ThreatExpert Report: Trojan.Win32.Agent

Submission Summary:

Submission details:

Submission received: 30 September 2012, 11:57:35
Processing time: 9 min 59 sec
Submitted sample:

File MD5: 0xF6ECDBA2ACA6AEBDEBC3ECD5BC5812C7
File SHA-1: 0xCDAB8BBFD39EC8621D0CB0354EA28EE874656ACD
Filesize: 504,160 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\d36020196e29b6173bd372f20e481deb\DirectDownloaderInstaller.exe %Temp%\d36020196e29b6173bd372f20e481deb\OpenCL.dll %Temp%\d36020196e29b6173bd372f20e481deb\optimizer.exe %Temp%\d36020196e29b6173bd372f20e481deb\smf %Temp%\d36020196e29b6173bd372f20e481deb\stub.exe %Temp%\d36020196e29b6173bd372f20e481deb\updater.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
2	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderDDLR.exe %Temp%\d36020196e29b6173bd372f20e481deb\downloaderOFFER0.exe %Temp%\d36020196e29b6173bd372f20e481deb\downloaderOFFER1.exe %Temp%\d36020196e29b6173bd372f20e481deb\downloaderOFFER2.exe %Temp%\d36020196e29b6173bd372f20e481deb\downloaderSTUB.exe	59,640 bytes	MD5: 0xC7F6ED56312C8FBB58AE6ED445C38DF4 SHA-1: 0xE2DBA94EF052DB774478B9F7198C1A2298B334E5
3	%Temp%\d36020196e29b6173bd372f20e481deb\preinstaller.exe	218,624 bytes	MD5: 0x06BAEF00AE0F0E42FC5FEA24FC4EAC42 SHA-1: 0x9161574590F09CFE4C24498827386ED57F2E8C58
4	%Temp%\nsk1D.tmp\NSISdl.dll %Temp%\nsk1E.tmp\NSISdl.dll %Temp%\nsk1F.tmp\NSISdl.dll %Temp%\nsk20.tmp\NSISdl.dll	14,848 bytes	MD5: 0xA5F8399A743AB7F9C88C645C35B1EBB5 SHA-1: 0x168F3C158913B0367BF79FA413357FBE97018191
5	[file and pathname of the sample #1]	504,160 bytes	MD5: 0xF6ECDBA2ACA6AEBDEBC3ECD5BC5812C7 SHA-1: 0xCDAB8BBFD39EC8621D0CB0354EA28EE874656ACD

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\nsk1D.tmp
%Temp%\nsk1E.tmp
%Temp%\nsk1F.tmp
%Temp%\nsk20.tmp
%Temp%\d36020196e29b6173bd372f20e481deb

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
downloaderOFFER0.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderOFFER0.exe	196,608 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	278,528 bytes
ns12.tmp	%Temp%\nsc11.tmp\ns12.tmp	32,768 bytes
downloaderSTUB.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderSTUB.exe	196,608 bytes
downloaderDDLR.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderDDLR.exe	196,608 bytes
ns14.tmp	%Temp%\nsc11.tmp\ns14.tmp	32,768 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
downloaderDDLR.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderddlr.exe	8,392,704 bytes
downloaderOFFER0.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderoffer0.exe	8,392,704 bytes
downloaderOFFER1.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderoffer1.exe	8,392,704 bytes
downloaderOFFER2.exe	%Temp%\d36020196e29b6173bd372f20e481deb\downloaderoffer2.exe	8,392,704 bytes

Other details

To mark the presence in the system, the following Mutex object was created:

gcc-shmem-tdm2-use_fc_key

The following Host Names were requested from a host database:

192.5.5.241
www.directdownloader.com
www.openbitcoin.org
openbitcoin.org

The following HTTP URLs were started reading:

http://www.directdownloader.com/DirectDownloaderInstaller.exe
http://openbitcoin.org/static/dist/OpenCL.dll
http://www.openbitcoin.org/static/dist/obc.exe
http://openbitcoin.org/static/dist/updater.exe
http://www.directdownloader.com/toolbars/optimizer.exe
http://www.directdownloader.com/check.php? os=windows&osv=XP&offer0_type=optimizer&offer1_typ e=bitacc&offer2_type=openbitcoin&offer0_installed= NO&offer0_wanted=NO&offer1_installed=NO&offer1_wan ted=NO&offer2_instaled=&offer2_wanted=NO&ddlr_inst..

