentVersion\RunServices

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce

Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Software\Microsoft\Windows NT\CurrentVersion\Windows

HKLM\%s\"AppInit_DLLs"

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKLM\%s\"Userinit"

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\%s\"DllName"

HKLM\%s\"UIHost"

HKLM\%s\"Taskman"

SCRNSAVE.EXE

HKCU\"SCRNSAVE.EXE"

HKU\%s\"SCRNSAVE.EXE"

HKLM\%s\"AlternateShell"

SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs\"%s"

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKLM\%s\"%s"

Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

%s\shell\open\command

HKCR\%s

HKCR\%s\"(default)"

HKLM\%s\"Shell"

HKLM\%s

%s\Parameters

HKLM\%s\"ServiceDll"

HKLM\%s\"ImagePath"

MD5: %s %s

{md5:"%s", path:"%s", tooltip:"%s"}

--> %s

%s --> %s

{path:"%s", tooltip:"%s", virus_name:"%s"}

{path:"%s", tooltip:"%s", virus_name:"%s"},

%-11s %-39s ] %s

{pid:%d, name:"%s", path:"%s", tooltip:"%s", signed:"%s"}

--> %s

{pid:%d, name:"%s", ip:"%s", port:"%d (%s)"}

%s %s:

{pid:%d, name:"%s", ports:"

%-11s %-39s %s

{name:"%s", path:"%s", tooltip:"%s", signed:"%s"}

\Bitdefender_QS_log.html

Report d-d-d d.d.d.html

%a %b %d %Y %X

(%userdomain%\%username%)

uploaded:"%s",

%d KB/s

scan_count:"%s", scan_time:"%s"

Report d-d-d d.d.d.%ws

css\style.css

css\ui.jqgrid.css

js\grid.locale-en.js

js\jquery.jqGrid.min.js

js\jquery.min.js

Bitdefender_QS_log.html

%s\%s:Zone.Identifier

Software%s\Classes\CLSID\%s\InprocServer32

HKLM\%s\"(default)"

