Trojan.Win32.IEDummy_45bf1f3120 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

SelectRebatesDownload.exe:756
SelectRebatesDownload.exe:1264
ShopAtHome_Toolbar_Installer.exe:608
regsvr32.exe:1236
SelectRebates.exe:160
%original file name%.exe:1564

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process SelectRebatesDownload.exe:756 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (123609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[2].txt (562 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (25 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (0 bytes)

The process SelectRebatesDownload.exe:1264 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (272 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)

The process ShopAtHome_Toolbar_Installer.exe:608 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6075 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2856 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3936 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12255 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (0 bytes)
%Program Files%\SelectRebates\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (0 bytes)

The process SelectRebates.exe:160 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (2 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (7301 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (168088 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7345 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)

The Trojan deletes the following file(s):

%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (0 bytes)

The process %original file name%.exe:1564 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (0 bytes)

Registry activity

The process SelectRebatesDownload.exe:756 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 4A DE 14 97 88 8B 4C 7E 09 61 18 E7 EE 8B D9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process SelectRebatesDownload.exe:1264 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 C7 A0 FF 83 9E 8D E6 59 B5 2C 1B DB ED 84 76"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ShopAtHome_Toolbar_Installer.exe:608 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 B8 BF B9 C2 E7 B5 53 13 07 6B 2C 9A 23 7C 85"

[HKCU\Software\ShopAtHome\Toolbar]
"TBHideFirst" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ShopAtHome_Toolbar_Installer.exe,"

[HKLM\SOFTWARE\ShopAtHome\SelectRebates]
"SelectRebatesLocation" = "%Program Files%\SelectRebates\SelectRebates.exe"

[HKCU\Software\ShopAtHome\Toolbar]
"TBShowOnce" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
"DisplayName" = "ShopAtHome SelectRebates"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
"URLUpdateInfo"

"URLInfoAbout"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"

The process regsvr32.exe:1236 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\ShopAtHome\Toolbar]
"EditWidthcombo1" = "1"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\VersionIndependentProgID]
"(Default)" = "ShopAtHome.IEToolbar"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCU\Software\ShopAtHome\Toolbar]
"KeepHistory" = "1"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\"

[HKCU\Software\ShopAtHome\Toolbar]
"RunSearchDragAutomatically" = "1"
"corruptedMsg" = "One of the XML files is corrupted or invalid. Press OK to uninstall."
"lastVersionMsg" = "You have the latest version of the ShopAtHome Toolbar."
"ShowExternalSearches" = "1"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\VersionIndependentProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}" = "00"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\ToolBand.ShopAtHomeIEHelper\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"

[HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\ProgID]
"(Default)" = "ShopAtHome.IEToolbar.1"

[HKCU\Software\ShopAtHome\Toolbar]
"PopStop" = "Untitled Toolbar has blocked a Pop-up window"

[HKCR\ToolBand.ShopAtHomeIEHelper]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCU\Software\ShopAtHome\Toolbar]
"autoUpdateMsg" = "New version of ShopAtHome Toolbar is available. Would you like to download and install new version?"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\0\win32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCR\ShopAtHome.IEToolbar\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"

[HKCU\Software\ShopAtHome\Toolbar]
"firstTime" = "1"
"ErrorMsg" = "Error"
"#EditWidthcombo1#" = "Widthcombo11"
"versionError" = "Can not find current version information."
"UpdateAutomatically" = "0"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\ProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"

[HKCU\Software\ShopAtHome\Toolbar]
"DescriptiveText" = "1"
"OpenNew" = "0"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCU\Software\ShopAtHome\Toolbar]
"AutoComplete" = "1"
"closeAllWindowsForUpdate" = "All running IE Windows will be closed before updating the ShopAtHome Toolbar. Continue?"
"RunSearchAutomatically" = "1"
"toolbar_version" = "undefined"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCU\Software\ShopAtHome\Toolbar]
"updateMsg" = "This will try to update the ShopAtHome Toolbar from the server. Continue?"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 3A 9D 78 3F 97 80 C3 EE 4A EF CD BE DE 1B 8C"

[HKCU\Software\ShopAtHome\Toolbar]
"toolbar_id" = "{A741D250-A6CF-4bf2-965E-A3E34D839C1D}"

[HKCR\ShopAtHome.IEToolbar.1]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCU\Software\ShopAtHome\Toolbar]
"contextMenuItemName" = "ShopAtHome Toolbar search"

[HKCR\ShopAtHome.IEToolbar.1\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"

[HKCU\Software\ShopAtHome\Toolbar]
"ShowFindButtons" = "0"

[HKCR\ToolBand.ShopAtHomeIEHelper\CurVer]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"

[HKCR\ShopAtHome.IEToolbar]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCR\ToolBand.ShopAtHomeIEHelper.1]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCR\ShopAtHome.IEToolbar\CurVer]
"(Default)" = "ShopAtHome.IEToolbar.1"

[HKCU\Software\ShopAtHome\Toolbar]
"AlertMsg" = "Alert"
"uninstallMsg" = "This will remove the ShopAtHome Toolbar from your computer! Are you sure?"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0]
"(Default)" = "ShopAtHome Toolbar 1.0 Type Library"

[HKCU\Software\ShopAtHome\Toolbar\tb_items]
"Widthcombo11" = "1"

[HKCU\Software\ShopAtHome\Toolbar]
"connectionError" = "Can't establish a connection."

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"

The process SelectRebates.exe:160 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 9E FD 87 92 F3 80 79 B7 38 31 48 11 3D B1 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayName" = "ShopAtHome.com Toolbar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"

[HKLM\SOFTWARE]
"test"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"URLUpdateInfo"
"URLInfoAbout"