Downloaded File Summary:

Download details:

Download retrieved: 30 September 2012 12:07:34
Processing time: 11 min 0 sec
Downloaded sample #1:

File MD5: 0xF4B56EDB6A3A0FB4DFCA673A43CDE123
File SHA-1: 0x449C6657118FAC69F13399F8AAEDE54EBB719C87
Filesize: 4,997,344 bytes

Downloaded sample #2:

File MD5: 0x46224113728EFAE885EDA63FC15970F6
File SHA-1: 0x498036A681B2D2B1E1B41019F677ED9774223CFA
Filesize: 34,624 bytes

Downloaded sample #3:

File MD5: 0x099191BC3D3109FEB7BEC3155AEB5DA8
File SHA-1: 0x81E6285B64D7D6807535D78EAEF62047C9C6A13A
Filesize: 68,096 bytes

Downloaded sample #4:

File MD5: 0x34FD9CD85455F81559AB644161020AB6
File SHA-1: 0x10F5EAE78FCB4904748FE87839A6801AC55A3A45
Filesize: 299,008 bytes

Downloaded sample #5:

File MD5: 0xFC3C83FC81D62029659D03B8837896C1
File SHA-1: 0x5BCB69A1275BCBE48C85FAAF7D22A4DE3E7E2C4E
Filesize: 2,683,184 bytes
Alias: Trojan.Win32.Agent [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Optimizer Pro\Help.lnk	687 bytes	MD5: 0xB4C592A3C8DE73273C2022BDC1FF7104 SHA-1: 0x952085673530C3F92AFFC43EEA393C2D1B90EC6C	(not available)
2	%CommonPrograms%\Optimizer Pro\Optimizer Pro on the Web.lnk	667 bytes	MD5: 0x3506534CF2A5FEE1D5BAA1D20BCE4B30 SHA-1: 0xD3BE260710A2C3C457B178F82BA9DF6B9CF18B66	(not available)
3	%CommonPrograms%\Optimizer Pro\Optimizer Pro.lnk	749 bytes	MD5: 0x30420A48E991D6A015DADCFF3B5666D9 SHA-1: 0x591519D43CD655AB07218013834A3BF37D1B1B1B	(not available)
4	%CommonPrograms%\Optimizer Pro\Uninstall Optimizer Pro.lnk	667 bytes	MD5: 0x3C217CFAC1A4756EF9FD26F8248ED52C SHA-1: 0xDFEAF3F83A9B996780183033C1AC30C4E032D4A6	(not available)
5	%DesktopDir%\Direct Downloader.lnk	1,174 bytes	MD5: 0x34021B2EB28021172A999CAFDB994C9D SHA-1: 0x33DC3AD44D5C227D4F3DA7878FC00241F6D60343	(not available)
6	%DesktopDir%\Optimizer Pro.lnk	737 bytes	MD5: 0xFAE5F47F62DF766BA6C71445939F32E4 SHA-1: 0x1F0A837A9E04CC3A0F0C2A5A5D7C6D769B55808B	(not available)
7	%AppData%\DirectDownloader\DirectDownloader.exe	4,982,304 bytes	MD5: 0x57397D066AA71FC883F3E5911761F190 SHA-1: 0x2011254CCA31B46699F710A14BA94FAA609D2C14	(not available)
8	%AppData%\DirectDownloader\icon.ico	34,494 bytes	MD5: 0x0D3E03DDDAC2D8E99483CD277408C4C8 SHA-1: 0x6C4FC59261456CF3FDEFBE4CC451334301F12C30	(not available)
9	%AppData%\DirectDownloader\settings.ini	97 bytes	MD5: 0xF39A59672940E83F7C4F867FC52DCE64 SHA-1: 0xD59D2473AE6854CAC85029FA3ECBB85004E0AA2A	(not available)
