Adware.Sahat.BK (B) (Emsisoft), Adware.Sahat.BK (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5509fb2384bbad63429c0d991155fc12
SHA1: e395720f4dbdb4b96c6250b6d8278918ed7864e8
SHA256: 9545efb36f3dac9e1a582d47dfd6f8f60c7c698023745c1cac2a28696433fa6c
SSDeep: 6144:GM/in98C/WvBJIzvGO8QC2VP8nVG2CPRgLXM 1mq7kycl8dk3LNr6XoRDae8N5Y7:XC98CQnmGl2q gL8 13gyc6EZou AzJ
Size: 735336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Mindspark Interactive Network, Inc.
Created at: 2010-11-01 23:14:48
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
regsvr32.exe:820
ShopAtHome_Toolbar_Installer.exe:1752
SelectRebates.exe:316
SelectRebatesDownload.exe:1316
SelectRebatesDownload.exe:572
%original file name%.exe:188
The Adware injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process ShopAtHome_Toolbar_Installer.exe:1752 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\M0EE06I5.tmp (146 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6307 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2836 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3980 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12195 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (0 bytes)
%Program Files%\SelectRebates\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (0 bytes)
The process SelectRebates.exe:316 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
%Program Files%\SelectRebates\srtmpsquibk9ci1u.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (167132 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7726 bytes)
%Program Files%\SelectRebates\srtmpgfidl3p70s1.tmp (7387 bytes)
%Program Files%\SelectRebates\srtmpprffko8l5sg.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqukqopku3q.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprf4l6o1035.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Program Files%\SelectRebates\srtmpprf5iq8thc6.tmp (2 bytes)
The Adware deletes the following file(s):
%Program Files%\SelectRebates\srtmpsquibk9ci1u.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpgfidl3p70s1.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprffko8l5sg.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqukqopku3q.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprf4l6o1035.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprf5iq8thc6.tmp (0 bytes)
The process SelectRebatesDownload.exe:1316 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B8OUOM8.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
The process SelectRebatesDownload.exe:572 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\srtmpgfidl3p70s1.tmp (159361 bytes)
%Program Files%\SelectRebates\srtmpprffko8l5sg.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpsqukqopku3q.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpprf4l6o1035.tmp (25 bytes)
%Program Files%\SelectRebates\srtmpprf5iq8thc6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DIR8T6J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\M0EE06I5.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OD2BWHUZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5BELTVT7.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9E7WXE3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\816NKHAZ\desktop.ini (67 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B8OUOM8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5BELTVT7.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\M0EE06I5.tmp (0 bytes)
Registry activity
The process regsvr32.exe:820 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\ShopAtHome\Toolbar]
"EditWidthcombo1" = "1"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\VersionIndependentProgID]
"(Default)" = "ShopAtHome.IEToolbar"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCU\Software\ShopAtHome\Toolbar]
"KeepHistory" = "1"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\"
[HKCU\Software\ShopAtHome\Toolbar]
"RunSearchDragAutomatically" = "1"
"corruptedMsg" = "One of the XML files is corrupted or invalid. Press OK to uninstall."
"lastVersionMsg" = "You have the latest version of the ShopAtHome Toolbar."
"ShowExternalSearches" = "1"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\VersionIndependentProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}" = "00"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\ProgID]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"PopStop" = "Untitled Toolbar has blocked a Pop-up window"
[HKCR\ToolBand.ShopAtHomeIEHelper]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"autoUpdateMsg" = "New version of ShopAtHome Toolbar is available. Would you like to download and install new version?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\0\win32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\ShopAtHome.IEToolbar\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"firstTime" = "1"
"ErrorMsg" = "Error"
"#EditWidthcombo1#" = "Widthcombo11"
"versionError" = "Can not find current version information."
"UpdateAutomatically" = "0"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\ProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCU\Software\ShopAtHome\Toolbar]
"DescriptiveText" = "1"
"OpenNew" = "0"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"AutoComplete" = "1"
"closeAllWindowsForUpdate" = "All running IE Windows will be closed before updating the ShopAtHome Toolbar. Continue?"
"RunSearchAutomatically" = "1"
"toolbar_version" = "undefined"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"updateMsg" = "This will try to update the ShopAtHome Toolbar from the server. Continue?"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 1C 01 F2 39 B1 7A 2B A5 8E 6A 77 9F D1 A8 E2"
[HKCU\Software\ShopAtHome\Toolbar]
"toolbar_id" = "{336D31AE-23DC-43d5-924C-A1EC2C2FF15C}"
[HKCR\ShopAtHome.IEToolbar.1]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"contextMenuItemName" = "ShopAtHome Toolbar search"
[HKCR\ShopAtHome.IEToolbar.1\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"ShowFindButtons" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CurVer]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCR\ShopAtHome.IEToolbar]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCR\ToolBand.ShopAtHomeIEHelper.1]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCR\ShopAtHome.IEToolbar\CurVer]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"AlertMsg" = "Alert"
"uninstallMsg" = "This will remove the ShopAtHome Toolbar from your computer! Are you sure?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0]
"(Default)" = "ShopAtHome Toolbar 1.0 Type Library"
[HKCU\Software\ShopAtHome\Toolbar\tb_items]
"Widthcombo11" = "1"
[HKCU\Software\ShopAtHome\Toolbar]
"connectionError" = "Can't establish a connection."