The process %original file name%.exe:1564 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 D9 2E 29 29 AA 0C 8C 92 14 0C 32 E2 0D 3D 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5	File path
84ffd42c17931a9d1f8361e7680c78de	c:\Program Files\SelectRebates\SRFF3.dll
017e694bf86cd554b0fca3b09957e15f	c:\Program Files\SelectRebates\SRebates.dll
0bf024e4f8fc508acfed092399f0fb4c	c:\Program Files\SelectRebates\SelectRebates.exe
5c2402121f5bf6b7f9e3fe302cb291a0	c:\Program Files\SelectRebates\SelectRebatesApi.exe
409befc835a368ebcf4982992a9734ff	c:\Program Files\SelectRebates\SelectRebatesDownload.exe
388a88031cb58ff9ca2e879086ce7c15	c:\Program Files\SelectRebates\SelectRebatesUninstall.exe
28bfc80b6652ae0b1b5e4de75ff2247d	c:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
SelectRebatesDownload.exe:756
SelectRebatesDownload.exe:1264
ShopAtHome_Toolbar_Installer.exe:608
regsvr32.exe:1236
SelectRebates.exe:160
%original file name%.exe:1564
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (123609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[2].txt (562 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (25 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6075 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2856 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3936 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12255 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7345 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 5, 1, 0, 0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5, 1, 0, 0
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 5, 1, 0, 0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 5, 1, 0, 0File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	121281	121344	4.44674	0a4a07815935016e7d950efc567cbe85
.rdata	126976	32074	32256	3.67102	a76f200c1a789e8398a9a1464d8b2a86
.data	159744	22028	12288	3.6419	a0b1c81f9c2be75e367b049fcba8f400
.rsrc	184320	564312	564736	3.23133	0d0695fcd16884dae19679f149fe05f7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 41
913ecbb6ebd8af24405690f8f51eb19d
6d1b1c4ae8cbf6674f3f81361d0669a5
e5a9576236cf0049dd41e45f66b917da
5567ed6e0e2ea138079c52f5da3aed09
9f2823fb6ad46535691fb87e0213e2c8
3ff29db56f1325d7ab948b343ed65a02
05a10e475e9b486ac97a06d0f9a86498
8a322e260a4bf602ab492a7cde1998cd
f5b653858fdcadfe1707c03994a08852
4abfbb18ef212915d861315decd85a24
a8378a288476e60498131929502f1a3b
69a9aa59114a692033d84651be07a760
28db526c676b51fd1e6eb21381eae475
52aa3704bdad336a91f34c3c85b74489
0a5d0f996845bbe065314b0ee9e03175
3ded19ad916767049fa698e6bfb99a9c
08e9411296a4b1e0386a45526568c697
bd1737d5b0801e5fa5445047eabed3ec
2f8c20e9ebc84d65627f97ed85f53e15
523d470a0df20f973f494b025e24ab72
322c4b43b6c865ed80ff2da7012afbcd
846f3ee812ac61f362bd5a3cff98c652
b74ade0219d35cc17eda61b32e3fa64a
8cf2879f38765ecbd64a0736f62c6da6
cab433c93fe7afe4549b8b9119cb0f18

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

SelectRebates.exe_160:

.text

`.rdata

@.data

.rsrc

PSShh

FtPh

SPSSh

t0Ht(Ht.Ht'Ht

Ht

~!SSh

Yu%C;

PVSSh

t.VhluJ

VSSh&

SSh|~J

SSht~J

SShl~J

SShd~J

SShT~J

uÃ‹;U

YYSSh

Yu.Vh4DF

YVSSh

$%&'()* ,-./0123456789:;

VERSION.dll

SETUPAPI.dll

WININET.dll

MFC42.DLL

MSVCRT.dll

_acmdln

GetWindowsDirectoryA

GetProcessHeap

KERNEL32.dll

EnumWindows

EnumChildWindows

MapVirtualKeyA

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEPRO32.DLL

OLEAUT32.dll

MSVCP60.dll

ERROR: Event WaitForUnhookAll (%d)

{E03777A2-C73D-4a58-A4FB-28F813CA2583}

[INIT]: XML maps loaded status = %s

[INIT]: CheckSite timeout set to %dms.

[INIT]: FireFox status = %s

FireFox disabled

FireFox enabled

MyAccountUrl

[V] Module %s version is %s and the Agentprefs version is %s

[P] Skipping InfoPop#%d, Opt Out Detected (%s).

[Mouradeling] Url "%s" matches regex "%s". Mouradeling on.

[Mouradeling] Reset timeout to %d sec.

[PBM] pid(%d) = Unsupported: AOL.

[PBM] pid(%d) = Unsupported: Mozilla.

mozilla.exe

[PBM] pid(%d) = Unsupported: Netscape 6.

netscp.exe

[PBM] pid(%d) = Unsupported: Netscape 4.

netscape.exe

aexplore.exe

aol.exe

waol.exe

[PBM] pid(%d) = Firefox

firefox.exe

[PBM] pid(%d) = Internet Explorer.

iexplore.exe

[PBM] Browser Process for pid(%d) = (%s)

[PBM] Failed to get module file name for browser check. (%d)

[PBM] 0 modules returned by enum modules for %d. (%d)

[PBM] Failed to get enum modules for %d. (%d)

[PBM] Failed to get process handle for browser check. (%d)

%Y-%m-%d %H:%M:%S

%s_%d

[OO] OptOut for %s at %s

[OO] OptOut for %s and %s at %s

[OO] OptOut for %s removed.

[OO] Remove all OptOuts %s (%d).

%Y-%m-%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Failure to write %s to %s. (%d)

%s,%d

[M] Upgrade has run more than %d times already. Skip Upgrade.

Clearing upgrade flags: %s

[XPD] Popup %s impossible: %d pops already today.

[XPD] Popup %s impossible: %d pops already in last %d minutes.

[XPD] Failed to find XPD type %s. Allowing.

Rule %s: Popup(%d), Redirect(%d), DoSlider(%d), AdServe(%d), OldPop(%d), %sInfoPop(%d), HideRedirect(%d)

&global=click.linksynergy.com&afsrc=1

&URL=

&tim=%d

GR_check_site.html

http:

CheckSiteUrl

TTUrl

[A] Load result: http(%d): %s

[A] Error %d downloading image. But image is cached, using cached image. Returning 304.

[F] Copying image from "%s" to "%s"

[F] Load Image File: %s, Cache date: %s

[F] File: %s, Next check date: %s

%a, %d %b %Y %H:%M:%S GMT

[F] It is new BANNER/IMAGE %s, force download.

[A] Load image: %s

[A] Agent tracking %s/%s

agenttracking.asp

[A] Search tracking %s

/agent/searchtracking.asp

searchtracking.asp

[A] %s%s%sTracker result: http(%d): %s

Upgrade: Unable to report (%d,%s): poorly formatted or missing UT url: %s

[A] Upgrade Tracker result: http(%d): %s/%s

Upgrade: Reporting result(%d,%s) to %s/%s

Upgrade Result Report: Reporting result(%d,%s) to %s

[A] %d - Unknown error

[D] %s Url has changed. File is necessary to download. (Cache off) (%s->%s)

[D] Storing CID: %s (%s)

CustomerID funky. Changed from '%s' to '%s'

setCustomerID: '%s' seems to be in error. Filtered.

