Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 45bf1f3120172c704ff0b27281b7f73d
SHA1: 7c888c06964fd84916978d4d8bb8ab257f4bd734
SHA256: a3d9177bb5353249f14072181e17db6a8115124c7dfcba40a6dbcd4349000a1a
SSDeep: 6144:zi3asTIPExWUZnT357pyC2Vq8877ZG2CPRgAXql39tMx24XfXhSVZ1L UoRDaeyr: 3tSExlv2NpgA6l38xlpSN9uE OJ
Size: 735336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2010-02-22 19:39:25
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SelectRebatesDownload.exe:756
SelectRebatesDownload.exe:1264
ShopAtHome_Toolbar_Installer.exe:608
regsvr32.exe:1236
SelectRebates.exe:160
%original file name%.exe:1564
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SelectRebatesDownload.exe:756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (123609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[2].txt (562 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (25 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (0 bytes)
The process SelectRebatesDownload.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (272 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
The process ShopAtHome_Toolbar_Installer.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6075 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2856 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3936 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12255 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (0 bytes)
%Program Files%\SelectRebates\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (0 bytes)
The process SelectRebates.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (2 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (7301 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (168088 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7345 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
The Trojan deletes the following file(s):
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (0 bytes)
The process %original file name%.exe:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (0 bytes)
Registry activity
The process SelectRebatesDownload.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 4A DE 14 97 88 8B 4C 7E 09 61 18 E7 EE 8B D9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process SelectRebatesDownload.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 C7 A0 FF 83 9E 8D E6 59 B5 2C 1B DB ED 84 76"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ShopAtHome_Toolbar_Installer.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 B8 BF B9 C2 E7 B5 53 13 07 6B 2C 9A 23 7C 85"
[HKCU\Software\ShopAtHome\Toolbar]
"TBHideFirst" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ShopAtHome_Toolbar_Installer.exe,"
[HKLM\SOFTWARE\ShopAtHome\SelectRebates]
"SelectRebatesLocation" = "%Program Files%\SelectRebates\SelectRebates.exe"
[HKCU\Software\ShopAtHome\Toolbar]
"TBShowOnce" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
"DisplayName" = "ShopAtHome SelectRebates"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
"URLUpdateInfo"
"URLInfoAbout"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"
The process regsvr32.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\ShopAtHome\Toolbar]
"EditWidthcombo1" = "1"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\VersionIndependentProgID]
"(Default)" = "ShopAtHome.IEToolbar"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCU\Software\ShopAtHome\Toolbar]
"KeepHistory" = "1"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\"
[HKCU\Software\ShopAtHome\Toolbar]
"RunSearchDragAutomatically" = "1"
"corruptedMsg" = "One of the XML files is corrupted or invalid. Press OK to uninstall."
"lastVersionMsg" = "You have the latest version of the ShopAtHome Toolbar."
"ShowExternalSearches" = "1"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\VersionIndependentProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}" = "00"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\ProgID]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"PopStop" = "Untitled Toolbar has blocked a Pop-up window"
[HKCR\ToolBand.ShopAtHomeIEHelper]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"autoUpdateMsg" = "New version of ShopAtHome Toolbar is available. Would you like to download and install new version?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\0\win32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\ShopAtHome.IEToolbar\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"firstTime" = "1"
"ErrorMsg" = "Error"
"#EditWidthcombo1#" = "Widthcombo11"
"versionError" = "Can not find current version information."
"UpdateAutomatically" = "0"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\ProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCU\Software\ShopAtHome\Toolbar]
"DescriptiveText" = "1"
"OpenNew" = "0"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"AutoComplete" = "1"
"closeAllWindowsForUpdate" = "All running IE Windows will be closed before updating the ShopAtHome Toolbar. Continue?"
"RunSearchAutomatically" = "1"
"toolbar_version" = "undefined"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"updateMsg" = "This will try to update the ShopAtHome Toolbar from the server. Continue?"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 3A 9D 78 3F 97 80 C3 EE 4A EF CD BE DE 1B 8C"
[HKCU\Software\ShopAtHome\Toolbar]
"toolbar_id" = "{A741D250-A6CF-4bf2-965E-A3E34D839C1D}"
[HKCR\ShopAtHome.IEToolbar.1]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"contextMenuItemName" = "ShopAtHome Toolbar search"
[HKCR\ShopAtHome.IEToolbar.1\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"ShowFindButtons" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CurVer]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCR\ShopAtHome.IEToolbar]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCR\ToolBand.ShopAtHomeIEHelper.1]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCR\ShopAtHome.IEToolbar\CurVer]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"AlertMsg" = "Alert"
"uninstallMsg" = "This will remove the ShopAtHome Toolbar from your computer! Are you sure?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0]
"(Default)" = "ShopAtHome Toolbar 1.0 Type Library"
[HKCU\Software\ShopAtHome\Toolbar\tb_items]
"Widthcombo11" = "1"
[HKCU\Software\ShopAtHome\Toolbar]
"connectionError" = "Can't establish a connection."
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"ThreadingModel" = "Apartment"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper"
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"
The process SelectRebates.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 9E FD 87 92 F3 80 79 B7 38 31 48 11 3D B1 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayName" = "ShopAtHome.com Toolbar"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
[HKLM\SOFTWARE]
"test"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"URLUpdateInfo"
"URLInfoAbout"
The process %original file name%.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 D9 2E 29 29 AA 0C 8C 92 14 0C 32 E2 0D 3D 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
84ffd42c17931a9d1f8361e7680c78de | c:\Program Files\SelectRebates\SRFF3.dll |
017e694bf86cd554b0fca3b09957e15f | c:\Program Files\SelectRebates\SRebates.dll |
0bf024e4f8fc508acfed092399f0fb4c | c:\Program Files\SelectRebates\SelectRebates.exe |
5c2402121f5bf6b7f9e3fe302cb291a0 | c:\Program Files\SelectRebates\SelectRebatesApi.exe |
409befc835a368ebcf4982992a9734ff | c:\Program Files\SelectRebates\SelectRebatesDownload.exe |
388a88031cb58ff9ca2e879086ce7c15 | c:\Program Files\SelectRebates\SelectRebatesUninstall.exe |
28bfc80b6652ae0b1b5e4de75ff2247d | c:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SelectRebatesDownload.exe:756
SelectRebatesDownload.exe:1264
ShopAtHome_Toolbar_Installer.exe:608
regsvr32.exe:1236
SelectRebates.exe:160
%original file name%.exe:1564
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\SelectRebates\srtmpsqum2pjlc3t.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpgfirnp4ucsh.tmp (123609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[2].txt (562 bytes)
%Program Files%\SelectRebates\srtmpprfq2h0cf3s.tmp (25 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\SelectRebates\srtmpprfredpb4st.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpprft75baec0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shopathome[1].txt (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G12KHINU.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6075 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8GFQIC91.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2856 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3936 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12255 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpsqu2g41f5e0.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7345 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HMQ23451.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 5, 1, 0, 0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5, 1, 0, 0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 121281 | 121344 | 4.44674 | 0a4a07815935016e7d950efc567cbe85 |
.rdata | 126976 | 32074 | 32256 | 3.67102 | a76f200c1a789e8398a9a1464d8b2a86 |
.data | 159744 | 22028 | 12288 | 3.6419 | a0b1c81f9c2be75e367b049fcba8f400 |
.rsrc | 184320 | 564312 | 564736 | 3.23133 | 0d0695fcd16884dae19679f149fe05f7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 41
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
SelectRebates.exe_160:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
PSShh
PSShh
FtPh
FtPh
SPSSh
SPSSh
t0Ht(Ht.Ht'Ht
t0Ht(Ht.Ht'Ht
Ht
Ht
~!SSh
~!SSh
Yu%C;
Yu%C;
PVSSh
PVSSh
t.VhluJ
t.VhluJ
VSSh&
VSSh&
SSh|~J
SSh|~J
SSht~J
SSht~J
SShl~J
SShl~J
SShd~J
SShd~J
SShT~J
SShT~J
uË;U
uË;U
YYSSh
YYSSh
Yu.Vh4DF
Yu.Vh4DF
YVSSh
YVSSh
$%&'()* ,-./0123456789:;
$%&'()* ,-./0123456789:;
VERSION.dll
VERSION.dll
SETUPAPI.dll
SETUPAPI.dll
WININET.dll
WININET.dll
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
EnumWindows
EnumWindows
EnumChildWindows
EnumChildWindows
MapVirtualKeyA
MapVirtualKeyA
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEPRO32.DLL
OLEPRO32.DLL
OLEAUT32.dll
OLEAUT32.dll
MSVCP60.dll
MSVCP60.dll
ERROR: Event WaitForUnhookAll (%d)
ERROR: Event WaitForUnhookAll (%d)
{E03777A2-C73D-4a58-A4FB-28F813CA2583}
{E03777A2-C73D-4a58-A4FB-28F813CA2583}
[INIT]: XML maps loaded status = %s
[INIT]: XML maps loaded status = %s
[INIT]: CheckSite timeout set to %dms.