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"ThreadingModel" = "Apartment"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper"
The Adware deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"
The process ShopAtHome_Toolbar_Installer.exe:1752 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 3D 5F AB F3 C6 30 CD 8B CE B9 AD B9 06 84 92"
[HKCU\Software\ShopAtHome\Toolbar]
"TBHideFirst" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ShopAtHome_Toolbar_Installer.exe,"
[HKLM\SOFTWARE\ShopAtHome\SelectRebates]
"SelectRebatesLocation" = "%Program Files%\SelectRebates\SelectRebates.exe"
[HKCU\Software\ShopAtHome\Toolbar]
"TBShowOnce" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
"DisplayName" = "ShopAtHome.com Toolbar"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
The Adware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
"URLUpdateInfo"
"URLInfoAbout"
The Adware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"
The process SelectRebates.exe:316 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 89 58 E4 02 61 86 C8 84 B0 73 7F 76 69 B8 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayName" = "ShopAtHome.com Toolbar"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
[HKLM\SOFTWARE]
"test"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"URLUpdateInfo"
"URLInfoAbout"
The process SelectRebatesDownload.exe:1316 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 69 17 C3 70 70 6E 49 C7 0F 65 3C 8F 96 9D 34"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process SelectRebatesDownload.exe:572 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 E5 72 26 AB A0 DF 48 05 2D 6C B6 41 CA B5 A9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:188 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 37 28 54 74 9B B6 9F 5C DF 8D DE D2 C1 2C 6E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 84ffd42c17931a9d1f8361e7680c78de | c:\Program Files\SelectRebates\SRFF3.dll |
| 017e694bf86cd554b0fca3b09957e15f | c:\Program Files\SelectRebates\SRebates.dll |
| 0bf024e4f8fc508acfed092399f0fb4c | c:\Program Files\SelectRebates\SelectRebates.exe |
| 5c2402121f5bf6b7f9e3fe302cb291a0 | c:\Program Files\SelectRebates\SelectRebatesApi.exe |
| 589c85ad4b3fd73456f32eb9d58e2f9c | c:\Program Files\SelectRebates\SelectRebatesDownload.exe |
| 388a88031cb58ff9ca2e879086ce7c15 | c:\Program Files\SelectRebates\SelectRebatesUninstall.exe |
| 28bfc80b6652ae0b1b5e4de75ff2247d | c:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:820
ShopAtHome_Toolbar_Installer.exe:1752
SelectRebates.exe:316
SelectRebatesDownload.exe:1316
SelectRebatesDownload.exe:572
%original file name%.exe:188 - Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\M0EE06I5.tmp (146 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (6307 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2836 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3980 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12195 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpsquibk9ci1u.tmp (6 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (7726 bytes)
%Program Files%\SelectRebates\srtmpgfidl3p70s1.tmp (7387 bytes)
%Program Files%\SelectRebates\srtmpprffko8l5sg.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqukqopku3q.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprf4l6o1035.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Program Files%\SelectRebates\srtmpprf5iq8thc6.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B8OUOM8.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DIR8T6J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OD2BWHUZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5BELTVT7.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9E7WXE3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\816NKHAZ\desktop.ini (67 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 5, 2, 0, 0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5, 2, 0, 0
File Description:
Comments:
Language: English (United States)
Company Name: Product Name: Product Version: 5, 2, 0, 0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 5, 2, 0, 0File Description: Comments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 121297 | 121344 | 4.44682 | 4d681f47f45c557319b32552b0a75e91 |
| .rdata | 126976 | 32074 | 32256 | 3.67224 | 3219c7385c305fabe90ec07b6e8aadd5 |
| .data | 159744 | 22044 | 12288 | 3.66629 | 065b3a05a4d71b7eee1b13f35c64674a |
| .rsrc | 184320 | 564256 | 564736 | 3.23182 | 2ce1b2e75e71719365a1b5ca1436ab03 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 28
6611c6765c7a9ba96c603c2e4e8e7f5d
400ed23b09159d5d010333da056d5df3
d0a2b1094c27682c53eec4610a7b8b07
968275f60494e786bf6478c9faa07ec2
3acc1838782f57fb71b7546d103da43d
9d42e12a73f58f22c30ae235dd467324
7513be25b6427a937ab07285fbec9a32
4fefd9bad32d780915a6bb5cb3991a01
233d975873801c04c599dc98b949de30
595b5f67af4bccf6b3fea1fc8a7d8479
7932c59f3150911120f3251d559d02d7
a38ea7a0b22d4ea7fd48e984a587beca
0d7ffe92c40430c935ebcdbcbb0bee46
752a66818dce36e9496076ca9c49cba4
cfe12b97b4ed66f3a5a07c163c26b94f
70227a1ae5e56c4825147345dba9efc9
8d57062abfa5700ce747616f411c8f21
595a857b4cd2d23f00f117854c546528
50c5937d3791358a9beb73d6949396cb
fb9c6f44946d93c054d2fbd02636b76e
1cbcef45f5c7e24a76da775a7101a01e
7b028e77debddd039afecba6034c7bbf
21f281c657ed14d5916d3e2d4985767d
0157714a55d0089189af04b85c2beca0
a189c4f7f7f59b01df8be3d398a3ae35
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://tbws.shopathome.com/RequestHandler.ashx?MfcISAPICommand=set¶m= |