[D] Registry CID: %s

[XPan] Regexp_exception: (%d) %s

CHTTPLoaderThread

[A] HTTP Loader thread OK

ShopAtHome.com Toolbar

HTTP loader thread. Exit instance

0.0.0.7

[M] Opening install page %s

[M] Opening feedback %s

[S] Parameters: %s

[S] serviceRequest(%s) Command: %s

&os=%d

uniqueBundleKey=nonbundle

uniqueBundleKey=

updateURL

&updateURL=

validateURL

&validateURL=

{X-X-X-XX-XXXXXX}

PopupPassword

regpass=

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

Unknown command %s

Clearing cookie %s

Setting cookie %s to %s

Clearing ini %s

Unexpected # of parameters for %s: %d

Setting ini %s to %s

[S] UID: %s

[S] IP: %s

[S] Country: %s

[S] Registry query: %s

[S] Setup filename: %s

lsp_setup.exe

[S] Toolbar Update URL: %s

ToolbarURL

;ffTbUrl=

;toolbarURL=

[S] Update Path: %s

[S] Update Domain: %s

;updateURL=

[S] Auto Upgrade: new value: "%s" enabled: "%s"

[S] Update enabled: %s

[S] ValidateURL: %s

;validateURL=

[S] Validate enabled: %s

[S] NumberOfDaysNextUpdate: %s

[S] NumberOfDaysNextValidate: %s

[S] NumberOfDaysNextHearbeart: %s

[S]%s

%d-%d-%d %d:%d:%d

[XmlDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d

[XmlDataGC] 0x%x count = (%d). Delete Count = %d

[~CAlert] (0x%x)

[BD] Destroying Xml Data. 0x%x

2000-01-01 12:00:00

2020-01-01 12:00:00

[BCEXML] Parse Status = %s

[BCEXML] Memory Exception parsing XML: %s

[BCEXML] Error loading XML into parser(%d).

[BCEXML] Parse Result = %s

//Bce/tb/maxurllength

urls

urlsec

*shopathome.com,*shopathome.sah.com

[R] Global Ignore found: %s

[X] Specific Suppress "%s" found.

14,%s(%s)

[X] Per Merchant Suppress "%s(%s)" found.

[X] Global Suppress "%s" found.

[B] Rule %d not found. Default = %s

[B] Rule %d = %s

%s xmlData decRef(%d) = 0x%x

%s xmlData addRef(%d) = 0x%x

[CBceXml::releaseData] decRef(%d) = 0x%x

[B] Storing new Xml Data. 0x%x

[B] Parse Status = %s

[B] Memory Exception parsing XML: %s

[vectorSahGC] decReference (%d)

.PAVCSahGC@@

.PAUXmlObject@XML@@

.PAVBanner@@

.PAVCAlert@@

.PAVCCouponAlert@@

UrlEx

[B] Deleting duplicate ID: %s %s

HotImageUrl

ImageUrl

[AlertResponse] ID=%s [%s EXIST] Type=%s Text=%s ImageUrl=%s

.PAVSahSearchResponse@@

[XD] Skipping Global Suppress type %d: %s

Program[%s] has exe [%s]

Data = %s

ChildNode[%d]: Node Type = %d (NODE_CDATA_SECTION = %d)

Data= %s

[CXMLParser::CreateNode] AppendChildToParent failed: %s

(0x%x): %s

Unsupport type

[D] ERROR (%d)! %s loading failed.

[D] OK. %s. Last update %s

[D] OK. %s has not been modified.

[D] OK. %s was downloaded.

hXXp://

[D] No %s Filename. Ini file either blank or not writable.

[D] XML is invalid or damaged, exception thrown by CodeBuffer in GetFile: %s

[D] OK. Bce Xml. Last update %s

[D] Validate Path(b): %s

[D] Validate Domain(b): %s

agent/bce.sah

[D] Failed to copy %s file from %s to %s. [%d]

[D] Upgrade copied %s file from %s to %s.

[D] Bce specified skin file as: %s

[D] Error updating file %s: %d

SelectRebatesDownload.exe

FFToolbar.txt

agent/agentprefs_.sah

VVV.shopathome.com

[F] Error copying %s to %s. (%d)

[F] Getting update file "%s" from "%s/%s"

[F] Install Tracking: %s

.PAVCException@@

[F] Exception thrown by CodeBuffer in serviceQuery, %s

[F] Decrypted buffer: %s

[F] Buffer Size %d is larger than remaining buffer %d.

smartupdater/smartupdater.dll

cidUrlPages

cidUrlSites

[F] OK. preferences loaded. %s

[F] Exception thrown by CodeBuffer reading Prefs, %s

[F] New cab needed, cab dog (%s) version does not match running dog.

[F] New update cab downloaded: %s

_.exe

[F] New toolbar cab needed, cab toolbar (%s) version does not match running toolbar.

[F] Unable to create XML temp file, %s (Error=%d)

[F] exception thrown by CodeBuffer in GetFile: %s

[F] XML Merge failed: Error opening file %s. (Error=%d)

[F] Opened %s, size=%d

[F] Failed to open. Creating file %s

[F] Opening file %s

Error Parsing Temp XML. Count = %d. Reloading bce.

Error Parsing Temp XML. Count = %d. Resetting count and reloading bce.

%s entry found, but file %s does not seem to exist. Removing entry.

%s update failed: file %s seems to exist. Using %s entry.

[A] %s Upgrade Complete: %s New Version = %s

%s entry missing, but file %s seems to exist. Using %s entry.

[A] %s Upgrade to Uninstall Key Complete: %s New Version = %s

Deleting Old Uninstall file %s (%s)replaced by newer uninstall file %s.

SAHUninstallKey

FFToolbar\chrome\skin

[F] Loading SelectAlerts Failed (%d)

[F] Loading SelectAlerts: %s

Removing Excess %s: %s

[F] %s

[processSkinDirectories] Failed to open file %s. (%d)

[processSkinDirectories] Processed skin file %s.

[processSkinDirectories] Error reading file %s.

.SKIN

[F] Skin Directory[%d] = %s (%d)

[F] Skin[%d](%d) = %s Url = %s

[F] Signalling Toolbars: %s

[F] SelectAlerts saved in: %s

%xmlv

Only was able to write %d/%d bytes of Basis Xml file: %s

Saved BasisXml file: %s

*.DYM

[F] File %s is not found in %s.

[F] Looking for unused files in: %s

DefaultUrl

[F] File Added To Toolbar Cache List: %s

[F] Load. Image%s, , URL: %s, Local: %s

FFToolbar\chrome\skin\

[F] DownloadAndCache: %s

[FFToolbar] Done Processing Command %s

CmdProcessed

[FFToolbar] Command = %s

[FFToolbar] Exception parsing %s

[FFToolbar] Deleted %s.)

[FFToolbar] Error Deleting %s: (%d)

[FFToolbar] Error allocating %d bytes to read %s

[FFToolbar] Error Opening %s: (%d)

SelectRebates.ini

ShowIEToolBarForAll: No IE Exists, adding %s=1

{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}

[A] Show FF Toolbar added toolbar to %d Firefox Profiles.

SelectRebatesSkin.dat

.PAVCAlerts@@

.PAVCBannerAlerts@@

.PAVCSearchAlerts@@

[U] Exception thrown by CodeBuffer, %s

[F] OK. Preferences. Last update %s

[F] Prefs location changed, downloading again: %s %s

[F] Validate Path(a): %s

[F] Validate Domain(a): %s

[F] Exception thrown by CodeBuffer in GetPreferences, %s

[A] Exception thrown by CodeBuffer in ParseXmlFile, %s

[F] Waiting time %d second(s) for next %s...