[INIT]: CheckSite timeout set to %dms.
[INIT]: FireFox status = %s
[INIT]: FireFox status = %s
FireFox disabled
FireFox disabled
FireFox enabled
FireFox enabled
MyAccountUrl
MyAccountUrl
[V] Module %s version is %s and the Agentprefs version is %s
[V] Module %s version is %s and the Agentprefs version is %s
[P] Skipping InfoPop#%d, Opt Out Detected (%s).
[P] Skipping InfoPop#%d, Opt Out Detected (%s).
[Mouradeling] Url "%s" matches regex "%s". Mouradeling on.
[Mouradeling] Url "%s" matches regex "%s". Mouradeling on.
[Mouradeling] Reset timeout to %d sec.
[Mouradeling] Reset timeout to %d sec.
[PBM] pid(%d) = Unsupported: AOL.
[PBM] pid(%d) = Unsupported: AOL.
[PBM] pid(%d) = Unsupported: Mozilla.
[PBM] pid(%d) = Unsupported: Mozilla.
mozilla.exe
mozilla.exe
[PBM] pid(%d) = Unsupported: Netscape 6.
[PBM] pid(%d) = Unsupported: Netscape 6.
netscp.exe
netscp.exe
[PBM] pid(%d) = Unsupported: Netscape 4.
[PBM] pid(%d) = Unsupported: Netscape 4.
netscape.exe
netscape.exe
aexplore.exe
aexplore.exe
aol.exe
aol.exe
waol.exe
waol.exe
[PBM] pid(%d) = Firefox
[PBM] pid(%d) = Firefox
firefox.exe
firefox.exe
[PBM] pid(%d) = Internet Explorer.
[PBM] pid(%d) = Internet Explorer.
iexplore.exe
iexplore.exe
[PBM] Browser Process for pid(%d) = (%s)
[PBM] Browser Process for pid(%d) = (%s)
[PBM] Failed to get module file name for browser check. (%d)
[PBM] Failed to get module file name for browser check. (%d)
[PBM] 0 modules returned by enum modules for %d. (%d)
[PBM] 0 modules returned by enum modules for %d. (%d)
[PBM] Failed to get enum modules for %d. (%d)
[PBM] Failed to get enum modules for %d. (%d)
[PBM] Failed to get process handle for browser check. (%d)
[PBM] Failed to get process handle for browser check. (%d)
%Y-%m-%d %H:%M:%S
%Y-%m-%d %H:%M:%S
%s_%d
%s_%d
[OO] OptOut for %s at %s
[OO] OptOut for %s at %s
[OO] OptOut for %s and %s at %s
[OO] OptOut for %s and %s at %s
[OO] OptOut for %s removed.
[OO] OptOut for %s removed.
[OO] Remove all OptOuts %s (%d).
[OO] Remove all OptOuts %s (%d).
%Y-%m-%d
%Y-%m-%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Failure to write %s to %s. (%d)
Failure to write %s to %s. (%d)
%s,%d
%s,%d
[M] Upgrade has run more than %d times already. Skip Upgrade.
[M] Upgrade has run more than %d times already. Skip Upgrade.
Clearing upgrade flags: %s
Clearing upgrade flags: %s
[XPD] Popup %s impossible: %d pops already today.
[XPD] Popup %s impossible: %d pops already today.
[XPD] Popup %s impossible: %d pops already in last %d minutes.
[XPD] Popup %s impossible: %d pops already in last %d minutes.
[XPD] Failed to find XPD type %s. Allowing.
[XPD] Failed to find XPD type %s. Allowing.
Rule %s: Popup(%d), Redirect(%d), DoSlider(%d), AdServe(%d), OldPop(%d), %sInfoPop(%d), HideRedirect(%d)
Rule %s: Popup(%d), Redirect(%d), DoSlider(%d), AdServe(%d), OldPop(%d), %sInfoPop(%d), HideRedirect(%d)
&global=click.linksynergy.com&afsrc=1
&global=click.linksynergy.com&afsrc=1
&URL=
&URL=
&tim=%d
&tim=%d
GR_check_site.html
GR_check_site.html
http:
http:
CheckSiteUrl
CheckSiteUrl
TTUrl
TTUrl
[A] Load result: http(%d): %s
[A] Load result: http(%d): %s
[A] Error %d downloading image. But image is cached, using cached image. Returning 304.
[A] Error %d downloading image. But image is cached, using cached image. Returning 304.
[F] Copying image from "%s" to "%s"
[F] Copying image from "%s" to "%s"
[F] Load Image File: %s, Cache date: %s
[F] Load Image File: %s, Cache date: %s
[F] File: %s, Next check date: %s
[F] File: %s, Next check date: %s
%a, %d %b %Y %H:%M:%S GMT
%a, %d %b %Y %H:%M:%S GMT
[F] It is new BANNER/IMAGE %s, force download.
[F] It is new BANNER/IMAGE %s, force download.
[A] Load image: %s
[A] Load image: %s
[A] Agent tracking %s/%s
[A] Agent tracking %s/%s
agenttracking.asp
agenttracking.asp
[A] Search tracking %s
[A] Search tracking %s
/agent/searchtracking.asp
/agent/searchtracking.asp
searchtracking.asp
searchtracking.asp
[A] %s%s%sTracker result: http(%d): %s
[A] %s%s%sTracker result: http(%d): %s
Upgrade: Unable to report (%d,%s): poorly formatted or missing UT url: %s
Upgrade: Unable to report (%d,%s): poorly formatted or missing UT url: %s
[A] Upgrade Tracker result: http(%d): %s/%s
[A] Upgrade Tracker result: http(%d): %s/%s
Upgrade: Reporting result(%d,%s) to %s/%s
Upgrade: Reporting result(%d,%s) to %s/%s
Upgrade Result Report: Reporting result(%d,%s) to %s
Upgrade Result Report: Reporting result(%d,%s) to %s
[A] %d - Unknown error
[A] %d - Unknown error
[D] %s Url has changed. File is necessary to download. (Cache off) (%s->%s)
[D] %s Url has changed. File is necessary to download. (Cache off) (%s->%s)
[D] Storing CID: %s (%s)
[D] Storing CID: %s (%s)
CustomerID funky. Changed from '%s' to '%s'
CustomerID funky. Changed from '%s' to '%s'
setCustomerID: '%s' seems to be in error. Filtered.
setCustomerID: '%s' seems to be in error. Filtered.
