ThreatExpert Report: Win32.AdWare.gen2x, Win32.SuspectCrc, Trojan.SuspectCRC..

Submission Summary:

Submission details:

Submission received: 25 October 2012, 14:31:56
Processing time: 11 min 24 sec
Submitted sample:

File MD5: 0xA948B478FF9EDAB7B88D94C8FED772B3
File SHA-1: 0x5FA965B978E3688D3040C55D50EF60620F83F8FC
Filesize: 504,088 bytes
Alias: Win32.AdWare.gen2x [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\DirectDownloaderInstaller.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\OpenCL.dll %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\optimizer.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\smf %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\stub.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\updater.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderDDLR.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderOFFER0.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderOFFER1.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderOFFER2.exe %Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderSTUB.exe	59,640 bytes	MD5: 0xC7F6ED56312C8FBB58AE6ED445C38DF4 SHA-1: 0xE2DBA94EF052DB774478B9F7198C1A2298B334E5	(not available)
3	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\preinstaller.exe	218,624 bytes	MD5: 0x06BAEF00AE0F0E42FC5FEA24FC4EAC42 SHA-1: 0x9161574590F09CFE4C24498827386ED57F2E8C58	Win32.AdWare.gen2x [Ikarus]
4	%Temp%\nsj1C.tmp\NSISdl.dll %Temp%\nsj1D.tmp\NSISdl.dll %Temp%\nsj1E.tmp\NSISdl.dll %Temp%\nsu20.tmp\NSISdl.dll	14,848 bytes	MD5: 0xA5F8399A743AB7F9C88C645C35B1EBB5 SHA-1: 0x168F3C158913B0367BF79FA413357FBE97018191	(not available)
5	[file and pathname of the sample #1]	504,088 bytes	MD5: 0xA948B478FF9EDAB7B88D94C8FED772B3 SHA-1: 0x5FA965B978E3688D3040C55D50EF60620F83F8FC	Win32.AdWare.gen2x [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\nsj1C.tmp
%Temp%\nsj1D.tmp
%Temp%\nsj1E.tmp
%Temp%\nsu20.tmp
%Temp%\4ae867bfd3ff42fc438e1eeb3685e697

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
downloaderOFFER0.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderOFFER0.exe	196,608 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	278,528 bytes
ns12.tmp	%Temp%\nsj11.tmp\ns12.tmp	32,768 bytes
downloaderSTUB.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderSTUB.exe	196,608 bytes
downloaderDDLR.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderDDLR.exe	196,608 bytes
ns14.tmp	%Temp%\nsj11.tmp\ns14.tmp	32,768 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
downloaderDDLR.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderddlr.exe	8,392,704 bytes
downloaderOFFER0.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderoffer0.exe	8,392,704 bytes
downloaderOFFER1.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderoffer1.exe	8,392,704 bytes
downloaderOFFER2.exe	%Temp%\4ae867bfd3ff42fc438e1eeb3685e697\downloaderoffer2.exe	8,392,704 bytes

Other details

To mark the presence in the system, the following Mutex object was created:

gcc-shmem-tdm2-use_fc_key

The following Host Names were requested from a host database:

www.directdownloader.com
www.openbitcoin.org
openbitcoin.org

The following HTTP URLs were started reading:

http://www.openbitcoin.org/static/dist/obc.exe
http://openbitcoin.org/static/dist/OpenCL.dll
http://openbitcoin.org/static/dist/updater.exe
http://www.directdownloader.com/DirectDownloaderInstaller.exe
http://www.directdownloader.com/toolbars/optimizer.exe
http://www.directdownloader.com/check.php? os=windows&osv=XP&offer0_type=optimizer&offer1_typ e=bitacc&offer2_type=openbitcoin&offer0_installed= NO&offer0_wanted=NO&offer1_installed=NO&offer1_wan ted=NO&offer2_instaled=&offer2_wanted=NO&ddlr_inst..