[F] Repeat counter %d

[F] AttemptDownloadPrefs Success. (Event 0x%x)

[F] Setting up scheduler on %d seconds...

[checkNextUpdate] Retry mode finished: %s

[checkNextUpdate] Retry mode timeout %d second(s). Attempt counter: %d

[checkNextUpdate] Retry mode upto 10 times started at: %s

[checkNextUpdate] Update enabled: %s

[checkNextUpdate] Update Skipped: AutoUpdateFailedCount=%d > %d

[checkNextUpdate] Update needed. _retryMode = %s

[checkNextUpdate] InstallMustValidate enabled: %s

[checkNextUpdate] Validate enabled: %s

[F] Upgrade Path: %s.

[A] SahUpgrade RUN_ONCE key found.

Software\Microsoft\Windows\CurrentVersion\RunOnce

[A] AutoUpgradeStatus is %s, but it can not be cleared so no pop.

[A] Report AutoUpgradeStatus: Auto(%s) Status(%s) Result(%s).

[F] Error upgrading (%d): %s

Failed to extract toolbar cab name from ToolbarURL: %s

[F] Iterate Toolbar Cabinet Failed. Unpacked %d Files. Error(%d %d)

[F] Download Toolbar File (%s)(%s) to %s

Toolbar Upgrade Failed: Unable to find windows temporary folder.

[F] Error launching updater (%d)

[F] Starting updater: %s

[F] Iterate Cabinet Failed. Unpacked %d Files. Error(%d %d)

[F] Path: %s

[F] Server: %s

update911.exe

setup911.tmp

Unable to find windows temporary folder.

0.0.0.0

[F] SelectRebatesUpgrade signal unexpected value = %s(%d) (Error=%d)

[F] SelectRebatesUpgrade Failed: CreateProcess failed (%d)

[F] SelectRebatesUpgrade: Launching %s

[F] SelectRebatesUpgrade. Execute newer SelectRebates (%s). (Upgrading from %s)

[F] SelectRebatesUpgrade Failed. Unable to find new SelectRebates file %s.

[F] SelectRebatesUpgrade. ERROR: %s found on the command line. Infinite Upgrade Loop Diffused?

[F] SelectRebatesUpgrade. New SelectRebates (%s) running.

[F] SelectRebatesUpgrade. SelectRebates running, but version (%s) does not match expected(%s).

[F] SelectRebatesUpgrade COMPLETE! Deleted upgrade file %s

[F] SelectRebatesUpgrade. Failed to delete upgrade file %s. (%d).

[F] SelectRebatesUpgrade. Error: New and Old SelectRebates have the same filename: %s

[F] SelectRebatesUpgrade Failed. Unable to parse module name %s.

[F] Removing %s and %s temp directories.

[F] Delete Upgrade File: %s %s

[F] Delete EulaUpgrade File: %s %s

Failed (%d)

[F] Checking for upgrade files to remove. UpgradeStatus=%s

[F] SelectRebatesUpgrade Copy Failed (%d)... Try again later.

[F] SelectRebatesUpgrade Complete. New file %s copied. Status=%s

[F] SelectRebatesUpgrade. Replacing %s (%s)

[F] SelectRebatesUpgrade. Copying New %s (%s)

ShowWindow = (%d): %s

CCheckServerDialog::MyCreateFont = 0x%x

CCheckServerDialog::OnPaint::serverUp(%d):%s

%s is temporarily unavailable for cash back rebates.

%s is again available for cash back rebates.

[P] Skipping Popup: MID = %d, PopupID = %d

[P] Skipping Older Popup: MID = %d, PopupID = %d

[P] Rule set: DoRedirect = %s, DoPopup = %s, DoSlider = %s, RedirectSuppress = %s (%s)Pop(%d) (Rule: %s)

[R] Rule %d for MID=%d is not defined

[R] Upgrade Rule %d for MID=%d is not defined

[P] Upgrade DoPopup = %s %sPop(%d) (Rule: %s)

[R] Dog NeedsUpgrade. Rule %d for MID=%d.

[P] Rule ID: %d

[P] NeedsUpgrade: %s

[P] Current Browser Has A visible Toolbar: %s

[P] DisableRedirects user: %s

[P] Stealth user: (%s) = %s

[P] Failed fo find popup (%d).

[P] Error loading InfoPop %d for mid(%d). Popup %d not found.

[P] Building Popup for %d: %d

[P] Image is not set for popunderID=%s

[P] Image is not found for popunderID=%s

[P] Building Popunder for %d: %d

checkpassword

[P] Unable to write PopupHtmlFile: %s

[P] Do Secondary reg pop option is: %d

[P] Do initial reg pop option is: %d

Error-%s

[P] Do Donovan's Popup(%d) here for mid(%d): %s

XPDX(%d)

BLD(%d)

[P] Error building InfoPop %d for mid(%d). Popup %d replace failed.

XPD(%d)

NF(%d)

[P] Error building InfoPop %d for mid(%d). Popup %d not found.

[P] Building InfoPop for %d: %d

Mozilla

[PT] Warning: No version operator found processing popup.

Unable to create IE control container in PopWindow, Last Error = %d

Shell.Explorer.2

v=1,pid=%d,data=%s,%s

Unable to parse destination url: %s

Unable to open link in PopWindow navigate: %s

Unable to parse url: %s

PopWindow navigate: %s

[CWindowImplBaseT::StartWindowProc] pThis(0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x) StartWindowProc(0x%x)

[CWindowImplBaseT::WindowProc] pThis(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!

[CWindowImplBaseT::WindowProc] pThis(0x%x) m_hWnd(0x%x) wndProc(0x%x)

[Luke's Debug] Toolbar HWND = 0xx

[Luke's Debug] Parent HWND = 0xx

Create POP Url!.

[~BrowserDataWrangler] rc=%d

[B] AdServe. Shell windows init %s. (result = %d)

[B] FireFox Document Complete CopyData: %d(%d)

[B] FireFox Document Complete

Exception in SaveFireFoxCopyDataContent

[M] WM_COPYDATA message. Type: %d

Unknown ItemID in Firefox data: %d

Error in Firefox COPYDATA. Data Overflow.

[B] FireFox COPYDATA %d(navPtr=%d, ver=%d)

Exception in ProcessFireFoxContent

[B] FireFox. Toolbar call

[B] searchIE failed to find a browser object: "%s" (0x%x).

[B] Creating new Attribute called: "%s".

Advise#%d-%s

[X] Deleting Attribute called: "%s"

[B] exception 2 thrown by searchIE. exceptionTrack = %d

[B] exception 1 thrown by searchIE. exceptionTrack = %d

[B] Browser FOUND. Top window: 0x%x, class: %s

[B] Checking HWND 0xx against 0xx in searchIE

[B] Window 0x%x was found by old code

[B] exception thrown by searchIE. exceptionTrack = %d

[B] Hidden browser FOUND. Top window: 0x%x, class: %s

[B] Window 0x%x was found by new code

[B] Found %i number of shell windows

[B] %s

Cannot get count. Try to get ShellWindows again.