10	%AppData%\DirectDownloader\Uninstall.exe	89,242 bytes	MD5: 0xB309122E4256317FBB1B36A747AD20BD SHA-1: 0xC05B65D689544B9F647FCF9DBAF8721AFF2E5919	(not available)
11	%AppData%\DirectDownloader\updateRunner.exe	14,880 bytes	MD5: 0xD9AB17E87E67EAD82ADC0A74F0FC4DD6 SHA-1: 0xE054CA81E2A01639D64F325FC61138A4EB4D2A7D	(not available)
12	%Programs%\DirectDownloader\DirectDownloader.lnk	1,186 bytes	MD5: 0x568FA30CE89926E459F48C7A683CFF78 SHA-1: 0xC63A921CDC93A0EA7F8D1284107C6FD6C6083531	(not available)
13	%Programs%\DirectDownloader\Launch Website.url	174 bytes	MD5: 0xA5AC721C5EFDD7A75D166E00CBAD358E SHA-1: 0xB33D8D94AD7CB41B8B2222E1A797BA1831A5DD3A	(not available)
14	%Programs%\DirectDownloader\Online Help.url	179 bytes	MD5: 0xEF8A0E24AA36982072B80F73202F8F63 SHA-1: 0x9C240CFDA2EDCB2A2D6770721C767762FE8A84EB	(not available)
15	%Programs%\DirectDownloader\Uninstall Program.lnk	947 bytes	MD5: 0xF6A62E04A5059DBADA6407E34A45CD07 SHA-1: 0x2CAFDE306149B12FE42CA226B14137B49DB7FF6A	(not available)
16	%Programs%\Startup\Direct Downloader.lnk	1,202 bytes	MD5: 0xBCC15F65659990C8302E18DD0579EA50 SHA-1: 0xD232AD5002239EEDAB3219B275F551EEBED8EB90	(not available)
17	%ProgramFiles%\Optimizer Pro\English.ini	17,086 bytes	MD5: 0x414295A5CEEEE799B02F4D94DEA93943 SHA-1: 0x0E3F798F02C75B43984CEE88ADD712FD8C6CD925	(not available)
18	%ProgramFiles%\Optimizer Pro\file_id.diz	861 bytes	MD5: 0x34D6FD255C48B63584D8CC5C862225D7 SHA-1: 0x494970E16DFE601A96F89239F335FB6D48F57370	(not available)
19	%ProgramFiles%\Optimizer Pro\HomePage.url	54 bytes	MD5: 0x8B4796E82170E61D2FB8F1B9230D80BF SHA-1: 0xEE7B922DA00665F5A2EE646BA3A07156C01CC994	(not available)
20	%ProgramFiles%\Optimizer Pro\OptimizerPro.chm	43,152 bytes	MD5: 0xAEAC7C2FA04F2D766D0BC9E65B3CCBCB SHA-1: 0x33B8ACEC7E4E209F965027637B132BF65FAA5055	(not available)
21	%ProgramFiles%\Optimizer Pro\OptimizerPro.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
22	%ProgramFiles%\Optimizer Pro\OptProGuard.exe	232,240 bytes	MD5: 0x94AEBE8F4BEB1157E557EDA1168A4FC8 SHA-1: 0x0279B6FA6AEFC65D28A9EEDF0A9352EFA74F1FE2	packed with UPX [Kaspersky Lab]
23	%ProgramFiles%\Optimizer Pro\OptProLauncher.exe	79,664 bytes	MD5: 0x4639ADA987378DAC8FBA283E8FB05C37 SHA-1: 0xE38DA44318FB264A7FC8DE54EC90E558E611162C	packed with UPX [Kaspersky Lab]
24	%ProgramFiles%\Optimizer Pro\OptProReminder.exe	215,856 bytes	MD5: 0xDB768AD94C887062242507ACB2C32F25 SHA-1: 0x1034CCDCE2E727FCA4F2A968773C2488134A3FAA	packed with UPX [Kaspersky Lab]