%x.tmp

\StringFileInfo\xx\%s

rundll32.exe

Mozilla\Firefox

\profiles.ini

\prefs.js

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion

.DEFAULT

c:\windows\system32\

%System%\rundll32.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   PCSpeedUp.exe:1792
   taskkill.exe:1044
   taskkill.exe:1772
   taskkill.exe:1628
   taskkill.exe:456
   taskkill.exe:228
   taskkill.exe:1888
   taskkill.exe:1032
   taskkill.exe:1656
   taskkill.exe:424
   MSI87.tmp:444
   install.exe:664
   PCSUService.exe:340
   PCSUService.exe:532
   PCSpeedUp.tmp:1508
   Silverlight.exe:1476
   coregen.exe:832
   coregen.exe:204
   coregen.exe:1060
   coregen.exe:1156
   coregen.exe:1064
   coregen.exe:1276
   coregen.exe:588
   coregen.exe:1352
   coregen.exe:1464
   coregen.exe:240
   PCSULauncher.exe:1664
   MsiExec.exe:1788
   sllauncher.exe:336
   regsvr32.exe:1744
   regsvr32.exe:536
   PCSUSD.exe:752
   PCSUSD.exe:640
   %original file name%.exe:468
   mscorsvw.exe:1912
   PCSUNotifier.exe:1164
   PCSUNotifier.exe:1772
   PCSUNotifier.exe:1060
   PCSUNotifier.exe:864
   PCSUNotifier.exe:736
   PCSUNotifier.exe:1756
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\is-0VNA0.tmp\PCSpeedUp.tmp (7386 bytes)
   C:\c575b8170f28869a833ee80321b1\Silverlight.msp (149529 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Silverlight0.log (6424 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SilverlightMSI.log (94845 bytes)
   %Program Files%\PC Speed Up\PCSUService-Timer.log (58 bytes)
   %Program Files%\PC Speed Up\PCSUService.log (708958 bytes)
   %Program Files%\PC Speed Up\PCSpeedUp.s3db (1040924 bytes)
   %Program Files%\PC Speed Up\PCSpeedUp.s3db-journal (2213480 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MT0V4.tmp (20 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-V0L2Q.tmp (4 bytes)
   %Program Files%\PC Speed Up\unins000.msg (864 bytes)
   %Program Files%\PC Speed Up\is-TASLC.tmp (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PCSUNotifier.exe (2105 bytes)
   %Program Files%\PC Speed Up\is-8N8LB.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\PopupNotification.dll (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-NE98B.tmp (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-L177B.tmp (7 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (715 bytes)
   %Program Files%\PC Speed Up\is-VM1SV.tmp (1425 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (735 bytes)
   %Documents and Settings%\%current user%\Desktop\PC Speed Up.lnk (723 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\itdownload.dll (1281 bytes)
   %Program Files%\PC Speed Up\is-LIRCS.tmp (601 bytes)
   %Program Files%\PC Speed Up\is-E9A56.tmp (800 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Silverlight.exe (1526144 bytes)
   %Program Files%\PC Speed Up\is-EQ1MK.tmp (265 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-8F289.tmp (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\Sqlite3.dll (3361 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_link.txt (13 bytes)
   %Program Files%\PC Speed Up\is-2JPPF.tmp (2105 bytes)
   %Program Files%\PC Speed Up\unins000.dat (50325 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BU0HK.tmp (5 bytes)
   %Program Files%\PC Speed Up\is-JOC2L.tmp (4185 bytes)
   %Program Files%\PC Speed Up\is-LIUB1.tmp (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\delete_me_reportInstall.txt (8 bytes)
   %Program Files%\PC Speed Up\is-QQIDO.tmp (31891 bytes)
   %Program Files%\PC Speed Up\is-SFCGG.tmp (2321 bytes)
   %Program Files%\PC Speed Up\is-V6O7K.tmp (2321 bytes)
   %Program Files%\PC Speed Up\App.config (4199 bytes)
   %Program Files%\PC Speed Up\is-D44GU.tmp (3361 bytes)
   %Program Files%\PC Speed Up\PCSUService.conf (603 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-2LMEU.tmp (53142 bytes)
   %Program Files%\PC Speed Up\is-P9DQG.tmp (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\WebBrowser.dll (2321 bytes)
   %Program Files%\PC Speed Up\is-GE08A.tmp (601 bytes)
   %Program Files%\PC Speed Up\uninstaller.dat (673 bytes)
   %Program Files%\PC Speed Up\is-7RHIK.tmp (6841 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Setup Log 2014-10-30 #001.txt (477286 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-5HERK.tmp (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-F53P8.tmp\_isetup\_shfoldr.dll (23 bytes)
   %Program Files%\PC Speed Up\is-G763Q.tmp (40 bytes)
   C:\c575b8170f28869a833ee80321b1\install.exe (2961 bytes)
   C:\c575b8170f28869a833ee80321b1\$shtdwn$.req (788 bytes)
   C:\c575b8170f28869a833ee80321b1\silverlight.msi (973 bytes)
   C:\c575b8170f28869a833ee80321b1\silverlight.7z (92550 bytes)
   C:\c575b8170f28869a833ee80321b1\install.res.dll (5848 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\mscorlib.ni.dll (656923 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.ni.dll (77425 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Xml.ni.dll (100641 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.ni.dll (425332 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.Web.ni.dll (16757 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Net.ni.dll (75293 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Core.ni.dll (244582 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.ServiceModel.ni.dll (141274 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Windows.Browser.ni.dll (45897 bytes)
   %Program Files%\Microsoft Silverlight\4.0.60310.0\System.Runtime.Serialization.ni.dll (112277 bytes)
   %Documents and Settings%\%current user%\My Documents\PCSpeedUp\App.log (561 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qs_limit[1].htm (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %WinDir%\Tasks\PC SpeedUp Service Deactivator.job (312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsc7F.tmp (2100 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pcspeedup[1].exe (354400 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsc80.tmp\inetc.dll (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\PCSpeedUp\PCSpeedUp.exe (354400 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "PCSpeedUp" = "%Program Files%\PC Speed Up\PCSUNotifier.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.