MException trying to navigate same IE tab to: %s

[BrowseToUrl] Browse to IE tab (0x%x): %s

[IEEvents] DISPID_PROPERTYCHANGE - %s

[E] DISPID_PROPERTYCHANGE: LookupFailed 0x%x

[B] ExtraHeaders: [%s] URL: %s

[B] Headers: [%s] URL: %s

[E] DISPID_BEFORENAVIGATE2: %s

[E] DISPID_BEFORENAVIGATE2: LookupFailed 0x%x

[E] DISPID_DOCUMENTCOMPLETE: %s

[E] DISPID_DOCUMENTCOMPLETE: LookupFailed 0x%x

[IEEvents] (0x%x) %d

[IEEvents] (0x%x) %d %d, %d

[B] CBrowserEvents::toolbar. MAIN Frame URL: %s

[X] remove is removing attribute: "%s"

[X] removeAll is removing attribute: "%s"

[Mouradeling] Canceling redirect for 0x%x to: %s

Removing Mouradeling %d from _mouradelingList

BrowserEventsTimerProc(0x%x,%d,%d,%d)

[Mouradeling] SetTimer(0,0,%d,BrowserEventsTimerProc)

[B] Unhanded Exception in executeMouradelingAction.

[Mouradeling] Browse to IE tab (0x%x): %s

[Mouradeling] Cancelled: No source url.

[BrowserEventsTimerProc] Mouradeling %s(flag=%d). DC(#%d)-> pid(%d) mid(%d): %s)

[Mouradeling] Url matches regex "%s". Mouradeling filter on. Skipping DC. (%s)

MozillaUIWindowClass

MozillaWindowClass

mozilla firefox

windows internet explorer

[P] Error launching api pop: %d

[S] Start Search PopUnder #%s

[S] Unable to update SearchPopunderNumber. Skipping search: LastError=%d

S2> UniversalRequest response: %d

S2> Params: %s

[S] Search url: %s

[S] Search string: %s

[S] Search off, ignoring search term: %s

[S] Secondary Registration Delay %d seconds.

[S] Start session for: %s. %d second timeout then checking for next update

[S] Search: Search123 : %s

[S] Search Disabled: %s

[S] Search pop-under is restricted by Rule: %d

[S] Search pop-under is disabled. Enabled only for countries:

S2> Unable to update Search2Number. Skipping search2: LastError=%d

[S] Duplicate Search found: %s

[S] ProcessSearchEngine: %s

[S] FindWhat: %s

193.168.0.12

&mt=%s&ip_addr=%s

[S] Search123: %s

src="hXXp://

[M] LibraryHooked (%d)

[M] Hooking Skipped: Running process (%d) matches pid.

[M] Hooking Skipped: Process %d is already hooked (Lib Hook = 0x%x).

[M] LoadLibrary Install Process Hook: hwnd:0x%x tid:0x%x pid:%d

[M] LoadLibrary Install Process Hook Skipped: IE8 IS NOT detected (found explorer.exe instead)! hwnd:0x%x tid:0x%x pid:%d

[LibHook] Remote LoadLibrary %s: hModule=0x%x

[LibHook] CreateRemoteThread failed. 0xx

[LibHook] Found pre-existing DLL in Process ID 0xx, backing out

[LibHook] VirtualAllocEx failed. h=0x%x error=%d

[LibHook] Could not open Process = 0xx

[M] Injecting Hook into process id 0x%x

[M] Hooking Skipped: Process %d hooked itself!

[M] Toolbar Hook Detected: pidA=%d pidB=%d

[M] Unable to remove hook on pid %d, no hLibModule found.

[M] FreeLibrary result = %d

[M] Failed to CreateRemoteThread to unload hook in (%d)

[M] FreeLibrary Remotely run FreeLibrary in process handle (0x%x)

[M] OpenProcess failed. (%d)

[M] FreeLibrary Install Process Hook: pid:%d

[M] Browser Found (%s, %s) Post BEMessage_CheckWindow... enum HWND: 0x%x

[CCheckBrowser] PID = ] HWND = 0x%5x Class = s

[CBP] Image Found: %s

background-image: url(

[TBar] Regexp_exception: (%d) %s

[TBar] RegEx. UrlEx: %s, id: %s

[TBar] Regexp_exception search: (%d) %s

[M] UrlEx AlertRequests are off.

[M] SearchEx and UrlEx AlertRequests are off. Skipping RegEx.

[TBar] CCheckBrowser::RegExToolBar. No url terms.

[TBar] CCheckBrowser::RegExToolBar. Query %s, phrase: %s

[TBar] CCheckBrowser::RegExToolBar Sending ESearch search phrase to AlertServe: %s

[TBar] Sent Search Phrase to IE Toolbar History: %s

%d|%d|%s

[R] Skip: Blank Url

[R] Skip: MID=%d. Redirect OFF (No Need) URL (%s)

[R] Skip: MID=%d doRedirect is false. AutoRedirect is turned OFF

[R] Skip: MID=%d Trigger=%s has redirect set to no. AutoRedirect is turned OFF

[R] Skip: MID=%d is not SAH client, AutoRedirect is turned OFF

[R] AutoRedirect: %s

[R] MID=%d SAH client, AutoRedirect ON

[R] Skip: MID=%d SAH client, AutoRedirect OFF

[R] Skip: SPECIFIC domain. Redirect OFF. (MID=%d)

[R] Skip: SEEING EYE HELPER REDIRECT OFF: Redirect OFF. (MID=%d)

[R] Skip: Delay Redirects Until %s: Redirect OFF. (MID=%d)

[R] Current Hook version is: %s

[R] No popup specified for MID=%d.

[R] Skip. Check Site! popup (%d)%d

[R] Redirects are disabled until: %s

[R] OptInRedirect option is: %s

[R] Hook(%d): %s

[R] Hook: * %s

[R] Suppress is turned ON for MID:%d for %d seconds

[R] Suppress turned ON for url "%s" for %d seconds

[R] MID=%d. Site Down: Redirect back ON

[R] MID=%d. Redirect is turned ON

[R] GLOBAL domain. Redirect is turned OFF for MID=%d (%s)

[R] MID=%d. Redirect OFF, Suppress%s Timeout for another %d seconds.

[R] Ignore URL E: %s

webfastconnect

[R] AdServe URL. Globally suppressed for %d more seconds.