25	%ProgramFiles%\Optimizer Pro\OptProSchedule.exe	194,864 bytes	MD5: 0x614C59E27B320ACD0C463FA4154183B7 SHA-1: 0xE916C1515A78A5C295B8675DCAB542DC08D28959	packed with UPX [Kaspersky Lab]
26	%ProgramFiles%\Optimizer Pro\OptProSmartScan.exe	197,112 bytes	MD5: 0x2091DF889684304F68616CAE08B2FBCC SHA-1: 0xB7543EF0B5D581B3ACB42F880E81DA30E36C5A2F	(not available)
27	%ProgramFiles%\Optimizer Pro\OptProStart.exe	207,664 bytes	MD5: 0x98574CB00E32B3A95BD706F4F0757FDE SHA-1: 0x3B4BE02F28AADB075FDD3EC45BB423610F4D6462	(not available)
28	%ProgramFiles%\Optimizer Pro\OptProUninstaller.exe	43,824 bytes	MD5: 0x660724D27FF01B1BDCB01A3307B433C0 SHA-1: 0x6D2E18196FC258A949A4F7C2AFC1225E5AB61EC7	(not available)
29	%ProgramFiles%\Optimizer Pro\scan.gif	56,626 bytes	MD5: 0x6858A1CE31E5F92785FB525CE9725B8A SHA-1: 0x6F666E761CB39EC0EFA78038038706C6E09641CA	(not available)
30	%ProgramFiles%\Optimizer Pro\sqlite3.dll	520,234 bytes	MD5: 0x0F66E8E2340569FB17E774DAC2010E31 SHA-1: 0x406BB6854E7384FF77C0B847BF2F24F3315874A3	(not available)
31	%ProgramFiles%\Optimizer Pro\unins000.dat	4,210 bytes	MD5: 0xE67C42AE4160E0C40D46A620E88D0CA5 SHA-1: 0x71637063A56F46BE74AABB730C4B75BD2E2139BF	(not available)
32	%ProgramFiles%\Optimizer Pro\unins000.exe	707,361 bytes	MD5: 0x8292CF66F2543C84C6D42112F6B7F2C7 SHA-1: 0xCAD6AA02069480B621FB829DC36D44F2C4BA8E98	(not available)
33	[file and pathname of the sample #1]	4,997,344 bytes	MD5: 0xF4B56EDB6A3A0FB4DFCA673A43CDE123 SHA-1: 0x449C6657118FAC69F13399F8AAEDE54EBB719C87	(not available)
34	[file and pathname of the sample #2]	34,624 bytes	MD5: 0x46224113728EFAE885EDA63FC15970F6 SHA-1: 0x498036A681B2D2B1E1B41019F677ED9774223CFA	(not available)
35	[file and pathname of the sample #3]	68,096 bytes	MD5: 0x099191BC3D3109FEB7BEC3155AEB5DA8 SHA-1: 0x81E6285B64D7D6807535D78EAEF62047C9C6A13A	(not available)
36	[file and pathname of the sample #4]	299,008 bytes	MD5: 0x34FD9CD85455F81559AB644161020AB6 SHA-1: 0x10F5EAE78FCB4904748FE87839A6801AC55A3A45	(not available)
37	[file and pathname of the sample #5]	2,683,184 bytes	MD5: 0xFC3C83FC81D62029659D03B8837896C1 SHA-1: 0x5BCB69A1275BCBE48C85FAAF7D22A4DE3E7E2C4E	Trojan.Win32.Agent [Ikarus]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\Optimizer Pro
%DesktopDir%\Downloads
%CommonPrograms%\Optimizer Pro
%AppData%\Optimizer Pro\Backup
%AppData%\Optimizer Pro\Exception
%AppData%\Optimizer Pro\Log
%AppData%\Optimizer Pro\Undo
%AppData%\DirectDownloader
%Programs%\DirectDownloader
%ProgramFiles%\Optimizer Pro