Downloaded File Summary:

Download details:

Download retrieved: 25 October 2012 14:43:21
Processing time: 12 min 35 sec
Downloaded sample #1:

File MD5: 0xEAAF3B738EAD4FC2B1DAC5C1DC75B22C
File SHA-1: 0x8DCF81FACC5EF1C48947253F3F07AF52C4C7EBA0
Filesize: 158,720 bytes
Alias: Win32.SuspectCrc [Ikarus]

Downloaded sample #2:

File MD5: 0x46224113728EFAE885EDA63FC15970F6
File SHA-1: 0x498036A681B2D2B1E1B41019F677ED9774223CFA
Filesize: 34,624 bytes
Alias: Trojan.SuspectCRC [Ikarus]

Downloaded sample #3:

File MD5: 0xD69F7EA58CB57E3FE7EA5996D03FF0C0
File SHA-1: 0x6FB286ED1A8170621143A1517455D771A31EC3C0
Filesize: 301,568 bytes
Alias: Trojan.SuspectCRC [Ikarus]

Downloaded sample #4:

File MD5: 0xF4B56EDB6A3A0FB4DFCA673A43CDE123
File SHA-1: 0x449C6657118FAC69F13399F8AAEDE54EBB719C87
Filesize: 4,997,344 bytes
Alias: Application.DirectDownloader [Ikarus]

Downloaded sample #5:

File MD5: 0xFC3C83FC81D62029659D03B8837896C1
File SHA-1: 0x5BCB69A1275BCBE48C85FAAF7D22A4DE3E7E2C4E
Filesize: 2,683,184 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Optimizer Pro\Help.lnk	687 bytes	MD5: 0xB79C5F1FE2A56F7337E235E14695C5D8 SHA-1: 0xEF27E015EE3A4A7F436256479C948827AE48B770	(not available)
2	%CommonPrograms%\Optimizer Pro\Optimizer Pro on the Web.lnk	667 bytes	MD5: 0x8BBEB689D76F44D0C30CBB535839E3F1 SHA-1: 0xFC70C7ABD28741C820B7FDB31958BEF8FF00DADF	(not available)
3	%CommonPrograms%\Optimizer Pro\Optimizer Pro.lnk	749 bytes	MD5: 0x047810A49A70381E373D012E2DAC419F SHA-1: 0x3D6690CAF8EB2FFFC3F76253AE4DF15BC9A52037	(not available)
4	%CommonPrograms%\Optimizer Pro\Uninstall Optimizer Pro.lnk	667 bytes	MD5: 0x7D946ACA95B2816FDCB1DF7AA41B2298 SHA-1: 0x78B4DBC30C8BB93A14EF5E0FDC01E7D73473E264	(not available)
5	%DesktopDir%\Direct Downloader.lnk	1,174 bytes	MD5: 0x33F876E98CAECB9D12AC0D75D9887ED9 SHA-1: 0x1FDBF2D2C574954E4A115718323C9C8CFC9F9E1A	(not available)
6	%DesktopDir%\Optimizer Pro.lnk	737 bytes	MD5: 0x790C983206E434E2C6E0247D64537342 SHA-1: 0x7E1EA6270083A39DFF4D17EC2EBAA0E2C4A96AC6	(not available)
7	%AppData%\DirectDownloader\DirectDownloader.exe	4,982,304 bytes	MD5: 0x57397D066AA71FC883F3E5911761F190 SHA-1: 0x2011254CCA31B46699F710A14BA94FAA609D2C14	Application.DirectDownloader [Ikarus]
8	%AppData%\DirectDownloader\icon.ico	34,494 bytes	MD5: 0x0D3E03DDDAC2D8E99483CD277408C4C8 SHA-1: 0x6C4FC59261456CF3FDEFBE4CC451334301F12C30	(not available)
9	%AppData%\DirectDownloader\settings.ini	97 bytes	MD5: 0xF39A59672940E83F7C4F867FC52DCE64 SHA-1: 0xD59D2473AE6854CAC85029FA3ECBB85004E0AA2A	(not available)
10	%AppData%\DirectDownloader\Uninstall.exe	89,242 bytes	MD5: 0xB309122E4256317FBB1B36A747AD20BD SHA-1: 0xC05B65D689544B9F647FCF9DBAF8721AFF2E5919	(not available)
11	%AppData%\DirectDownloader\updateRunner.exe	14,880 bytes	MD5: 0xD9AB17E87E67EAD82ADC0A74F0FC4DD6 SHA-1: 0xE054CA81E2A01639D64F325FC61138A4EB4D2A7D	(not available)
12	%Programs%\DirectDownloader\DirectDownloader.lnk	1,186 bytes	MD5: 0xDC2CABBA48620E44A7076C41361A54D2 SHA-1: 0x46B753B7B206DC5B3C5CCA73761FFA247CDDEDF5	(not available)
13	%Programs%\DirectDownloader\Launch Website.url	174 bytes	MD5: 0xA5AC721C5EFDD7A75D166E00CBAD358E SHA-1: 0xB33D8D94AD7CB41B8B2222E1A797BA1831A5DD3A	(not available)
14	%Programs%\DirectDownloader\Online Help.url	179 bytes	MD5: 0xEF8A0E24AA36982072B80F73202F8F63 SHA-1: 0x9C240CFDA2EDCB2A2D6770721C767762FE8A84EB	(not available)
15	%Programs%\DirectDownloader\Uninstall Program.lnk	947 bytes	MD5: 0xF6A62E04A5059DBADA6407E34A45CD07 SHA-1: 0x2CAFDE306149B12FE42CA226B14137B49DB7FF6A	(not available)
16	%Programs%\Startup\Direct Downloader.lnk	1,202 bytes	MD5: 0x997C3C5D7E3357F4941ECBCE5EB0D1DA SHA-1: 0x1D0B7165748AD2463B22E7E957C3FE7CADF162B6	(not available)
17	%ProgramFiles%\Optimizer Pro\English.ini	17,086 bytes	MD5: 0x414295A5CEEEE799B02F4D94DEA93943 SHA-1: 0x0E3F798F02C75B43984CEE88ADD712FD8C6CD925	(not available)
18	%ProgramFiles%\Optimizer Pro\file_id.diz	861 bytes	MD5: 0x34D6FD255C48B63584D8CC5C862225D7 SHA-1: 0x494970E16DFE601A96F89239F335FB6D48F57370	(not available)
