Adware.Sahat.BK (B) (Emsisoft), Adware.Sahat.BK (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 88a2a8cb6048c78b99b0d9e4ea0821db
SHA1: 0b73c59891fd578dfd9b917b3c04a31c0450d0a6
SHA256: cbd9f8b49e732e0157445a1e371880f97741845a0389bb61ebaf922f92a7b398
SSDeep: 6144:bM/in98C/WvBJIzvGO8QC2Vd8nVG2CPRgLXM 1mq7kycl8dk3LNr6XoRDae8N5YT:yC98CQnmGl2U gL8 13gyc6EZou AZL
Size: 735336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: VideoPerformer
Created at: 2010-11-01 23:14:48
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
%original file name%.exe:632
ShopAtHome_Toolbar_Installer.exe:1328
SelectRebates.exe:844
SelectRebatesDownload.exe:1596
SelectRebatesDownload.exe:1484
regsvr32.exe:660
The Adware injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:632 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QVMC6KCE.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKMD5OPO.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4763 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\QVMC6KCE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TMBUVUDC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKMD5OPO.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (0 bytes)
The process ShopAtHome_Toolbar_Installer.exe:1328 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QVMC6KCE.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3756 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12315 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (0 bytes)
%Program Files%\SelectRebates\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (0 bytes)
The process SelectRebates.exe:844 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\srtmpprfn4m25qbo.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
%Program Files%\SelectRebates\srtmpprfkinsurbm.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqu9nvuch3o.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprf8cm49qr9.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (11518 bytes)
%Program Files%\SelectRebates\srtmpsqum4l6riq6.tmp (6 bytes)
%Program Files%\SelectRebates\srtmpgfigqpm4mt7.tmp (9607 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (168352 bytes)
The Adware deletes the following file(s):
%Program Files%\SelectRebates\srtmpprfn4m25qbo.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfkinsurbm.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqu9nvuch3o.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprf8cm49qr9.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqum4l6riq6.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpgfigqpm4mt7.tmp (0 bytes)
The process SelectRebatesDownload.exe:1596 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\SelectRebates\srtmpprfn4m25qbo.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpprfkinsurbm.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpsqu9nvuch3o.tmp (460 bytes)
%Program Files%\SelectRebates\srtmpprf8cm49qr9.tmp (25 bytes)
%Program Files%\SelectRebates\srtmpgfigqpm4mt7.tmp (226329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
The process SelectRebatesDownload.exe:1484 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TMBUVUDC.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
Registry activity
The process %original file name%.exe:632 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 2B 06 E3 D7 69 8F 68 04 9D A0 7C 1A C1 54 F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process ShopAtHome_Toolbar_Installer.exe:1328 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 60 DB 66 2A 79 5C A5 3B 19 B0 15 92 D9 E4 12"
[HKCU\Software\ShopAtHome\Toolbar]
"TBHideFirst" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ShopAtHome_Toolbar_Installer.exe,"
[HKLM\SOFTWARE\ShopAtHome\SelectRebates]
"SelectRebatesLocation" = "%Program Files%\SelectRebates\SelectRebates.exe"
[HKCU\Software\ShopAtHome\Toolbar]
"TBShowOnce" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
"DisplayName" = "ShopAtHome.com Toolbar"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
The Adware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
"URLUpdateInfo"
"URLInfoAbout"
The Adware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"
The process SelectRebates.exe:844 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 68 46 12 54 1F D2 C6 80 F0 A9 52 AF 78 32 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayName" = "ShopAtHome.com Toolbar"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
[HKLM\SOFTWARE]
"test"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"URLUpdateInfo"
"URLInfoAbout"
The process SelectRebatesDownload.exe:1596 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 0C 39 7E 65 74 1D E7 E4 1F 84 6D B2 2D 1E A3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process SelectRebatesDownload.exe:1484 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 98 3F 0F F0 6F 08 3D 2E 87 0F E6 DF 54 79 A5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:660 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\ShopAtHome\Toolbar]
"EditWidthcombo1" = "1"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\VersionIndependentProgID]
"(Default)" = "ShopAtHome.IEToolbar"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCU\Software\ShopAtHome\Toolbar]
"KeepHistory" = "1"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\"
[HKCU\Software\ShopAtHome\Toolbar]
"RunSearchDragAutomatically" = "1"
"corruptedMsg" = "One of the XML files is corrupted or invalid. Press OK to uninstall."
"lastVersionMsg" = "You have the latest version of the ShopAtHome Toolbar."
"ShowExternalSearches" = "1"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\VersionIndependentProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}" = "00"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\ProgID]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"PopStop" = "Untitled Toolbar has blocked a Pop-up window"
[HKCR\ToolBand.ShopAtHomeIEHelper]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"autoUpdateMsg" = "New version of ShopAtHome Toolbar is available. Would you like to download and install new version?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\0\win32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\ShopAtHome.IEToolbar\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"firstTime" = "1"
"ErrorMsg" = "Error"
"#EditWidthcombo1#" = "Widthcombo11"
"versionError" = "Can not find current version information."