[R] Ignore Frameset URL: %s

[R] Ignore URL D: %s

[R] Ignore URL C: %s

topmoxie.com

[R] Ignore URL B: %s

sysupdates.com

[R] Ignore URL A: %s

ebates.com

[R] MID=%d. Redirect OFF (MarkAsNotRedirect)

[R] New GLOBAL Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)

[R] Resetting GLOBAL Suppress Time to %d seconds. PID(%d) Type = %s (%x)

[R] New Per Merchant Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)

[R] Resetting Per Merchant Suppress Time to %d seconds. PID(%d) Type = %s (%x)

[R]Removing GLOBAL domain for PID %d. Type = %x (%s)

[R]Removing expired suppress for PID %d. Type = %x (%s)

[R]Removing suppress for PID %d. %s (%d) 1

[R] Suppress Found PID(%d) / MID(%d). Type = %s (%x) (%d sec remain)

[R] Removing Suppress PID(%d) / MID(%d). Type = %s (%x)

[R]Removing GLOBAL domain for PID %d. 1

Checking FramesetoutList: pid(%d) mid(%d)

Redirect detected, : pid(%d) mid(%d): %s

[R] Unexpected framesetout. Not triggering extra Redirect AlertRequest for %d

[R] InfoPop(%d) found... we are probably in the redirect thread, and I'm not sure what to do at this point... defininitely can't build the pop here. Going to push it to the popup thread to build and download.

[confirmRedirectOccurred] Also recording framesetout on unexpected pid= %d mid(%d)

[confirmRedirectOccurred] ared(NULL) pid(%d), mid(%d)

[confirmRedirectOccurred][DC Mouradeling - Off] (Flag=%d)

[confirmRedirectOccurred][Mouradeling - Off] %s (%s)

No Url

[confirmRedirectOccurred][Mouradeling - On] Wait for ON_DOCUMENT_COMPLETE and goto %s

[confirmRedirectOccurred] ared(#%d)->pid(%d) mid(%d) Popup(%d, %d, %d, %d)

[M] FrameSetOut from toolbar: %s

[M] persistID[%d] size = %d

decodeQueryStringCoderZip2 failed. bad buffer size= %d.

Incorrect key length

\wininit.ini

PendingFileRenameOperations

[CQueuePending] UnPendMove List of files: %s

[CQueuePending] Processing %d ClearPend File%s.

UnPendMove(%s) %s

Detected Pending Move of %s

Found %d default detection items.

Detected the following items: %s

Item #%s %s found (%s)

pad.exe

can.exe

tmgr.exe

ield.exe

svc.exe

KERNEL32.DLL

%d.%d.%d.%d

\StringFileInfo\XX\FileVersion

[DT] Transaction 0x%x sis clearing wrapper 0x%x

~CDownloadTransactionWrapper 0x%x

Error sending WM_COPYDATA message to 0x%x. Error downloading.

[U] Timeout Waiting for Download Done - %d (%d)

[U] Window found: %x. Send WM_COPYDATA from 0x%x.

[U] Storing this transaction (0x%x) in wrapper 0x%x

[U] Buffer length = %d

[sendDataBuffer] >>>>> Lock section: %s %s

[sendDataBuffer] >>>>> Getting Ready to lock section: %s %s

[U] sendDataBuffer. %s%s

Download Exe Window Found 0x%x! Version = %d

Browser Downloader Window Found 0x%x! Version = %d

[U] HTTP result: %d

[U] Method: %s Content type: %s

http=

[U] Server: %s path: %s content: %s

InternetSetCookie failed to add %d.

InternetSetCookie failed to remove %d.

InternetSetCookie(%s): %s (%s)

GetCookieValue FINISH: %s

InternetGetCookie failed %d.

GetCookieValue (%s)

[U] Cookie Blocked! Using previous %s cookie value of "%s"

[U] Clear cookie: %s (%d)

[U] Cookie Blocked! Using default cookie value of "%s"

[U] Get cookie failed. (%s)

[H] WM_COPYDATA finish. Download Failed, transaction not found (window :%x) (result :%d) (path: %s)

[H] WM_COPYDATA finish. Download Done (window :%x) (result :%d)

Download Path %s does not match requested path %s

[HIE] GetWindowText(0x%x)

[FindHookWindow] SearchForDownloadWindow(%d) = 0x%x

[FindHookWindow] SearchForDownloadWindow(%d)

?456789:;

!"#$%&'()* ,-./0123

PsApi.dll

[IE8?] GetModuleFileName failed to get browser name (%d)

%s at: %d

[HIE] read map: 0x%x

[U] Time-out before close hidden %d sec.

[HIE] Cannot find IE, opening temp IE window, count = %d.

[HIE] Searching for IE window, count = %d

[HIE] Temp IE window, count = %d.

[closeDownloader] Closing hidden Downloader window based on pid(%d) 0x%x

[closeDownloader] Closing hidden Downloader window based on HWND 0x%x

[closeDownloader] pid(%d) hwnd(0x%x)

[waitForStart]Found hwnd 0x%x.

[waitForStart]Searching for %s window.

[waitForStart] Found hwnd in map: 0x%x.

[cleanHIE] IE window cleanup delayed, count = %d

Closing downloader Exe window 0x%x!

[closeIE] Quit IE failed, trying WM_CLOSE... 0x%x

[closeIE] Quitted IE... 0x%x

[closeIE] Quitting IE... 0x%x

[openIE] Exception opening IWebBrowser2.

[openIE] IWebBrowser2 failed to provide a good HWND.

mozillauiwindowclass

SearchForTopHiddenIEWindow(%d)

URLUpdateInfo

URLInfoAbout

UninstallUpdateUrl

UninstallAboutUrl

UninstallHelpUrl

Software\Microsoft\Windows\CurrentVersion\Uninstall

[A] Removing uninstall key %s

Setting Uninstall Data (%s || %s)

Warning: NOT Releasing Mutex (we don't own it.) (0x%x) (%d)

Released Mutex (0x%x) = %d, %d

Timeout waiting for Mutex. (%dms)

Error waiting for mutex WAIT_FAILED (%d)

Unknown Mutex code (%d), error.

shell32.dll

shfolder.dll

[XmlSkinDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d

[XmlSkinDataGC] 0x%x count = (%d). Delete Count = %d

COM Error = %d

[SAHSKIN] Parse Status = %s

%s XmlSkinData decRef(%d) = 0x%x

%s XmlSkinData addRef(%d) = 0x%x

[CSahSkin::releaseData] decRef(%d) = 0x%x

[CSahSkin::ParseXmlFile] %s

[CSelectAlertSettings] OptOut Found: %s

SelectAlerts.dat

ShopAtHomeToolbar.dll

firefoxtoolbardir

install.rdf

basis.xml.temp

basis.xml

toolbar@shopathome.com

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

ToolBand.ShopAtHomeIEHelper

{E8DAAA30-6CAA-4b58-9603-8E54238219E2}

ShopAtHome.IEToolbar

{462E4AEC-DB3B-4e69-AF61-4F300D76255C}

[F] Toolbar Uninstalled = %s

[F] Toolbar Installed = %s

internet explorer\iexplore.exe

Failed to copy toolbar files: %s

Toolbar to install (%s) is older than the existing toolbar (%s): %s

Error creating %s directory for toolbar (%d)

Registering Firefox Toolbar: %s

Removed Empty Directory: %s

Checking for Firefox Toolbar: %s

No Firefox Toolbar found at %s

Failed to unregister Firefox Toolbar: %s

Removing file: %s

Unregistered Firefox Toolbar: %s

Removing directory: %s

Mozilla\Firefox\

Profile%d

Mozilla\Firefox\Profiles.ini

Firefox is %sinstalled.