[D] Registry CID: %s
[D] Registry CID: %s
[XPan] Regexp_exception: (%d) %s
[XPan] Regexp_exception: (%d) %s
CHTTPLoaderThread
CHTTPLoaderThread
[A] HTTP Loader thread OK
[A] HTTP Loader thread OK
ShopAtHome.com Toolbar
ShopAtHome.com Toolbar
HTTP loader thread. Exit instance
HTTP loader thread. Exit instance
0.0.0.7
0.0.0.7
[M] Opening install page %s
[M] Opening install page %s
[M] Opening feedback %s
[M] Opening feedback %s
[S] Parameters: %s
[S] Parameters: %s
[S] serviceRequest(%s) Command: %s
[S] serviceRequest(%s) Command: %s
&os=%d
&os=%d
uniqueBundleKey=nonbundle
uniqueBundleKey=nonbundle
uniqueBundleKey=
uniqueBundleKey=
updateURL
updateURL
&updateURL=
&updateURL=
validateURL
validateURL
&validateURL=
&validateURL=
{X-X-X-XX-XXXXXX}
{X-X-X-XX-XXXXXX}
PopupPassword
PopupPassword
regpass=
regpass=
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
Unknown command %s
Unknown command %s
Clearing cookie %s
Clearing cookie %s
Setting cookie %s to %s
Setting cookie %s to %s
Clearing ini %s
Clearing ini %s
Unexpected # of parameters for %s: %d
Unexpected # of parameters for %s: %d
Setting ini %s to %s
Setting ini %s to %s
[S] UID: %s
[S] UID: %s
[S] IP: %s
[S] IP: %s
[S] Country: %s
[S] Country: %s
[S] Registry query: %s
[S] Registry query: %s
[S] Setup filename: %s
[S] Setup filename: %s
lsp_setup.exe
lsp_setup.exe
[S] Toolbar Update URL: %s
[S] Toolbar Update URL: %s
ToolbarURL
ToolbarURL
;ffTbUrl=
;ffTbUrl=
;toolbarURL=
;toolbarURL=
[S] Update Path: %s
[S] Update Path: %s
[S] Update Domain: %s
[S] Update Domain: %s
;updateURL=
;updateURL=
[S] Auto Upgrade: new value: "%s" enabled: "%s"
[S] Auto Upgrade: new value: "%s" enabled: "%s"
[S] Update enabled: %s
[S] Update enabled: %s
[S] ValidateURL: %s
[S] ValidateURL: %s
;validateURL=
;validateURL=
[S] Validate enabled: %s
[S] Validate enabled: %s
[S] NumberOfDaysNextUpdate: %s
[S] NumberOfDaysNextUpdate: %s
[S] NumberOfDaysNextValidate: %s
[S] NumberOfDaysNextValidate: %s
[S] NumberOfDaysNextHearbeart: %s
[S] NumberOfDaysNextHearbeart: %s
[S]%s
[S]%s
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d:%d
[XmlDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d
[XmlDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d
[XmlDataGC] 0x%x count = (%d). Delete Count = %d
[XmlDataGC] 0x%x count = (%d). Delete Count = %d
[~CAlert] (0x%x)
[~CAlert] (0x%x)
[BD] Destroying Xml Data. 0x%x
[BD] Destroying Xml Data. 0x%x
2000-01-01 12:00:00
2000-01-01 12:00:00
2020-01-01 12:00:00
2020-01-01 12:00:00
[BCEXML] Parse Status = %s
[BCEXML] Parse Status = %s
[BCEXML] Memory Exception parsing XML: %s
[BCEXML] Memory Exception parsing XML: %s
[BCEXML] Error loading XML into parser(%d).
[BCEXML] Error loading XML into parser(%d).
[BCEXML] Parse Result = %s
[BCEXML] Parse Result = %s
//Bce/tb/maxurllength
//Bce/tb/maxurllength
urls
urls
urlsec
urlsec
*shopathome.com,*shopathome.sah.com
*shopathome.com,*shopathome.sah.com
[R] Global Ignore found: %s
[R] Global Ignore found: %s
[X] Specific Suppress "%s" found.
[X] Specific Suppress "%s" found.
14,%s(%s)
14,%s(%s)
[X] Per Merchant Suppress "%s(%s)" found.
[X] Per Merchant Suppress "%s(%s)" found.
[X] Global Suppress "%s" found.
[X] Global Suppress "%s" found.
[B] Rule %d not found. Default = %s
[B] Rule %d not found. Default = %s
[B] Rule %d = %s
[B] Rule %d = %s
%s xmlData decRef(%d) = 0x%x
%s xmlData decRef(%d) = 0x%x
%s xmlData addRef(%d) = 0x%x
%s xmlData addRef(%d) = 0x%x
[CBceXml::releaseData] decRef(%d) = 0x%x
[CBceXml::releaseData] decRef(%d) = 0x%x
[B] Storing new Xml Data. 0x%x
[B] Storing new Xml Data. 0x%x
[B] Parse Status = %s
[B] Parse Status = %s
[B] Memory Exception parsing XML: %s
[B] Memory Exception parsing XML: %s
[vectorSahGC] decReference (%d)
[vectorSahGC] decReference (%d)
.PAVCSahGC@@
.PAVCSahGC@@
.PAUXmlObject@XML@@
.PAUXmlObject@XML@@
.PAVBanner@@
.PAVBanner@@
.PAVCAlert@@
.PAVCAlert@@
.PAVCCouponAlert@@
.PAVCCouponAlert@@
UrlEx
UrlEx
[B] Deleting duplicate ID: %s %s
[B] Deleting duplicate ID: %s %s
HotImageUrl
HotImageUrl
ImageUrl
ImageUrl
[AlertResponse] ID=%s [%s EXIST] Type=%s Text=%s ImageUrl=%s
[AlertResponse] ID=%s [%s EXIST] Type=%s Text=%s ImageUrl=%s
.PAVSahSearchResponse@@
.PAVSahSearchResponse@@
[XD] Skipping Global Suppress type %d: %s
[XD] Skipping Global Suppress type %d: %s
Program[%s] has exe [%s]
Program[%s] has exe [%s]
Data = %s
Data = %s
ChildNode[%d]: Node Type = %d (NODE_CDATA_SECTION = %d)
ChildNode[%d]: Node Type = %d (NODE_CDATA_SECTION = %d)
Data= %s
Data= %s
[CXMLParser::CreateNode] AppendChildToParent failed: %s
[CXMLParser::CreateNode] AppendChildToParent failed: %s
(0x%x): %s
(0x%x): %s
Unsupport type
Unsupport type
[D] ERROR (%d)! %s loading failed.
[D] ERROR (%d)! %s loading failed.
[D] OK. %s. Last update %s
[D] OK. %s. Last update %s
[D] OK. %s has not been modified.
[D] OK. %s has not been modified.
[D] OK. %s was downloaded.
[D] OK. %s was downloaded.
hXXp://
hXXp://
[D] No %s Filename. Ini file either blank or not writable.
[D] No %s Filename. Ini file either blank or not writable.
[D] XML is invalid or damaged, exception thrown by CodeBuffer in GetFile: %s
[D] XML is invalid or damaged, exception thrown by CodeBuffer in GetFile: %s
[D] OK. Bce Xml. Last update %s
[D] OK. Bce Xml. Last update %s
[D] Validate Path(b): %s
[D] Validate Path(b): %s
[D] Validate Domain(b): %s
[D] Validate Domain(b): %s
agent/bce.sah
agent/bce.sah
[D] Failed to copy %s file from %s to %s. [%d]
[D] Failed to copy %s file from %s to %s. [%d]
[D] Upgrade copied %s file from %s to %s.
[D] Upgrade copied %s file from %s to %s.
[D] Bce specified skin file as: %s
[D] Bce specified skin file as: %s
[D] Error updating file %s: %d
[D] Error updating file %s: %d
SelectRebatesDownload.exe
SelectRebatesDownload.exe
FFToolbar.txt
FFToolbar.txt
agent/agentprefs_.sah
agent/agentprefs_.sah
VVV.shopathome.com
VVV.shopathome.com
[F] Error copying %s to %s. (%d)
[F] Error copying %s to %s. (%d)
[F] Getting update file "%s" from "%s/%s"
[F] Getting update file "%s" from "%s/%s"
[F] Install Tracking: %s
[F] Install Tracking: %s
.PAVCException@@
.PAVCException@@
[F] Exception thrown by CodeBuffer in serviceQuery, %s
[F] Exception thrown by CodeBuffer in serviceQuery, %s
[F] Decrypted buffer: %s
[F] Decrypted buffer: %s
[F] Buffer Size %d is larger than remaining buffer %d.