"UpdateAutomatically" = "0"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\ProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCU\Software\ShopAtHome\Toolbar]
"DescriptiveText" = "1"
"OpenNew" = "0"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCU\Software\ShopAtHome\Toolbar]
"AutoComplete" = "1"
"closeAllWindowsForUpdate" = "All running IE Windows will be closed before updating the ShopAtHome Toolbar. Continue?"
"RunSearchAutomatically" = "1"
"toolbar_version" = "undefined"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"updateMsg" = "This will try to update the ShopAtHome Toolbar from the server. Continue?"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 69 0A AA 4E F8 E7 C4 09 7E CE 08 B9 CC 15 D8"
[HKCU\Software\ShopAtHome\Toolbar]
"toolbar_id" = "{FE16BFD1-76C9-4f8e-82CC-0415C3F26ABC}"
[HKCR\ShopAtHome.IEToolbar.1]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCU\Software\ShopAtHome\Toolbar]
"contextMenuItemName" = "ShopAtHome Toolbar search"
[HKCR\ShopAtHome.IEToolbar.1\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"
[HKCU\Software\ShopAtHome\Toolbar]
"ShowFindButtons" = "0"
[HKCR\ToolBand.ShopAtHomeIEHelper\CurVer]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"
[HKCR\ShopAtHome.IEToolbar]
"(Default)" = "ShopAtHome.com Toolbar"
[HKCR\ToolBand.ShopAtHomeIEHelper.1]
"(Default)" = "ShopAtHomeIEHelper Class"
[HKCR\ShopAtHome.IEToolbar\CurVer]
"(Default)" = "ShopAtHome.IEToolbar.1"
[HKCU\Software\ShopAtHome\Toolbar]
"AlertMsg" = "Alert"
"uninstallMsg" = "This will remove the ShopAtHome Toolbar from your computer! Are you sure?"
[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0]
"(Default)" = "ShopAtHome Toolbar 1.0 Type Library"
[HKCU\Software\ShopAtHome\Toolbar\tb_items]
"Widthcombo11" = "1"
[HKCU\Software\ShopAtHome\Toolbar]
"connectionError" = "Can't establish a connection."
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"
[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"
[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"ThreadingModel" = "Apartment"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper"
The Adware deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"
Dropped PE files
| MD5 | File path |
|---|---|
| 84ffd42c17931a9d1f8361e7680c78de | c:\Program Files\SelectRebates\SRFF3.dll |
| 017e694bf86cd554b0fca3b09957e15f | c:\Program Files\SelectRebates\SRebates.dll |
| 0bf024e4f8fc508acfed092399f0fb4c | c:\Program Files\SelectRebates\SelectRebates.exe |
| 5c2402121f5bf6b7f9e3fe302cb291a0 | c:\Program Files\SelectRebates\SelectRebatesApi.exe |
| 589c85ad4b3fd73456f32eb9d58e2f9c | c:\Program Files\SelectRebates\SelectRebatesDownload.exe |
| 388a88031cb58ff9ca2e879086ce7c15 | c:\Program Files\SelectRebates\SelectRebatesUninstall.exe |
| 28bfc80b6652ae0b1b5e4de75ff2247d | c:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:632
ShopAtHome_Toolbar_Installer.exe:1328
SelectRebates.exe:844
SelectRebatesDownload.exe:1596
SelectRebatesDownload.exe:1484
regsvr32.exe:660 - Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QVMC6KCE.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CKMD5OPO.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4763 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3756 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12315 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)
%Program Files%\SelectRebates\srtmpprfn4m25qbo.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpprfkinsurbm.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqu9nvuch3o.tmp (4 bytes)
%Program Files%\SelectRebates\srtmpprf8cm49qr9.tmp (2 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (11518 bytes)
%Program Files%\SelectRebates\srtmpsqum4l6riq6.tmp (6 bytes)
%Program Files%\SelectRebates\srtmpgfigqpm4mt7.tmp (9607 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TMBUVUDC.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 5, 2, 0, 0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5, 2, 0, 0
File Description:
Comments:
Language: Language Neutral
Company Name: Product Name: Product Version: 5, 2, 0, 0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 5, 2, 0, 0File Description: Comments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 121297 | 121344 | 4.44682 | 4d681f47f45c557319b32552b0a75e91 |
| .rdata | 126976 | 32074 | 32256 | 3.67224 | 3219c7385c305fabe90ec07b6e8aadd5 |
| .data | 159744 | 22044 | 12288 | 3.66722 | 475f0fa3b4d53574e2cadfb8cb82bc80 |
| .rsrc | 184320 | 564256 | 564736 | 3.23182 | 2ce1b2e75e71719365a1b5ca1436ab03 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 9
3b493757f823312f972863558a369720
688ca80aa78b4343a7c2d2f86ed36ff5
3ec10249ca7c85295746eeaaecd0e8ac
e8e8fcfffe4f88c1462563a6d5c45478
e0bf3c43452f4d9da23080112a0177ac
9a9f0d3f1943ee9907235530d042257c
7b7438826c6e17b0927711989e90ef11
4da1ff1281e76273c6a72dd84f3f42e6
2df5aac3e356cd3881e39cbf2079fc70
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://tbws.shopathome.com/RequestHandler.ashx?MfcISAPICommand=set¶m= |