Mozilla\Firefox\Profiles

Firefox %s complete. #Success = %d #Fail = %d

%s FF Toolbar: profiles in %s

Failed to find Application Data directory. (%d)

[uninstallToolbarRegistrySettings] Deleting Toolbar reg keys for %s.

Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

[T] Toolbar Upgrade Complete. Deleting old toolbar file: %s

[Basis] Failed to install new basis %s from to %s (%d)

[Basis] New basis %s copied to %s

[Basis] Basis restore failed: %s %d

[Basis] Basis restored. Deleting temp Basis: %s

[Basis] Restoring old Basis: %s

[Basis] Basis updated. Deleting old Basis: %s

[UpgradeToolbar] Failed to copy new toolbar %s over old toolbar %s. (%d)

[UpgradeToolbar] Successfully copied new toolbar %s over old toolbar %s.

[T] Failed to register toolbar: %s

[T] Failed to set toolbar registry keys: %s

[UpgradeToolbar] Toolbar upgrade Pending: %s : %s

Toolbar RegistrationA failed (%d);

[installToolbar] RegisterToolbar regsvr32 failed (%d) with error %d.

[installToolbar] Calling regsvr32 to install toolbar: runProcess(%s)

[installToolbar] all %d Registry Keys Set.

[installToolbar] Mini Toolbar Key Upgrade failed to Upgrade (%d %d) keys from %s to %s.

[installToolbar] Mini Toolbar Key Upgrade Upgraded %d keys from %s to %s.

TbReg no rights(%d). Set %d of (%d %d %d) keys.

[installToolbar] Insufficient rights (%d) to do toolbar registration. Currently have set %d of (%d %d) keys.

[installToolbar] Toolbar %s is registered, checking for rights to register %s

[installToolbar] Existing Toolbar Keys detected. Upgrading %s to %s. (%d,%d %d)(Rights=%d)

[installToolbar] RegisterToolbar(%s, %s)

Toolbar RegistrationB failed (%d);

[installToolbar] regsvr32 failed (%d) with error %d.

TbReg only set %d of (%d %d %d) keys.

[installToolbar] Toolbar keys for %s found.

[installToolbar] Toolbar registration only set %d of (%d %d) keys.

Windows Vista

Windows 2003

Windows XP (Whistler)

Windows 2000

Windows ME

Windows 98

Windows NT 4.0

Windows 95

Windows NT 3.51

Deleting %s %s.

WebFastConnect

0123456789

Terminate Process %d

CreateProcess pid = %d

CreateProcess Failed (%d)

IELaunchURL Failed (hr=%d;Error=%d)

IELaunchURL pid = %d

\FirefoxHTML\shell\open\command

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command

internet explorer\iexplore.exe" "%%1"

.html

[browseWithIWebBrowser2] Exception opening browser

[browseWithIWebBrowser2] Failed to open browser with HWND: res=%d

[browseWithIWebBrowser2] Closing HWND: 0x%x

[browseWithIWebBrowser2] Force browser to front: 0x%x

[browseWithIWebBrowser2] Opened browser with HWND: 0x%x pid(%d) ::IsWindow=%d

Content-Type: application/x-www-form-urlencoded

[browseWithIWebBrowser2] %s (hidden=%d,msWait=%d,forceToTop=%d)

[RunIe] (0x%x) Skipped: There can be only one.

[RunIe] (0x%x)

Process pid = %d

CreateProcess failed (%d)

CreateProcess(%s,%s)

CreateProcessAsUser failed (%d)

OpenProcessToken returned processToken(0x%x). CreateProcessAsUser(%s,%s)

OpenProcessToken failed (%d)

WaitForSingleObject() = %d

ShellExecute failed with error %d.

ShellExecute succeeded.

ShellExecute(0,open,%s,%s,0,Hide)

[CopyDirectory_CopyFile] %s: %s -> %s

[CopyDirectory_NewDirectory] Created Directory: %s

[CopyDirectory_NewDirectory] Error Creating Directory: %s (%d)

[ITB] Installing toolbar files from %s to %s.

[SVistaDll] Failed to load IEIsProtectedModeURL.

[SVistaDll] Congratulation! IEIsProtectedModeURL address is 0x%x

[SVistaDll] Congratulation! IEIsProtectedModeProcess address is 0x%x

[SVistaDll] Failed to load IELaunchURL.

[SVistaDll] Congratulation! IELaunchURL address is 0x%x

IEIsProtectedModeURL

IELaunchURL

ieframe.dll

[SVistaDll] Congratulation! ChangeWindowMessageFilter address is 0x%x

user32.dll

[SVistaDll] Congratulation! ConvertStringSidToSid address is 0x%x

[SVistaDll] Congratulation! ConvertStringSecurityDescriptorToSecurityDescriptor address is 0x%x

Advapi32.dll

[SVistaDll] %s %s%d %s

[SVistaDll] IEIsProtectedModeURL uninitialized

%s %s

BN %d %s

DC %d %s

Firefox

Firefox DC %s

%d_%s

Error Creating Directory: %s (%d)

Created Directory: %s

support for \P, \p, and \X has not been compiled

PCRE does not support \L, \l, \N, \U, or \u

this version of PCRE is not compiled with PCRE_UTF8 support

POSIX collating elements are not supported

erroffset passed as NULL

POSIX named classes are supported only within a class

operand of unlimited repeat could match the empty string

[TB] %s

[TB] Seconds last asked %d sec. min_interval: %d sec. (last received: %d sec)

[TB] Last received for favorites: d-d-d d:d:d

[TB] Activate favorite trigger. open_interval: %d seconds (157)

[TB] Last asked for favorites: d-d-d d:d:d

[TB] Activate request. favorite_alert_delay: %d ms

[TB] Add request type="Favorites", Last(Received)Favorites="%s"

[TB] Item %s. Type: %s, String: %s, MID: %d

[TB] Item %s. Type: %s, String: %s, LastFavorites: %s

[TB] Item %s. Id: %s, Type: %s, String: %s

[TB] Delay alert request. Timeout: %dms

[TB] Requests size %d. Limit: %d

[TB] AddSearchRequest. Result %s. Id: %s, Type: %s, String: %s

[TB] Requests count %d exceeds the limit %d

[TB] Removing SahSearchRequest. Id: %s, Type: %s, String: %s

[TB] Dedup seconds expire, %s

[TB] ToolBar response: %s.