19	%ProgramFiles%\Optimizer Pro\HomePage.url	54 bytes	MD5: 0x8B4796E82170E61D2FB8F1B9230D80BF SHA-1: 0xEE7B922DA00665F5A2EE646BA3A07156C01CC994	(not available)
20	%ProgramFiles%\Optimizer Pro\OptimizerPro.chm	43,152 bytes	MD5: 0xAEAC7C2FA04F2D766D0BC9E65B3CCBCB SHA-1: 0x33B8ACEC7E4E209F965027637B132BF65FAA5055	(not available)
21	%ProgramFiles%\Optimizer Pro\OptimizerPro.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
22	%ProgramFiles%\Optimizer Pro\OptProGuard.exe	232,240 bytes	MD5: 0x94AEBE8F4BEB1157E557EDA1168A4FC8 SHA-1: 0x0279B6FA6AEFC65D28A9EEDF0A9352EFA74F1FE2	packed with UPX [Kaspersky Lab]
23	%ProgramFiles%\Optimizer Pro\OptProLauncher.exe	79,664 bytes	MD5: 0x4639ADA987378DAC8FBA283E8FB05C37 SHA-1: 0xE38DA44318FB264A7FC8DE54EC90E558E611162C	packed with UPX [Kaspersky Lab]
24	%ProgramFiles%\Optimizer Pro\OptProReminder.exe	215,856 bytes	MD5: 0xDB768AD94C887062242507ACB2C32F25 SHA-1: 0x1034CCDCE2E727FCA4F2A968773C2488134A3FAA	packed with UPX [Kaspersky Lab]
25	%ProgramFiles%\Optimizer Pro\OptProSchedule.exe	194,864 bytes	MD5: 0x614C59E27B320ACD0C463FA4154183B7 SHA-1: 0xE916C1515A78A5C295B8675DCAB542DC08D28959	packed with UPX [Kaspersky Lab]
26	%ProgramFiles%\Optimizer Pro\OptProSmartScan.exe	197,112 bytes	MD5: 0x2091DF889684304F68616CAE08B2FBCC SHA-1: 0xB7543EF0B5D581B3ACB42F880E81DA30E36C5A2F	(not available)
27	%ProgramFiles%\Optimizer Pro\OptProStart.exe	207,664 bytes	MD5: 0x98574CB00E32B3A95BD706F4F0757FDE SHA-1: 0x3B4BE02F28AADB075FDD3EC45BB423610F4D6462	(not available)
28	%ProgramFiles%\Optimizer Pro\OptProUninstaller.exe	43,824 bytes	MD5: 0x660724D27FF01B1BDCB01A3307B433C0 SHA-1: 0x6D2E18196FC258A949A4F7C2AFC1225E5AB61EC7	(not available)
29	%ProgramFiles%\Optimizer Pro\scan.gif	56,626 bytes	MD5: 0x6858A1CE31E5F92785FB525CE9725B8A SHA-1: 0x6F666E761CB39EC0EFA78038038706C6E09641CA	(not available)
30	%ProgramFiles%\Optimizer Pro\sqlite3.dll	520,234 bytes	MD5: 0x0F66E8E2340569FB17E774DAC2010E31 SHA-1: 0x406BB6854E7384FF77C0B847BF2F24F3315874A3	(not available)
31	%ProgramFiles%\Optimizer Pro\unins000.dat	4,210 bytes	MD5: 0x8D8C2AA46B8C8BBA01E1566CA0B839AA SHA-1: 0xFB4553B0CC56ADED6867A2EAC6B9883E701C7E85	(not available)
32	%ProgramFiles%\Optimizer Pro\unins000.exe	707,361 bytes	MD5: 0x8292CF66F2543C84C6D42112F6B7F2C7 SHA-1: 0xCAD6AA02069480B621FB829DC36D44F2C4BA8E98	(not available)
33	[file and pathname of the sample #1]	158,720 bytes	MD5: 0xEAAF3B738EAD4FC2B1DAC5C1DC75B22C SHA-1: 0x8DCF81FACC5EF1C48947253F3F07AF52C4C7EBA0	Win32.SuspectCrc [Ikarus]
34	[file and pathname of the sample #2]	34,624 bytes	MD5: 0x46224113728EFAE885EDA63FC15970F6 SHA-1: 0x498036A681B2D2B1E1B41019F677ED9774223CFA	Trojan.SuspectCRC [Ikarus]
35	[file and pathname of the sample #3]	301,568 bytes	MD5: 0xD69F7EA58CB57E3FE7EA5996D03FF0C0 SHA-1: 0x6FB286ED1A8170621143A1517455D771A31EC3C0	Trojan.SuspectCRC [Ikarus]
36	[file and pathname of the sample #4]	4,997,344 bytes	MD5: 0xF4B56EDB6A3A0FB4DFCA673A43CDE123 SHA-1: 0x449C6657118FAC69F13399F8AAEDE54EBB719C87	Application.DirectDownloader [Ikarus]
37	[file and pathname of the sample #5]	2,683,184 bytes	MD5: 0xFC3C83FC81D62029659D03B8837896C1 SHA-1: 0x5BCB69A1275BCBE48C85FAAF7D22A4DE3E7E2C4E	(not available)