[F] Buffer Size %d is larger than remaining buffer %d.
smartupdater/smartupdater.dll
smartupdater/smartupdater.dll
cidUrlPages
cidUrlPages
cidUrlSites
cidUrlSites
[F] OK. preferences loaded. %s
[F] OK. preferences loaded. %s
[F] Exception thrown by CodeBuffer reading Prefs, %s
[F] Exception thrown by CodeBuffer reading Prefs, %s
[F] New cab needed, cab dog (%s) version does not match running dog.
[F] New cab needed, cab dog (%s) version does not match running dog.
[F] New update cab downloaded: %s
[F] New update cab downloaded: %s
_.exe
_.exe
[F] New toolbar cab needed, cab toolbar (%s) version does not match running toolbar.
[F] New toolbar cab needed, cab toolbar (%s) version does not match running toolbar.
[F] Unable to create XML temp file, %s (Error=%d)
[F] Unable to create XML temp file, %s (Error=%d)
[F] exception thrown by CodeBuffer in GetFile: %s
[F] exception thrown by CodeBuffer in GetFile: %s
[F] XML Merge failed: Error opening file %s. (Error=%d)
[F] XML Merge failed: Error opening file %s. (Error=%d)
[F] Opened %s, size=%d
[F] Opened %s, size=%d
[F] Failed to open. Creating file %s
[F] Failed to open. Creating file %s
[F] Opening file %s
[F] Opening file %s
Error Parsing Temp XML. Count = %d. Reloading bce.
Error Parsing Temp XML. Count = %d. Reloading bce.
Error Parsing Temp XML. Count = %d. Resetting count and reloading bce.
Error Parsing Temp XML. Count = %d. Resetting count and reloading bce.
%s entry found, but file %s does not seem to exist. Removing entry.
%s entry found, but file %s does not seem to exist. Removing entry.
%s update failed: file %s seems to exist. Using %s entry.
%s update failed: file %s seems to exist. Using %s entry.
[A] %s Upgrade Complete: %s New Version = %s
[A] %s Upgrade Complete: %s New Version = %s
%s entry missing, but file %s seems to exist. Using %s entry.
%s entry missing, but file %s seems to exist. Using %s entry.
[A] %s Upgrade to Uninstall Key Complete: %s New Version = %s
[A] %s Upgrade to Uninstall Key Complete: %s New Version = %s
Deleting Old Uninstall file %s (%s)replaced by newer uninstall file %s.
Deleting Old Uninstall file %s (%s)replaced by newer uninstall file %s.
SAHUninstallKey
SAHUninstallKey
FFToolbar\chrome\skin
FFToolbar\chrome\skin
[F] Loading SelectAlerts Failed (%d)
[F] Loading SelectAlerts Failed (%d)
[F] Loading SelectAlerts: %s
[F] Loading SelectAlerts: %s
Removing Excess %s: %s
Removing Excess %s: %s
[F] %s
[F] %s
[processSkinDirectories] Failed to open file %s. (%d)
[processSkinDirectories] Failed to open file %s. (%d)
[processSkinDirectories] Processed skin file %s.
[processSkinDirectories] Processed skin file %s.
[processSkinDirectories] Error reading file %s.
[processSkinDirectories] Error reading file %s.
.SKIN
.SKIN
[F] Skin Directory[%d] = %s (%d)
[F] Skin Directory[%d] = %s (%d)
[F] Skin[%d](%d) = %s Url = %s
[F] Skin[%d](%d) = %s Url = %s
[F] Signalling Toolbars: %s
[F] Signalling Toolbars: %s
[F] SelectAlerts saved in: %s
[F] SelectAlerts saved in: %s
%xmlv
%xmlv
Only was able to write %d/%d bytes of Basis Xml file: %s
Only was able to write %d/%d bytes of Basis Xml file: %s
Saved BasisXml file: %s
Saved BasisXml file: %s
*.DYM
*.DYM
[F] File %s is not found in %s.
[F] File %s is not found in %s.
[F] Looking for unused files in: %s
[F] Looking for unused files in: %s
DefaultUrl
DefaultUrl
[F] File Added To Toolbar Cache List: %s
[F] File Added To Toolbar Cache List: %s
[F] Load. Image%s, , URL: %s, Local: %s
[F] Load. Image%s, , URL: %s, Local: %s
FFToolbar\chrome\skin\
FFToolbar\chrome\skin\
[F] DownloadAndCache: %s
[F] DownloadAndCache: %s
[FFToolbar] Done Processing Command %s
[FFToolbar] Done Processing Command %s
CmdProcessed
CmdProcessed
[FFToolbar] Command = %s
[FFToolbar] Command = %s
[FFToolbar] Exception parsing %s
[FFToolbar] Exception parsing %s
[FFToolbar] Deleted %s.)
[FFToolbar] Error Deleting %s: (%d)
[FFToolbar] Error allocating %d bytes to read %s
[FFToolbar] Error Opening %s: (%d)
SelectRebates.ini
ShowIEToolBarForAll: No IE Exists, adding %s=1
{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}
[A] Show FF Toolbar added toolbar to %d Firefox Profiles.
SelectRebatesSkin.dat
.PAVCAlerts@@
.PAVCBannerAlerts@@
.PAVCSearchAlerts@@
[U] Exception thrown by CodeBuffer, %s
[F] OK. Preferences. Last update %s
[F] Prefs location changed, downloading again: %s %s
[F] Validate Path(a): %s
[F] Validate Domain(a): %s
[F] Exception thrown by CodeBuffer in GetPreferences, %s
[A] Exception thrown by CodeBuffer in ParseXmlFile, %s
[F] Waiting time %d second(s) for next %s...
[F] Repeat counter %d
[F] AttemptDownloadPrefs Success. (Event 0x%x)
[F] Setting up scheduler on %d seconds...
[checkNextUpdate] Retry mode finished: %s
[checkNextUpdate] Retry mode timeout %d second(s). Attempt counter: %d
[checkNextUpdate] Retry mode upto 10 times started at: %s
[checkNextUpdate] Update enabled: %s
[checkNextUpdate] Update Skipped: AutoUpdateFailedCount=%d > %d
[checkNextUpdate] Update needed. _retryMode = %s
[checkNextUpdate] InstallMustValidate enabled: %s
[checkNextUpdate] Validate enabled: %s
[F] Upgrade Path: %s.
[A] SahUpgrade RUN_ONCE key found.
Software\Microsoft\Windows\CurrentVersion\RunOnce
[A] AutoUpgradeStatus is %s, but it can not be cleared so no pop.
[A] Report AutoUpgradeStatus: Auto(%s) Status(%s) Result(%s).
[F] Error upgrading (%d): %s
Failed to extract toolbar cab name from ToolbarURL: %s
[F] Iterate Toolbar Cabinet Failed. Unpacked %d Files. Error(%d %d)
[F] Download Toolbar File (%s)(%s) to %s
Toolbar Upgrade Failed: Unable to find windows temporary folder.
[F] Error launching updater (%d)
[F] Starting updater: %s
[F] Iterate Cabinet Failed. Unpacked %d Files. Error(%d %d)
[F] Path: %s
[F] Server: %s
update911.exe
setup911.tmp
Unable to find windows temporary folder.
0.0.0.0
[F] SelectRebatesUpgrade signal unexpected value = %s(%d) (Error=%d)
[F] SelectRebatesUpgrade Failed: CreateProcess failed (%d)
[F] SelectRebatesUpgrade: Launching %s
[F] SelectRebatesUpgrade. Execute newer SelectRebates (%s). (Upgrading from %s)
[F] SelectRebatesUpgrade Failed. Unable to find new SelectRebates file %s.