ToolbarUninstallReport

{0B5DAF6D-4671-49dd-B7E3-69A4293F80B6}

%d|%d|

[D] Timer expired. HWND: %s

[M] detectionResult = %s

[M] Upgrade Status Delay: %dms

[M] Registration Delay %d seconds.

[A] Added FF Toolbar extension to %d Firefox Profiles.

[M] CException in theApp.fileManager.checkNextUpdate()

[M] Start timer %s min

UnInstallExecute

[M] Close Hidden in %dms

[P] Error launching uninstaller: %d

[P] Error starting hook update (%d)

[M] Starting full update: %s

You have successfully logged into ShopAtHome.com. Enjoy your Cash Back shopping!

Incorrect password for this email address. Please try again.

Already have a messagebox open with same email/password.

Thank you for registering with ShopAtHome.com.

MessageBox: "%s"

forgotpassword

[M] Duplicate registration event: %s

PopUnderURL

[M] Shell Execute returned %d.

[M] Opening page %s

[M] Error Creating CheckServer Thread. (%d)

[R] Cancelling Popup for %d.

[R] Hook CheckSite(%d)%d - Site is NOT available.

[R] Queueing Popup for %d.

[R] Hook CheckSite(%d)%d - Site is available.

[M] WM_USER 112 message. Command: %d

[M] WM_COPYDATA message. Command: %d.

[M] Obsolete Metaupdate 555 signal from pre 4.2.5.0 hook.

Handling class:%s HWND:[0x%.8x] Main window %s: HWND:[0x%.8x]

--------- List of handling windows

Main window %s: HWND:[0x%.8x] Handler pointer:[0x%.8x] Edit HWND:[0x%.8x]

--------- List of IEFrame windows

[M] Check for alerts on redirect: URL:%s

[M] Optout List Selected: %s

[ToolbarAlert] #%d

[M] FirefoxToolbar Fso Signal

[Luke's Debug] Adding new IE8 tab [0xx] found by browser signal toolbartab

[Luke's Debug] Adding new tab [0xx] found by browser signal toolbartab

[M] New Browser Signal: WM_USER 500 message. wParam: 0x%x (type=%d)

[M] %s

Removed HTTP loader thread

WARNING: HTTP loader thread is terminated

WARNING: Failed to post WM_QUIT to redirectThread (%d)

[M] WebFastConnect Uninstall request

WebXb

?cmd=status

[M] Unininstall request reported...

[M] Uninstall request report failed.

[M] Uninstall request report failed... retry in 2 minutes.

ASUninstallReport

UninstallReport

[M] Registration request reported...

[M] Registration request report failed... retry in 2 minutes.

Install Registration(%d) - %s - %s

[M] WM_SETTEXT message. Type: %d

[LoadCharFileIntoCString] CreateFile Failed %d

[LoadCharFileIntoCString] %s

[CSahEvent] data (0x%x) refCount=%d

[CSahEvent::=] data (0x%x) refCount=%d

[~CSahEvent] data (0x%x) refCount=%d

[CSahEventManager] Error creating event %s.

UniqueBundleKey

Failed to register %s class! (%d)

Downloader %s does not exist?? COpenHiddenIEIfNone will use IE.

Activating COpenHiddenIEIfNone with %s.

[A] Windows 95/98/ME

[A] Windows NT based system

aswfctemp.ini

[A] New bceXMLTmp filename: %s

vincfile.dat

[A] New bceXML filename: %s

SelectRebatesB.dat

vbcefile.dat

SelectRebatesU.dat

SelectRebatesH.dat

SelectRebatesA.dat

[A] SelectRebatesSelfUpgrade completed! Exiting this instance. (%s)

SRebates.dll

[No Hook Found] Dead Dog! KillSelf(%s)

SelectRebates.exe

Uninstaller found at %s. Chameleon Dog!

Uninstaller found at %s. Program Files Dog!

SelectRebatesUninstall.exe

USE_IWEBBROWSER2

_WINDOWS

[A] Using exe substitution ini file: %s

[A] Using SelectRebates ini file: %s

[A] Started SelectRebates: %s (built %s %s).

14:29:29

SRebates.log

Software\Microsoft\Windows\CurrentVersion\Run

[M] CheckD=%s

SRFF3.dll

127.0.0.1

Setting CheckMeta: %s

[A]Hook copy failed, using new file for now: %s

[A]Old Hook deletion (c): %s

[A] Switch to new dll: %s

[A]Hook install time: %s. Last Reboot time: %s

[A]Deleting new DLL: %s

[A]New DLL Name = %s

[A]Old DLL Name = %s

[A]Loading library: %s

[installThreadHook] LoadLibrary(%s) has failed (%d): %s.

[installThreadHook] Thread Hook (%s) has been installed.

[A] AdServe disabled by pref: AdServing=%s.

[A] AdServe disabled. On only for countries %s

[A] AdServe disabled by rule: %s

[A]Shell Execute returned %d.

[A] ShellExecuting page %s

[A] Browser %s FOUND (0x%x)

chrome_widgetwin_0

[CWindowImplBaseT::SubclassWindow] (0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x)

[CWindowImplBaseT::UnsubclassWindow] this(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!

[CWindowImplBaseT::UnsubclassWindow] (0x%x) m_hWnd(0x%x) our(0x%x) active(0x%x) original(0x%x)

[F] Temporary File Name = %s

%Program Files%\

nts,washingtonpost.com/wp-adv,washingtonpost.com/biz,washingtonpost.com/wp-apps,washingtonpost.com/wp-stat,washingtonpost.com/wpost2,washingtonpost.com/weather,washingtonpost.com/2014,washingtonpost.com/rf,washingtonpost.com/jobs,washingtonpost.com/a,washingtonpost.com/answer-sheet,washingtonpost.com/commons,washingtonpost.com/ask-amy" m="122999" t="0" />

ontactinfo.php,zoosk.com/redeemcoins.php,zoosk.com/verify-photo,zoosk.com/date-feedback,zoosk.com/forgot.php,zoosk.com/activate-account,zoosk.com/en,zoosk.com/logout.php,zoosk.com/subscribe,zoosk.com/subscribe.php,zoosk.com/forgot,zoosk.com/settings.php,zoosk.com/discount.php,zoosk.com/contactinfo,zoosk.com/support.php,zoosk.com/minimuminfo.php" m="48476" t="0" />

%Program Files%\SelectRebates\Toolbar\

%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll

%Program Files%\SelectRebates\SelectAlerts.dat

%Program Files%\SelectRebates\Toolbar\ImageCache

%Program Files%\SelectRebates\FFToolbar\

%Program Files%\SelectRebates\FFToolbar\install.rdf

version="4.4.0.3"

name="SelectRebates.exe"

ShopAtHome.com

Password

Server : port

5, 2, 0, 0

iexplore.exe_1756:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.fg>

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps