Analysis by: Jay Garcia

ALIASES:

RiskTool.Win32.Agent.ihv (Kaspersky); PUA.OptimizerPro, SMG.Heur!gen (Norton)

PLATFORM:

Windows

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 3,039,344 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 26 Jul 2019

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following processes:

  • %Windows%\Temp\Optimizer_Pro.exe /VERYSILENT
  • %Program Files%\Optimizer Pro\OptProStart.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

  • %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro
  • %Program Files%\Optimizer Pro

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Potentially Unwanted Application adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Optimizer Pro = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

Other System Modifications

This Potentially Unwanted Application adds the following registry keys:

HKEY_CURRENT_USER\SOFTWARE\Optimizer Pro

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Optimizer Pro
SetupName = "{malware path and file name}.exe"
Language = "2"
InstallDate = "{date}"
AppStart = "0"
Os = "{value}"
MachineGuid = "{GUID}"
DelayedStart = "5"
Querry = "{random characters}"
UninstallURL = "https://{BLOCKED}rt.com/pcutilitiespro/.op-special/purchase?sid=111000809-IL-006"
SupportURL = "http://support.{BLOCKED}itiespro.com"
HomePageURL = "http://www.{BLOCKED}itiespro.com"
BuyNowURL = "{random characters}"
UseAds = "1"
AdsHost = "dl.{BLOCKED}vers.net"
AdsDownloadURL = "http://dl.{BLOCKED}rvers.net/121000809/DriverPro.exe"
AdsBuyNowURL = "{random characters}"
WelcomeURL = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Inno Setup: Setup Version = "5.5.3 (a)"
Inno Setup: App Path = "%Program Files%\Optimizer Pro"
InstallLocation = "%Program Files%\Optimizer Pro"
Inno Setup: Icon Group = "Optimizer Pro"
Inno Setup: User = "{username}"
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = ""
Inno Setup: Language = "jp"
DisplayName = "Optimizer Pro v3.1"
UninstallString = "%Program Files%\Optimizer Pro\unins000.exe"
QuietUninstallString = "%Program Files%\Optimizer Pro\unins000.exe /SILENT"
DisplayVersion = "3.1"
Publisher = "PC Utilities Pro"
URLInfoAbout = "http://www.{BLOCKED}itiespro.com"
HelpLink = "http://www.{BLOCKED}itiespro.com"
URLUpdateInfo = "http://www.{BLOCKED}itiespro.com"
NoModify = "1"
NoRepair = "1"
InstallDate = "{date}"
MajorVersion = "3"
MinorVersion = "1"
EstimatedSize = "27886"

Dropping Routine

This Potentially Unwanted Application drops the following files:

  • %Program Files%\Optimizer Pro\file_id.diz
  • %Program Files%\Optimizer Pro\OptimizerPro.chm
  • %Program Files%\Optimizer Pro\HomePage.url
  • %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro\Optimizer Pro.lnk
  • %Program Files%\Optimizer Pro\unins000.exe
  • %Program Files%\Optimizer Pro\OptProSchedule.exe
  • %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro\Optimizer Pro on the Web.lnk
  • %Program Files%\Optimizer Pro\OptProSmartScan.exe
  • %Program Files%\Optimizer Pro\OptimizerPro.exe
  • %Windows%\Temp\Optimizer_Pro.exe
  • %Program Files%\Optimizer Pro\unins000.msg
  • %Desktop%\Optimizer Pro.lnk
  • %Program Files%\Optimizer Pro\OptProUninstaller.exe
  • %Program Files%\Optimizer Pro\OptProGuard.exe
  • %Program Files%\Optimizer Pro\scan.gif
  • %Program Files%\Optimizer Pro\Japanese.ini
  • %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro\Help.lnk
  • %Program Files%\Optimizer Pro\sqlite3.dll
  • %Program Files%\Optimizer Pro\OptProLauncher.exe
  • %Program Files%\Optimizer Pro\unins000.dat
  • %Program Files%\Optimizer Pro\OptProStart.exe
  • %Program Files%\Optimizer Pro\OptProReminder.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit). %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
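As an added triage check that is not part of the Trend Micro description, the PowerShell below looks for the Run value, registry keys, folders and dropped executable listed above and reports which are present on the machine; it removes nothing, and the process-name list is assumed from the dropped file names rather than stated by the page.

```powershell
# Added triage check (not part of the Trend Micro description).
# Reports which PUA.Win32.OptimizerPro.AE indicators from the listing
# above are present. Run in an elevated PowerShell session.

$findings = @()

# Autostart value under the current user's Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Optimizer Pro' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'Optimizer Pro' -> $($run.'Optimizer Pro')"
}

# Per-user configuration key and the Inno Setup uninstall key
$keys = @(
    'HKCU:\Software\Optimizer Pro',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Dropped folders and the temp installer; both Program Files locations are
# checked because the listing does not say which one a given system uses.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$paths = @(foreach ($r in $roots) { Join-Path $r 'Optimizer Pro' })
$paths += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Optimizer Pro'
$paths += Join-Path $env:windir 'Temp\Optimizer_Pro.exe'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Running processes named after the dropped executables (names assumed
# from the file list; Get-Process matches on the image name without .exe)
$procNames = 'OptProStart', 'OptProLauncher', 'OptProGuard', 'OptimizerPro', 'Optimizer_Pro'
foreach ($proc in (Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Optimizer Pro indicators found.'
} else {
    Write-Output "Optimizer Pro indicators found ($($findings.Count)):"
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

A hit on the Run value or the uninstall key alone is enough to proceed with the removal steps below; a hit only on the %Windows%\Temp installer suggests the setup ran but the product may already have been uninstalled.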

SOLUTION

Minimum Scan Engine: 9.850
SSAPI PATTERN File: 2.200.00
SSAPI PATTERN Date: 01 Aug 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

Step 3

Remove PUA.Win32.OptimizerPro.AE by using its own Uninstall option

Step 4

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PUA.Win32.OptimizerPro.AE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.