[F] SelectRebatesUpgrade. ERROR: %s found on the command line. Infinite Upgrade Loop Diffused?
[F] SelectRebatesUpgrade. New SelectRebates (%s) running.
[F] SelectRebatesUpgrade. SelectRebates running, but version (%s) does not match expected(%s).
[F] SelectRebatesUpgrade COMPLETE! Deleted upgrade file %s
[F] SelectRebatesUpgrade. Failed to delete upgrade file %s. (%d).
[F] SelectRebatesUpgrade. Error: New and Old SelectRebates have the same filename: %s
[F] SelectRebatesUpgrade Failed. Unable to parse module name %s.
[F] Removing %s and %s temp directories.
[F] Delete Upgrade File: %s %s
[F] Delete EulaUpgrade File: %s %s
Failed (%d)
[F] Checking for upgrade files to remove. UpgradeStatus=%s
[F] SelectRebatesUpgrade Copy Failed (%d)... Try again later.
[F] SelectRebatesUpgrade Complete. New file %s copied. Status=%s
[F] SelectRebatesUpgrade. Replacing %s (%s)
[F] SelectRebatesUpgrade. Copying New %s (%s)
ShowWindow = (%d): %s
CCheckServerDialog::MyCreateFont = 0x%x
CCheckServerDialog::OnPaint::serverUp(%d):%s
%s is temporarily unavailable for cash back rebates.
%s is again available for cash back rebates.
[P] Skipping Popup: MID = %d, PopupID = %d
[P] Skipping Older Popup: MID = %d, PopupID = %d
[P] Rule set: DoRedirect = %s, DoPopup = %s, DoSlider = %s, RedirectSuppress = %s (%s)Pop(%d) (Rule: %s)
[R] Rule %d for MID=%d is not defined
[R] Upgrade Rule %d for MID=%d is not defined
[P] Upgrade DoPopup = %s %sPop(%d) (Rule: %s)
[R] Dog NeedsUpgrade. Rule %d for MID=%d.
[P] Rule ID: %d
[P] NeedsUpgrade: %s
[P] Current Browser Has A visible Toolbar: %s
[P] DisableRedirects user: %s
[P] Stealth user: (%s) = %s
[P] Failed fo find popup (%d).
[P] Error loading InfoPop %d for mid(%d). Popup %d not found.
[P] Building Popup for %d: %d
[P] Image is not set for popunderID=%s
[P] Image is not found for popunderID=%s
[P] Building Popunder for %d: %d
checkpassword
[P] Unable to write PopupHtmlFile: %s
[P] Do Secondary reg pop option is: %d
[P] Do initial reg pop option is: %d
Error-%s
[P] Do Donovan's Popup(%d) here for mid(%d): %s
XPDX(%d)
BLD(%d)
[P] Error building InfoPop %d for mid(%d). Popup %d replace failed.
XPD(%d)
NF(%d)
[P] Error building InfoPop %d for mid(%d). Popup %d not found.
[P] Building InfoPop for %d: %d
Mozilla
[PT] Warning: No version operator found processing popup.
Unable to create IE control container in PopWindow, Last Error = %d
Shell.Explorer.2
v=1,pid=%d,data=%s,%s
Unable to parse destination url: %s
Unable to open link in PopWindow navigate: %s
Unable to parse url: %s
PopWindow navigate: %s
[CWindowImplBaseT::StartWindowProc] pThis(0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x) StartWindowProc(0x%x)
[CWindowImplBaseT::WindowProc] pThis(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!
[CWindowImplBaseT::WindowProc] pThis(0x%x) m_hWnd(0x%x) wndProc(0x%x)
[Luke's Debug] Toolbar HWND = 0xx
[Luke's Debug] Parent HWND = 0xx
Create POP Url!.
[~BrowserDataWrangler] rc=%d
[B] AdServe. Shell windows init %s. (result = %d)
[B] FireFox Document Complete CopyData: %d(%d)
[B] FireFox Document Complete
Exception in SaveFireFoxCopyDataContent
[M] WM_COPYDATA message. Type: %d
Unknown ItemID in Firefox data: %d
Error in Firefox COPYDATA. Data Overflow.
[B] FireFox COPYDATA %d(navPtr=%d, ver=%d)
Exception in ProcessFireFoxContent
[B] FireFox. Toolbar call
[B] searchIE failed to find a browser object: "%s" (0x%x).
[B] Creating new Attribute called: "%s".
Advise#%d-%s
[X] Deleting Attribute called: "%s"
[B] exception 2 thrown by searchIE. exceptionTrack = %d
[B] exception 1 thrown by searchIE. exceptionTrack = %d
[B] Browser FOUND. Top window: 0x%x, class: %s
[B] Checking HWND 0xx against 0xx in searchIE
[B] Window 0x%x was found by old code
[B] exception thrown by searchIE. exceptionTrack = %d
[B] Hidden browser FOUND. Top window: 0x%x, class: %s
[B] Window 0x%x was found by new code
[B] Found %i number of shell windows
[B] %s
Cannot get count. Try to get ShellWindows again.
MException trying to navigate same IE tab to: %s
[BrowseToUrl] Browse to IE tab (0x%x): %s
[IEEvents] DISPID_PROPERTYCHANGE - %s
[E] DISPID_PROPERTYCHANGE: LookupFailed 0x%x
[B] ExtraHeaders: [%s] URL: %s
[B] Headers: [%s] URL: %s
[E] DISPID_BEFORENAVIGATE2: %s
[E] DISPID_BEFORENAVIGATE2: LookupFailed 0x%x
[E] DISPID_DOCUMENTCOMPLETE: %s
[E] DISPID_DOCUMENTCOMPLETE: LookupFailed 0x%x
[IEEvents] (0x%x) %d
[IEEvents] (0x%x) %d %d, %d
[B] CBrowserEvents::toolbar. MAIN Frame URL: %s
[X] remove is removing attribute: "%s"
[X] removeAll is removing attribute: "%s"
[Mouradeling] Canceling redirect for 0x%x to: %s
Removing Mouradeling %d from _mouradelingList
BrowserEventsTimerProc(0x%x,%d,%d,%d)
[Mouradeling] SetTimer(0,0,%d,BrowserEventsTimerProc)
[B] Unhanded Exception in executeMouradelingAction.
[Mouradeling] Browse to IE tab (0x%x): %s
[Mouradeling] Cancelled: No source url.
[BrowserEventsTimerProc] Mouradeling %s(flag=%d). DC(#%d)-> pid(%d) mid(%d): %s)
[Mouradeling] Url matches regex "%s". Mouradeling filter on. Skipping DC. (%s)
MozillaUIWindowClass
MozillaWindowClass
mozilla firefox
windows internet explorer
[P] Error launching api pop: %d
[S] Start Search PopUnder #%s
[S] Unable to update SearchPopunderNumber. Skipping search: LastError=%d
S2> UniversalRequest response: %d
S2> Params: %s
[S] Search url: %s
[S] Search string: %s
[S] Search off, ignoring search term: %s
[S] Secondary Registration Delay %d seconds.
[S] Start session for: %s. %d second timeout then checking for next update
[S] Search: Search123 : %s
[S] Search Disabled: %s
[S] Search pop-under is restricted by Rule: %d
[S] Search pop-under is disabled. Enabled only for countries:
S2> Unable to update Search2Number. Skipping search2: LastError=%d
[S] Duplicate Search found: %s
[S] ProcessSearchEngine: %s
[S] FindWhat: %s
193.168.0.12
&mt=%s&ip_addr=%s
[S] Search123: %s
src="hXXp://
[M] LibraryHooked (%d)
[M] Hooking Skipped: Running process (%d) matches pid.
[M] Hooking Skipped: Process %d is already hooked (Lib Hook = 0x%x).