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\Optimizer Pro
%DesktopDir%\Downloads
%CommonPrograms%\Optimizer Pro
%AppData%\Optimizer Pro\Backup
%AppData%\Optimizer Pro\Exception
%AppData%\Optimizer Pro\Log
%AppData%\Optimizer Pro\Undo
%AppData%\DirectDownloader
%Programs%\DirectDownloader
%ProgramFiles%\Optimizer Pro

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
updaterunner.exe	%AppData%\directdownloader\updaterunner.exe	36,864 bytes
[filename of the sample #5]	[file and pathname of the sample #5]	2,703,360 bytes
[filename of the sample #4]	[file and pathname of the sample #4]	262,144 bytes
RegistryOptimizer.exe	%Windir%\Temp\RegistryOptimizer.exe	81,920 bytes
RegistryOptimizer.tmp	%Temp%\is-A4453.tmp\RegistryOptimizer.tmp	761,856 bytes
OptProLauncher.exe	%ProgramFiles%\Optimizer Pro\OptProLauncher.exe	192,512 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #2]	[file and pathname of the sample #2]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3E0000 - 0x3F4000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDownloader
HKEY_CURRENT_USER\Software\DirectDownloader
HKEY_CURRENT_USER\Software\Optimizer Pro

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell]

(Default) = "open"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent]

ddlr.torrent_backup = ""
(Default) = "ddlr.torrent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open]

(Default) = "Download with Direct Downloader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell]

(Default) = "open"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\DefaultIcon]

(Default) = "%AppData%\DirectDownloader\icon.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet]

(Default) = "URL:Magnet URI protocol"
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]

Inno Setup: Setup Version = "5.3.5 (a)"
Inno Setup: App Path = "%ProgramFiles%\Optimizer Pro"
InstallLocation = "%ProgramFiles%\Optimizer Pro\"
Inno Setup: Icon Group = "Optimizer Pro"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = ""
DisplayName = "Optimizer Pro v3.0"
UninstallString = ""%ProgramFiles%\Optimizer Pro\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Optimizer Pro\unins000.exe" /SILENT"
DisplayVersion = "3.0"
Publisher = "PC Utilities Pro"
URLInfoAbout = "http://www.pcutilitiespro.com"
HelpLink = "http://www.pcutilitiespro.com"
URLUpdateInfo = "http://www.pcutilitiespro.com"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20121025"
MajorVersion = 0x00000003
MinorVersion = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

NotifyDownloadComplete = "yes"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Optimizer Pro = "%ProgramFiles%\Optimizer Pro\OptProLauncher.exe"

so that OptProLauncher.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDownloader]

DisplayName = "DirectDownloader"
UninstallString = "%AppData%\DirectDownloader\uninstall.exe"
DisplayIcon = "%AppData%\DirectDownloader\icon.ico"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\DirectDownloader]

InstallDir = "%AppData%\DirectDownloader"

[HKEY_CURRENT_USER\Software\Optimizer Pro]

Language = 0x00000001
DelayedStart = 0x00000000
AdsDownloadURL = "http://filecdn.avanquest.com/rw/xsell/pcutilitiespro/pcup7/DriverPro.exe"
AdsBuyNowURL = "http://pcup7.pcutilitiespro.revenuewire.net/driverpro/xsell"
UseAds = 0x00000001
UninstallURL = "http://pcup710min.pcutilitiespro.revenuewire.net/optimizerpro/special"
SupportURL = "http://www.pcutilitiespro.com/support.aspx"
BuyNowURL = "http://pcup710min.pcutilitiespro.revenuewire.net/optimizerpro/register"
HomePageURL = "http://www.pcutilitiespro.com/"
DisplayName = "Optimizer Pro"
Version = "3.0"
InstallDate = 00 00 00 00 E0 1E E4 40
User = ""
UserKey = ""
LogDir = "%AppData%\Optimizer Pro\Log"
UndoDir = "%AppData%\Optimizer Pro\Undo"
ItemsToScan = "1111111111"
UseExceptionList = 0x00000001
ShowRebootMessage = 0x00000001
SpeedGuard = 0x00000000
s_SmartScan = 0x00000000
s_Enable = 0x00000000
s_Time = 30 7D 25 AC F3 1E E4 40
s_SmartMode = 0x00000000
Reminder = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

CritOpMutex
OptProGuard
OptProStart
OptimizerPro

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.directdownloader.com	80	(null)	(null)

The following GET request was made:

banner.php

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.