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
updaterunner.exe	%AppData%\directdownloader\updaterunner.exe	36,864 bytes
[filename of the sample #5]	[file and pathname of the sample #5]	2,703,360 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	262,144 bytes
optprolauncher.exe	%ProgramFiles%\optimizer pro\optprolauncher.exe	192,512 bytes
RegistryOptimizer.exe	%Windir%\Temp\RegistryOptimizer.exe	81,920 bytes
RegistryOptimizer.tmp	%Temp%\is-04F4N.tmp\RegistryOptimizer.tmp	761,856 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
[filename of the sample #2]	[file and pathname of the sample #2]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3E0000 - 0x3F4000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDownloader
HKEY_CURRENT_USER\Software\DirectDownloader
HKEY_CURRENT_USER\Software\Optimizer Pro

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe\shell]

(Default) = "open"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\DirectDownloader.exe]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent]

ddlr.torrent_backup = ""
(Default) = "ddlr.torrent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell\open]

(Default) = "Download with Direct Downloader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\shell]

(Default) = "open"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent\DefaultIcon]

(Default) = "%AppData%\DirectDownloader\icon.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ddlr.torrent]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe run "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon]

(Default) = "%AppData%\DirectDownloader\directdownloader.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet]

(Default) = "URL:Magnet URI protocol"
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1]

Inno Setup: Setup Version = "5.3.5 (a)"
Inno Setup: App Path = "%ProgramFiles%\Optimizer Pro"
InstallLocation = "%ProgramFiles%\Optimizer Pro\"
Inno Setup: Icon Group = "Optimizer Pro"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = ""
DisplayName = "Optimizer Pro v3.0"
UninstallString = ""%ProgramFiles%\Optimizer Pro\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Optimizer Pro\unins000.exe" /SILENT"
DisplayVersion = "3.0"
Publisher = "PC Utilities Pro"
URLInfoAbout = "http://www.pcutilitiespro.com"
HelpLink = "http://www.pcutilitiespro.com"
URLUpdateInfo = "http://www.pcutilitiespro.com"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120930"
MajorVersion = 0x00000003
MinorVersion = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

NotifyDownloadComplete = "yes"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Optimizer Pro = "%ProgramFiles%\Optimizer Pro\OptProLauncher.exe"

so that OptProLauncher.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDownloader]

DisplayName = "DirectDownloader"
UninstallString = "%AppData%\DirectDownloader\uninstall.exe"
DisplayIcon = "%AppData%\DirectDownloader\icon.ico"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\DirectDownloader]

InstallDir = "%AppData%\DirectDownloader"

[HKEY_CURRENT_USER\Software\Optimizer Pro]

Language = 0x00000001
DelayedStart = 0x00000000
AdsDownloadURL = "http://filecdn.avanquest.com/rw/xsell/pcutilitiespro/pcup7/DriverPro.exe"
AdsBuyNowURL = "http://pcup7.pcutilitiespro.revenuewire.net/driverpro/xsell"
UseAds = 0x00000001
UninstallURL = "http://pcup710min.pcutilitiespro.revenuewire.net/optimizerpro/special"
SupportURL = "http://www.pcutilitiespro.com/support.aspx"
BuyNowURL = "http://pcup710min.pcutilitiespro.revenuewire.net/optimizerpro/register"
HomePageURL = "http://www.pcutilitiespro.com/"
DisplayName = "Optimizer Pro"
Version = "3.0"
InstallDate = 00 00 00 00 C0 1B E4 40
User = ""
UserKey = ""
LogDir = "%AppData%\Optimizer Pro\Log"
UndoDir = "%AppData%\Optimizer Pro\Undo"
ItemsToScan = "1111111111"
UseExceptionList = 0x00000001
ShowRebootMessage = 0x00000001
SpeedGuard = 0x00000000
s_SmartScan = 0x00000000
s_Enable = 0x00000000
s_Time = 3F 39 94 35 D0 1B E4 40
s_SmartMode = 0x00000000
Reminder = 0x00000001

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

CritOpMutex
OptimizerPro
OptProStart
OptProGuard

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.directdownloader.com	80	(null)	(null)

The following GET request was made:

banner.php

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.