[M] LoadLibrary Install Process Hook: hwnd:0x%x tid:0x%x pid:%d
[M] LoadLibrary Install Process Hook Skipped: IE8 IS NOT detected (found explorer.exe instead)! hwnd:0x%x tid:0x%x pid:%d
[LibHook] Remote LoadLibrary %s: hModule=0x%x
[LibHook] CreateRemoteThread failed. 0xx
[LibHook] Found pre-existing DLL in Process ID 0xx, backing out
[LibHook] VirtualAllocEx failed. h=0x%x error=%d
[LibHook] Could not open Process = 0xx
[M] Injecting Hook into process id 0x%x
[M] Hooking Skipped: Process %d hooked itself!
[M] Toolbar Hook Detected: pidA=%d pidB=%d
[M] Unable to remove hook on pid %d, no hLibModule found.
[M] FreeLibrary result = %d
[M] Failed to CreateRemoteThread to unload hook in (%d)
[M] FreeLibrary Remotely run FreeLibrary in process handle (0x%x)
[M] OpenProcess failed. (%d)
[M] FreeLibrary Install Process Hook: pid:%d
[M] Browser Found (%s, %s) Post BEMessage_CheckWindow... enum HWND: 0x%x
[CCheckBrowser] PID = ] HWND = 0x%5x Class = s
[CBP] Image Found: %s
background-image: url(
[TBar] Regexp_exception: (%d) %s
[TBar] RegEx. UrlEx: %s, id: %s
[TBar] Regexp_exception search: (%d) %s
[M] UrlEx AlertRequests are off.
[M] SearchEx and UrlEx AlertRequests are off. Skipping RegEx.
[TBar] CCheckBrowser::RegExToolBar. No url terms.
[TBar] CCheckBrowser::RegExToolBar. Query %s, phrase: %s
[TBar] CCheckBrowser::RegExToolBar Sending ESearch search phrase to AlertServe: %s
[TBar] Sent Search Phrase to IE Toolbar History: %s
%d|%d|%s
[R] Skip: Blank Url
[R] Skip: MID=%d. Redirect OFF (No Need) URL (%s)
[R] Skip: MID=%d doRedirect is false. AutoRedirect is turned OFF
[R] Skip: MID=%d Trigger=%s has redirect set to no. AutoRedirect is turned OFF
[R] Skip: MID=%d is not SAH client, AutoRedirect is turned OFF
[R] AutoRedirect: %s
[R] MID=%d SAH client, AutoRedirect ON
[R] Skip: MID=%d SAH client, AutoRedirect OFF
[R] Skip: SPECIFIC domain. Redirect OFF. (MID=%d)
[R] Skip: SEEING EYE HELPER REDIRECT OFF: Redirect OFF. (MID=%d)
[R] Skip: Delay Redirects Until %s: Redirect OFF. (MID=%d)
[R] Current Hook version is: %s
[R] No popup specified for MID=%d.
[R] Skip. Check Site! popup (%d)%d
[R] Redirects are disabled until: %s
[R] OptInRedirect option is: %s
[R] Hook(%d): %s
[R] Hook: * %s
[R] Suppress is turned ON for MID:%d for %d seconds
[R] Suppress turned ON for url "%s" for %d seconds
[R] MID=%d. Site Down: Redirect back ON
[R] MID=%d. Redirect is turned ON
[R] GLOBAL domain. Redirect is turned OFF for MID=%d (%s)
[R] MID=%d. Redirect OFF, Suppress%s Timeout for another %d seconds.
[R] Ignore URL E: %s
webfastconnect
[R] AdServe URL. Globally suppressed for %d more seconds.
[R] Ignore Frameset URL: %s
[R] Ignore URL D: %s
[R] Ignore URL C: %s
topmoxie.com
[R] Ignore URL B: %s
sysupdates.com
[R] Ignore URL A: %s
ebates.com
[R] MID=%d. Redirect OFF (MarkAsNotRedirect)
[R] New GLOBAL Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)
[R] Resetting GLOBAL Suppress Time to %d seconds. PID(%d) Type = %s (%x)
[R] New Per Merchant Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)
[R] Resetting Per Merchant Suppress Time to %d seconds. PID(%d) Type = %s (%x)
[R]Removing GLOBAL domain for PID %d. Type = %x (%s)
[R]Removing expired suppress for PID %d. Type = %x (%s)
[R]Removing suppress for PID %d. %s (%d) 1
[R] Suppress Found PID(%d) / MID(%d). Type = %s (%x) (%d sec remain)
[R] Removing Suppress PID(%d) / MID(%d). Type = %s (%x)
[R]Removing GLOBAL domain for PID %d. 1
Checking FramesetoutList: pid(%d) mid(%d)
Redirect detected, : pid(%d) mid(%d): %s
[R] Unexpected framesetout. Not triggering extra Redirect AlertRequest for %d
[R] InfoPop(%d) found... we are probably in the redirect thread, and I'm not sure what to do at this point... defininitely can't build the pop here. Going to push it to the popup thread to build and download.
[confirmRedirectOccurred] Also recording framesetout on unexpected pid= %d mid(%d)
[confirmRedirectOccurred] ared(NULL) pid(%d), mid(%d)
[confirmRedirectOccurred][DC Mouradeling - Off] (Flag=%d)
[confirmRedirectOccurred][Mouradeling - Off] %s (%s)
No Url
[confirmRedirectOccurred][Mouradeling - On] Wait for ON_DOCUMENT_COMPLETE and goto %s
[confirmRedirectOccurred] ared(#%d)->pid(%d) mid(%d) Popup(%d, %d, %d, %d)
[M] FrameSetOut from toolbar: %s
[M] persistID[%d] size = %d
decodeQueryStringCoderZip2 failed. bad buffer size= %d.
Incorrect key length
\wininit.ini
PendingFileRenameOperations
[CQueuePending] UnPendMove List of files: %s
[CQueuePending] Processing %d ClearPend File%s.
UnPendMove(%s) %s
Detected Pending Move of %s
Found %d default detection items.
Detected the following items: %s
Item #%s %s found (%s)
pad.exe
can.exe
tmgr.exe
ield.exe
svc.exe
KERNEL32.DLL
%d.%d.%d.%d
\StringFileInfo\XX\FileVersion
[DT] Transaction 0x%x sis clearing wrapper 0x%x
~CDownloadTransactionWrapper 0x%x
Error sending WM_COPYDATA message to 0x%x. Error downloading.
[U] Timeout Waiting for Download Done - %d (%d)
[U] Window found: %x. Send WM_COPYDATA from 0x%x.
[U] Storing this transaction (0x%x) in wrapper 0x%x
[U] Buffer length = %d
[sendDataBuffer] >>>>> Lock section: %s %s
[sendDataBuffer] >>>>> Getting Ready to lock section: %s %s
[U] sendDataBuffer. %s%s
Download Exe Window Found 0x%x! Version = %d
Browser Downloader Window Found 0x%x! Version = %d
[U] HTTP result: %d
[U] Method: %s Content type: %s
http=
[U] Server: %s path: %s content: %s
InternetSetCookie failed to add %d.
InternetSetCookie failed to remove %d.
InternetSetCookie(%s): %s (%s)
GetCookieValue FINISH: %s
InternetGetCookie failed %d.
GetCookieValue (%s)
[U] Cookie Blocked! Using previous %s cookie value of "%s"
[U] Clear cookie: %s (%d)
[U] Cookie Blocked! Using default cookie value of "%s"
[U] Get cookie failed. (%s)
[H] WM_COPYDATA finish. Download Failed, transaction not found (window :%x) (result :%d) (path: %s)
[H] WM_COPYDATA finish. Download Done (window :%x) (result :%d)
Download Path %s does not match requested path %s
[HIE] GetWindowText(0x%x)
[FindHookWindow] SearchForDownloadWindow(%d) = 0x%x
[FindHookWindow] SearchForDownloadWindow(%d)
?456789:;
!"#$%&'()* ,-./0123
PsApi.dll
[IE8?] GetModuleFileName failed to get browser name (%d)
%s at: %d
[HIE] read map: 0x%x
[U] Time-out before close hidden %d sec.
[HIE] Cannot find IE, opening temp IE window, count = %d.
[HIE] Searching for IE window, count = %d
[HIE] Temp IE window, count = %d.
[closeDownloader] Closing hidden Downloader window based on pid(%d) 0x%x
[closeDownloader] Closing hidden Downloader window based on HWND 0x%x
[closeDownloader] pid(%d) hwnd(0x%x)
[waitForStart]Found hwnd 0x%x.
[waitForStart]Searching for %s window.
[waitForStart] Found hwnd in map: 0x%x.
[cleanHIE] IE window cleanup delayed, count = %d
Closing downloader Exe window 0x%x!
[closeIE] Quit IE failed, trying WM_CLOSE... 0x%x
[closeIE] Quitted IE... 0x%x
[closeIE] Quitting IE... 0x%x
[openIE] Exception opening IWebBrowser2.
[openIE] IWebBrowser2 failed to provide a good HWND.
mozillauiwindowclass
SearchForTopHiddenIEWindow(%d)
URLUpdateInfo
URLInfoAbout
UninstallUpdateUrl
UninstallAboutUrl
UninstallHelpUrl
Software\Microsoft\Windows\CurrentVersion\Uninstall
[A] Removing uninstall key %s
Setting Uninstall Data (%s || %s)
Warning: NOT Releasing Mutex (we don't own it.) (0x%x) (%d)
Released Mutex (0x%x) = %d, %d
Timeout waiting for Mutex. (%dms)
Error waiting for mutex WAIT_FAILED (%d)
Unknown Mutex code (%d), error.
shell32.dll
shfolder.dll
[XmlSkinDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d
[XmlSkinDataGC] 0x%x count = (%d). Delete Count = %d
COM Error = %d
[SAHSKIN] Parse Status = %s
%s XmlSkinData decRef(%d) = 0x%x
%s XmlSkinData addRef(%d) = 0x%x
[CSahSkin::releaseData] decRef(%d) = 0x%x
[CSahSkin::ParseXmlFile] %s
[CSelectAlertSettings] OptOut Found: %s
SelectAlerts.dat
ShopAtHomeToolbar.dll
firefoxtoolbardir
install.rdf
basis.xml.temp
basis.xml
toolbar@shopathome.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
ToolBand.ShopAtHomeIEHelper
{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
ShopAtHome.IEToolbar
{462E4AEC-DB3B-4e69-AF61-4F300D76255C}
[F] Toolbar Uninstalled = %s
[F] Toolbar Installed = %s
internet explorer\iexplore.exe
Failed to copy toolbar files: %s
Toolbar to install (%s) is older than the existing toolbar (%s): %s
Error creating %s directory for toolbar (%d)
Registering Firefox Toolbar: %s
Removed Empty Directory: %s
Checking for Firefox Toolbar: %s
No Firefox Toolbar found at %s
Failed to unregister Firefox Toolbar: %s
Removing file: %s
Unregistered Firefox Toolbar: %s
Removing directory: %s
Mozilla\Firefox\
Profile%d
Mozilla\Firefox\Profiles.ini
Firefox is %sinstalled.
Mozilla\Firefox\Profiles
Firefox %s complete. #Success = %d #Fail = %d
%s FF Toolbar: profiles in %s
Failed to find Application Data directory. (%d)
[uninstallToolbarRegistrySettings] Deleting Toolbar reg keys for %s.
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
[T] Toolbar Upgrade Complete. Deleting old toolbar file: %s
[Basis] Failed to install new basis %s from to %s (%d)
[Basis] New basis %s copied to %s
[Basis] Basis restore failed: %s %d
[Basis] Basis restored. Deleting temp Basis: %s
[Basis] Restoring old Basis: %s
[Basis] Basis updated. Deleting old Basis: %s
[UpgradeToolbar] Failed to copy new toolbar %s over old toolbar %s. (%d)
[UpgradeToolbar] Successfully copied new toolbar %s over old toolbar %s.
[T] Failed to register toolbar: %s
[T] Failed to set toolbar registry keys: %s
[UpgradeToolbar] Toolbar upgrade Pending: %s : %s
Toolbar RegistrationA failed (%d);
[installToolbar] RegisterToolbar regsvr32 failed (%d) with error %d.
[installToolbar] Calling regsvr32 to install toolbar: runProcess(%s)
[installToolbar] all %d Registry Keys Set.
[installToolbar] Mini Toolbar Key Upgrade failed to Upgrade (%d %d) keys from %s to %s.
[installToolbar] Mini Toolbar Key Upgrade Upgraded %d keys from %s to %s.
[installToolbar] Mini Toolbar Key Upgrade Upgraded %d keys from %s to %s.
TbReg no rights(%d). Set %d of (%d %d %d) keys.
TbReg no rights(%d). Set %d of (%d %d %d) keys.
[installToolbar] Insufficient rights (%d) to do toolbar registration. Currently have set %d of (%d %d) keys.
[installToolbar] Insufficient rights (%d) to do toolbar registration. Currently have set %d of (%d %d) keys.
[installToolbar] Toolbar %s is registered, checking for rights to register %s
[installToolbar] Toolbar %s is registered, checking for rights to register %s
[installToolbar] Existing Toolbar Keys detected. Upgrading %s to %s. (%d,%d %d)(Rights=%d)
[installToolbar] Existing Toolbar Keys detected. Upgrading %s to %s. (%d,%d %d)(Rights=%d)
[installToolbar] RegisterToolbar(%s, %s)
[installToolbar] RegisterToolbar(%s, %s)
Toolbar RegistrationB failed (%d);
Toolbar RegistrationB failed (%d);
[installToolbar] regsvr32 failed (%d) with error %d.
[installToolbar] regsvr32 failed (%d) with error %d.
TbReg only set %d of (%d %d %d) keys.
TbReg only set %d of (%d %d %d) keys.
[installToolbar] Toolbar keys for %s found.
[installToolbar] Toolbar keys for %s found.
[installToolbar] Toolbar registration only set %d of (%d %d) keys.
[installToolbar] Toolbar registration only set %d of (%d %d) keys.
Windows Vista
Windows 2003
Windows XP (Whistler)
Windows 2000
Windows ME
Windows 98
Windows NT 4.0
Windows 95
Windows NT 3.51
Deleting %s %s.
WebFastConnect
0123456789
Terminate Process %d
CreateProcess pid = %d
CreateProcess Failed (%d)
IELaunchURL Failed (hr=%d;Error=%d)
IELaunchURL pid = %d
\FirefoxHTML\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
internet explorer\iexplore.exe" "%%1"
.html
[browseWithIWebBrowser2] Exception opening browser
[browseWithIWebBrowser2] Failed to open browser with HWND: res=%d
[browseWithIWebBrowser2] Closing HWND: 0x%x
[browseWithIWebBrowser2] Force browser to front: 0x%x
[browseWithIWebBrowser2] Opened browser with HWND: 0x%x pid(%d) ::IsWindow=%d
Content-Type: application/x-www-form-urlencoded
[browseWithIWebBrowser2] %s (hidden=%d,msWait=%d,forceToTop=%d)
[RunIe] (0x%x) Skipped: There can be only one.
[RunIe] (0x%x)
Process pid = %d
CreateProcess failed (%d)
CreateProcess(%s,%s)
CreateProcessAsUser failed (%d)
OpenProcessToken returned processToken(0x%x). CreateProcessAsUser(%s,%s)
OpenProcessToken failed (%d)
WaitForSingleObject() = %d
ShellExecute failed with error %d.
ShellExecute succeeded.
ShellExecute(0,open,%s,%s,0,Hide)
[CopyDirectory_CopyFile] %s: %s -> %s
[CopyDirectory_NewDirectory] Created Directory: %s
[CopyDirectory_NewDirectory] Error Creating Directory: %s (%d)
[ITB] Installing toolbar files from %s to %s.
[SVistaDll] Failed to load IEIsProtectedModeURL.
[SVistaDll] Congratulation! IEIsProtectedModeURL address is 0x%x
[SVistaDll] Congratulation! IEIsProtectedModeProcess address is 0x%x
[SVistaDll] Failed to load IELaunchURL.
[SVistaDll] Congratulation! IELaunchURL address is 0x%x
IEIsProtectedModeURL
IELaunchURL
ieframe.dll
[SVistaDll] Congratulation! ChangeWindowMessageFilter address is 0x%x
user32.dll
[SVistaDll] Congratulation! ConvertStringSidToSid address is 0x%x
[SVistaDll] Congratulation! ConvertStringSecurityDescriptorToSecurityDescriptor address is 0x%x
Advapi32.dll
[SVistaDll] %s %s%d %s
[SVistaDll] IEIsProtectedModeURL uninitialized
%s %s
BN %d %s
DC %d %s
Firefox
Firefox DC %s
%d_%s
Error Creating Directory: %s (%d)
Created Directory: %s
support for \P, \p, and \X has not been compiled
PCRE does not support \L, \l, \N, \U, or \u
this version of PCRE is not compiled with PCRE_UTF8 support
POSIX collating elements are not supported
erroffset passed as NULL
POSIX named classes are supported only within a class
operand of unlimited repeat could match the empty string
[TB] %s
[TB] Seconds last asked %d sec. min_interval: %d sec. (last received: %d sec)
[TB] Last received for favorites: d-d-d d:d:d
[TB] Activate favorite trigger. open_interval: %d seconds (157)
[TB] Last asked for favorites: d-d-d d:d:d
[TB] Activate request. favorite_alert_delay: %d ms
[TB] Add request type="Favorites", Last(Received)Favorites="%s"
[TB] Item %s. Type: %s, String: %s, MID: %d
[TB] Item %s. Type: %s, String: %s, LastFavorites: %s
[TB] Item %s. Id: %s, Type: %s, String: %s
[TB] Delay alert request. Timeout: %dms
[TB] Requests size %d. Limit: %d
[TB] AddSearchRequest. Result %s. Id: %s, Type: %s, String: %s
[TB] Requests count %d exceeds the limit %d
[TB] Removing SahSearchRequest. Id: %s, Type: %s, String: %s
[TB] Dedup seconds expire, %s
[TB] ToolBar response: %s.
ToolbarUninstallReport
{0B5DAF6D-4671-49dd-B7E3-69A4293F80B6}
%d|%d|
[D] Timer expired. HWND: %s
[M] detectionResult = %s
[M] Upgrade Status Delay: %dms
[M] Registration Delay %d seconds.
[A] Added FF Toolbar extension to %d Firefox Profiles.
[M] CException in theApp.fileManager.checkNextUpdate()
[M] Start timer %s min
UnInstallExecute
[M] Close Hidden in %dms
[P] Error launching uninstaller: %d
[P] Error starting hook update (%d)
[M] Starting full update: %s
You have successfully logged into ShopAtHome.com. Enjoy your Cash Back shopping!
Incorrect password for this email address. Please try again.
Already have a messagebox open with same email/password.
Thank you for registering with ShopAtHome.com.
MessageBox: "%s"
forgotpassword
[M] Duplicate registration event: %s
PopUnderURL
[M] Shell Execute returned %d.
[M] Opening page %s
[M] Error Creating CheckServer Thread. (%d)
[R] Cancelling Popup for %d.
[R] Hook CheckSite(%d)%d - Site is NOT available.
[R] Queueing Popup for %d.
[R] Hook CheckSite(%d)%d - Site is available.
[M] WM_USER 112 message. Command: %d
[M] WM_COPYDATA message. Command: %d.
[M] Obsolete Metaupdate 555 signal from pre 4.2.5.0 hook.
Handling class:%s HWND:[0x%.8x] Main window %s: HWND:[0x%.8x]
--------- List of handling windows
Main window %s: HWND:[0x%.8x] Handler pointer:[0x%.8x] Edit HWND:[0x%.8x]
--------- List of IEFrame windows
[M] Check for alerts on redirect: URL:%s
[M] Optout List Selected: %s
[ToolbarAlert] #%d
[M] FirefoxToolbar Fso Signal
[Luke's Debug] Adding new IE8 tab [0xx] found by browser signal toolbartab
[Luke's Debug] Adding new tab [0xx] found by browser signal toolbartab
[M] New Browser Signal: WM_USER 500 message. wParam: 0x%x (type=%d)
[M] %s
Removed HTTP loader thread
WARNING: HTTP loader thread is terminated
WARNING: Failed to post WM_QUIT to redirectThread (%d)
[M] WebFastConnect Uninstall request
WebXb
?cmd=status
[M] Unininstall request reported...
[M] Uninstall request report failed.
[M] Uninstall request report failed... retry in 2 minutes.
ASUninstallReport
UninstallReport
[M] Registration request reported...
[M] Registration request report failed... retry in 2 minutes.
Install Registration(%d) - %s - %s
[M] WM_SETTEXT message. Type: %d
[LoadCharFileIntoCString] CreateFile Failed %d
[LoadCharFileIntoCString] %s
[CSahEvent] data (0x%x) refCount=%d
[CSahEvent::=] data (0x%x) refCount=%d
[~CSahEvent] data (0x%x) refCount=%d
[CSahEventManager] Error creating event %s.
UniqueBundleKey
Failed to register %s class! (%d)
Downloader %s does not exist?? COpenHiddenIEIfNone will use IE.
Activating COpenHiddenIEIfNone with %s.
[A] Windows 95/98/ME
[A] Windows NT based system
aswfctemp.ini
[A] New bceXMLTmp filename: %s
vincfile.dat
[A] New bceXML filename: %s
SelectRebatesB.dat
vbcefile.dat
SelectRebatesU.dat
SelectRebatesH.dat
SelectRebatesA.dat
[A] SelectRebatesSelfUpgrade completed! Exiting this instance. (%s)
SRebates.dll
[No Hook Found] Dead Dog! KillSelf(%s)
SelectRebates.exe
Uninstaller found at %s. Chameleon Dog!
Uninstaller found at %s. Program Files Dog!
SelectRebatesUninstall.exe
USE_IWEBBROWSER2
_WINDOWS
[A] Using exe substitution ini file: %s
[A] Using SelectRebates ini file: %s
[A] Started SelectRebates: %s (built %s %s).
14:29:29
SRebates.log
Software\Microsoft\Windows\CurrentVersion\Run
[M] CheckD=%s
SRFF3.dll
127.0.0.1
Setting CheckMeta: %s
[A]Hook copy failed, using new file for now: %s
[A]Old Hook deletion (c): %s
[A] Switch to new dll: %s
[A]Hook install time: %s. Last Reboot time: %s
[A]Deleting new DLL: %s
[A]New DLL Name = %s
[A]Old DLL Name = %s
[A]Loading library: %s
[installThreadHook] LoadLibrary(%s) has failed (%d): %s.
[installThreadHook] Thread Hook (%s) has been installed.
[A] AdServe disabled by pref: AdServing=%s.
[A] AdServe disabled. On only for countries %s
[A] AdServe disabled by rule: %s
[A]Shell Execute returned %d.
[A] ShellExecuting page %s
[A] Browser %s FOUND (0x%x)
chrome_widgetwin_0
[CWindowImplBaseT::SubclassWindow] (0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x)
[CWindowImplBaseT::UnsubclassWindow] this(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!
[CWindowImplBaseT::UnsubclassWindow] (0x%x) m_hWnd(0x%x) our(0x%x) active(0x%x) original(0x%x)
[F] Temporary File Name = %s
%Program Files%\
%Program Files%\SelectRebates\Toolbar\
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
%Program Files%\SelectRebates\SelectAlerts.dat
%Program Files%\SelectRebates\Toolbar\ImageCache
%Program Files%\SelectRebates\FFToolbar\
%Program Files%\SelectRebates\FFToolbar\install.rdf
version="4.4.0.3"
name="SelectRebates.exe"
ShopAtHome.com
Password
Server : port
5, 2, 0, 0
iexplore.exe_1756:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512