Adware.Ipinsight.C (AdAware), Trojan.Win32.IEDummy.FD (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 037a0f79c43dbe32f03c8a887831ab5e
SHA1: 280b8211f704c5782ec1e2472cfaae819b03eec3
SHA256: 09cf46fb690752c5168753a97cb6909a79b9faabb9463d7a61978f2d1d12ecb5
SSDeep: 49152:VuVHtthooxZZKwdFkqq29tbBMMyvT399XGzrOIXvDKb: HuoAwdFkqwMyT99GzrpbKb
Size: 2147884 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2000-06-16 21:00:04
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
BargainBuddy.exe:1732
EbatesMoeMoneyMaker.exe:1836
ebatesmoemoneymaker14.exe:1784
s4Setp.exe:2116
RegSvr32.exe:1068
RegSvr32.exe:1336
RegSvr32.exe:2020
RegSvr32.exe:2012
RegSvr32.exe:484
RegSvr32.exe:480
bargains.exe:908
SuperBarInstall.exe:604
%original file name%.exe:1560
runonce.exe:1260
Setup.exe:1872
rundll32.exe:452
NLNupgradeV4_6P28.exe:1520
IKernel.exe:1292
IKernel.exe:1596
msbb.exe:380
grpconv.exe:604
iKernel.exe:1708
The Adware injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process BargainBuddy.exe:1732 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\Bargain Buddy\bargains.exe (9744 bytes)
%Program Files%\Bargain Buddy\bbchk.exe (12 bytes)
%Program Files%\Bargain Buddy\bin\apuc.dll (601 bytes)
%Program Files%\Bargain Buddy\apuc.dll (1718 bytes)
%Program Files%\Bargain Buddy\bin\bargains.exe (1281 bytes)
%Program Files%\Bargain Buddy\uninst.exe (388 bytes)
The Adware deletes the following file(s):
%Program Files%\Bargain Buddy\bargains.exe (0 bytes)
%Program Files%\Bargain Buddy\apuc.dll (0 bytes)
The process EbatesMoeMoneyMaker.exe:1836 makes changes in the file system.
The Adware deletes the following file(s):
%Program Files%\EbatesMoeMoneyMaker\System\MTemp\encryption.bin (0 bytes)
The process ebatesmoemoneymaker14.exe:1784 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\EbatesMoeMoneyMaker\System\Code\dz.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\da.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\be.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bk.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bb.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\c.class (7 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cu.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\by.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\j.class (261 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ct.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cc.class (710 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dp.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ec.class (533 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dh.class (534 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiBA.tmp (7168 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bi.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ck.class (751 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\l.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\br.class (652 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bv.class (478 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\m.class (538 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bw.class (971 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\y.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\f.class (684 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dr.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\p.class (229 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\db.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bh.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cr.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ea.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\co.class (521 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dt.class (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ds.class (8 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cw.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_proxy.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\x.class (619 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cp.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\ebates_README2.txt (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\w.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dc.class (339 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_conflicts2.htm (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\s.class (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ch.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bq.class (257 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cd.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bd.class (517 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cz.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dw.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bt.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\Main.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bm.class (753 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bs.class (379 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dd.class (15 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dm.class (698 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe (1552 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cb.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\g.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cj.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\ebatesver2.dls (11 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\de.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cq.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_preferences0.htm (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bc.class (707 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\eeid14.dls (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\v.class (119 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bp.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bo.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\n.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ba.class (535 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_script0.htm (43 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ce.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\sunclass.dls (263 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cm.class (522 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dj.class (755 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dk.class (518 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\q.class (484 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\loader.dls (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\di.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\a.class (373 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ed.class (651 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\t.class (286 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dn.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\d.class (687 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bu.class (938 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cg.class (544 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_autorediroffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\r.class (634 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\u.class (359 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\system.dls (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ci.class (541 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_memoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dq.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\e.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_disable0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\i.class (555 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cy.class (449 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\du.class (182 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ca.class (831 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\eb.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\df.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dy.class (678 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bx.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_nonmemoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bj.class (540 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\personality.dls (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\b.class (731 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cs.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\k.class (532 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bz.class (1 bytes)
The process s4Setp.exe:2116 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\MySearch\bar\1.bin\NPMYSRCH.DLL (32 bytes)
%Program Files%\MySearch\bar\1.bin\UNINSTALL.INF (1 bytes)
%Program Files%\MySearch\bar\1.bin\S4BAR.DLL (184 bytes)
%Program Files%\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS (327 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER2.DAT (461 bytes)
%Program Files%\MySearch\bar\1.bin\S42NS.EXE (24 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.BMP (1 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.DAT (922 bytes)
The process SuperBarInstall.exe:604 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (13968 bytes)
%Program Files%\SuperBar\settings.cfg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB9.tmp (16424 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp (0 bytes)
The process %original file name%.exe:1560 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (1726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (6681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (2401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (20687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (11 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (0 bytes)
The process Setup.exe:1872 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (2105 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\temp.000 (11328 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (0 bytes)
%Program Files%\Common Files\InstallShield (0 bytes)
%Program Files%\Common Files\InstallShield\IScript (0 bytes)
%Program Files%\Common Files\InstallShield\Engine\6 (0 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32 (0 bytes)
%Program Files%\Common Files\InstallShield\Engine (0 bytes)
The process rundll32.exe:452 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%WinDir%\inf\SETC0.tmp (1 bytes)
%WinDir%\setupapi.log (1728 bytes)
%WinDir%\SETBD.tmp (1281 bytes)
The Adware deletes the following file(s):
%WinDir%\inf\oem10.inf (0 bytes)
%WinDir%\inf\SETC0.tmp (0 bytes)
%WinDir%\SETBD.tmp (0 bytes)
The process NLNupgradeV4_6P28.exe:1520 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (784 bytes)
%WinDir%\system\RSP.dll (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.igetnet[1].txt (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dll.dat (1568 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\etc\hosts (841 bytes)
C:\t1fg (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (588 bytes)
%WinDir%\system\BHO.DLL (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll.dat (1568 bytes)
%WinDir%\system\WinStart.exe (601 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (0 bytes)
The process IKernel.exe:1292 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files%\Blue Haven Media\Value Added Software\msbb7fd0.rra (5294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\711a.rra (1464 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\obje73d9.rra (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\valu789c.rra (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\defa78ea.rra (1 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\ctor731e.rra (3404 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7dfb.rra (1568 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Supe7fb1.rra (12762 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7ddc.rra (8368 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu7e49.rra (2712 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\core72df.rra (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu786d.rra (2712 bytes)
%Program Files%\Blue Haven Media\Value Added Software\NLNu7f91.rra (4314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8} (4 bytes)
%Program Files%\Blue Haven Media\Value Added Software\lice7ee5.rra (4314 bytes)
%Program Files%\Blue Haven Media\Value Added Software\s4Se7eb7.rra (8760 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Barg7f05.rra (6118 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7e2a.rra (92 bytes)
%Program Files%\Common Files\InstallShield\IScript\iscr7531.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7dbd.rra (11 bytes)
%System%\ipin7fef.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsR7909.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\layo7d40.rra (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt78cb.rra (10582 bytes)
%System%\ipin800e.rra (8474 bytes)
%Program Files%\Blue Haven Media\Value Added Software\ebat7f53.rra (7316 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.ini (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (139 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\iuse7437.rra (6134 bytes)
The Adware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\value.shl (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsRes.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\default.pal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setup.inx (0 bytes)
The process IKernel.exe:1596 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process msbb.exe:380 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5656 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5644 bytes)
Registry activity
The process BargainBuddy.exe:1732 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\Apuc.UrlCatcher]
"(Default)" = "UrlCatcher Class"
[HKLM\SOFTWARE\Bargains]
"PartnerName" = "RANY"
[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}]
"(Default)" = "IUrlCatcher"
[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Bargains]
"ServerPort" = "80"
[HKCR\Apuc.UrlCatcher.1\CLSID]
"(Default)" = "{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bargain Buddy]
"UninstallString" = "%Program Files%\Bargain Buddy\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Apuc.UrlCatcher\CLSID]
"(Default)" = "{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}"
[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
"(Default)" = "UrlCatcher Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Bargains]
"ServerName" = "adpopper.outblaze.com"
[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Apuc.UrlCatcher.1]
"(Default)" = "UrlCatcher Class"
[HKLM\SOFTWARE\Bargains]
"Binary" = "bin"
"ConfigUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=config"
[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bargain Buddy]
"DisplayName" = "Bargain Buddy"
[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\TypeLib]
"(Default)" = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}"
[HKLM\SOFTWARE\Bargains]
"MainDir" = "%Program Files%\Bargain Buddy"
[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0]
"(Default)" = "apuc 1.0 Type Library"
[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\0\win32]
"(Default)" = "%Program Files%\Bargain Buddy\bin\apuc.dll"
[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Bargain Buddy\bin\"
[HKLM\SOFTWARE\Bargains]
"BuildNumber" = "6008"
"serverpath" = "/scripts/adpopper/webservice.main?type=upload"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 F1 73 4C 25 95 DC 02 F7 F1 9D 2F 8B 36 79 F7"
[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BARGAI~1\bin\apuc.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Bargains]
"FirstHitUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=first_hit"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\ProgID]
"(Default)" = "Apuc.UrlCatcher.1"
[HKLM\SOFTWARE\Bargains]
"ADDataUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=data"
[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\VersionIndependentProgID]
"(Default)" = "Apuc.UrlCatcher"
[HKLM\SOFTWARE\Bargains]
"SoftwareUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=software"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
"(Default)" = "Url Catcher"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bargains" = "%Program Files%\Bargain Buddy\bin\bargains.exe"
The Adware deletes the following value(s) in system registry:
The Adware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adp"
The process EbatesMoeMoneyMaker.exe:1836 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Default Visible" = "Yes"
"ButtonText" = "Ebates"
[HKCU\Control Panel\Desktop]
"ForegroundLockTimeout" = "0"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"HotIcon" = "%Program Files%\EbatesMoeMoneyMaker\System\Images\ebates1_hot.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ebatesver2.xml]
"(Default)" = "Ebates Moe Money Maker"
"DisplayName" = "Ebates Moe Money Maker"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Script" = "file://%Program Files%\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Ebates]
"(Default)" = "file://%Program Files%\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Ebates]
"Contexts" = "63"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Icon" = "%Program Files%\EbatesMoeMoneyMaker\System\Images\ebates1.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ebatesver2.xml]
"UninstallString" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker ls: deletefeature ld: feature=ebatesver2.xml"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 29 62 A3 F1 D3 94 B9 03 47 6E 78 7B 74 8E 5B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ebatesmoemoneymaker14.exe:1784 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 90 D6 26 1C FF 15 71 6E 51 BA C4 4C E8 11 C4"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EbatesMoeMoneyMaker" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker"
The process s4Setp.exe:2116 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\MySearchToolBar.NetscapeShutdown.1\CLSID]
"(Default)" = "{014DA6C5-189F-421a-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search IE Installer"
[HKLM\SOFTWARE\MySearch\bar]
"CurInstall" = "1"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\MySearchToolBar.NetscapeStartup.1\CLSID]
"(Default)" = "{014DA6C7-189F-421a-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\0\win32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKLM\SOFTWARE\MySearch\bar]
"dir" = "%Program Files%\MySearch\bar\"
[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My &Search Bar"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.NetscapeStartup"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Blue Haven Media\Value Added Software\s4Setp.exe,"
[HKCR\MySearchToolBar.SettingsPlugin]
"(Default)" = "My Search Settings Plugin"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{014DA6C9-189F-421a-88CD-07CFE51CFF10}" = ""
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\MySearch\bar\partner]
"mysearchurl" = "http://ms107.mysearch.com/"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\MySearchToolBar.NetscapeStartup\CurVer]
"(Default)" = "MySearchToolBar.NetscapeStartup.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall]
"UninstallString" = "RunDll32 advpack.dll,LaunchINFSection %Program Files%\MySearch\bar\1.bin\uninstall.inf,Uninstall"
[HKCR\MySearchToolBar.SettingsPlugin\CLSID]
"(Default)" = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\MySearchToolBar.NetscapeShutdown\CurVer]
"(Default)" = "MySearchToolBar.NetscapeShutdown.1"
[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MySearchToolBar.NetscapeShutdown]
"(Default)" = "MySearchBarNetscapeShutdown Class"
[HKCR\MySearchToolBar.NetscapeStartup.1]
"(Default)" = "MySearchBarNetscapeStartup Class"
[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchSettings"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "MySearchBarNetscapeShutdown Class"
[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search BHO"
[HKCU\Software\Netscape\Netscape Navigator\Automation Shutdown]
"MySearchToolBar.NetscapeShutdown.1" = "MySearchToolBar.NetscapeShutdown.1"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.NetscapeShutdown"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 D5 D3 8E A9 36 AE 9F A8 A1 7A 1A 1F 5A F3 DE"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.SettingsPlugin.1"
[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\"
[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall]
"DisplayName" = "My Search Bar"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKLM\SOFTWARE\MySearch\bar\partner]
"Search" = "http://ms107.mysearch.com/jsp/bardef.jsp?searchfor="
[HKCR\MySearchToolBar.NetscapeStartup]
"(Default)" = "MySearchBarNetscapeStartup Class"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "MySearchBarNetscapeStartup Class"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchBarNetscapeStartup"
[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\MySearchToolBar.NetscapeShutdown\CLSID]
"(Default)" = "{014DA6C5-189F-421a-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.NetscapeStartup.1"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.SettingsPlugin"
[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Netscape\Netscape Navigator\Automation Startup]
"MySearchToolBar.NetscapeStartup.1" = "MySearchToolBar.NetscapeStartup.1"
[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "_IMySearchSettingsEvents"
[HKLM\SOFTWARE\MySearch\bar\partner]
"Name" = ""
[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"
[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\MySearch\bar\partner]
"cfg" = "http://ms107cfg.mysearch.com/ms107cfg.jsp"
[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search Settings"
[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"
[HKCR\MySearchToolBar.NetscapeShutdown.1]
"(Default)" = "MySearchBarNetscapeShutdown Class"
[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\MySearchToolBar.NetscapeStartup\CLSID]
"(Default)" = "{014DA6C7-189F-421a-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search Bar Installer2"
[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"
[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\MySearch\bar\partner]
"Bitmap" = "%Program Files%\MySearch\bar\1.bin\partner.bmp"
[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MySearchToolBar.SettingsPlugin\CurVer]
"(Default)" = "MySearchToolBar.SettingsPlugin.1"
[HKLM\SOFTWARE\MySearch\bar\partner]
"URL" = ""
[HKCR\MySearchToolBar.SettingsPlugin.1\CLSID]
"(Default)" = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}"
[HKLM\SOFTWARE\MySearch\bar\partner]
"EXE" = ""
[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchBarNetscapeShutdown"
[HKCR\MySearchToolBar.SettingsPlugin.1]
"(Default)" = "My Search Settings Plugin"
[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.NetscapeShutdown.1"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"
[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search BHO"
The process RegSvr32.exe:1068 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 56 FD 27 DE 25 FF DE FA 2E C5 5E AF 5C B7 AB"
The process RegSvr32.exe:1336 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 BC E9 1D 8E 1D DC 14 BB 62 63 D3 FD 0B 7E 26"
The process RegSvr32.exe:2020 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 1E D4 37 88 A8 9E 97 1F 21 93 26 55 86 FF B8"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\InprocServer32]
"(Default)" = "%WinDir%\System\BHO.DLL"
[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\HELPDIR]
"(Default)" = "%WinDir%\System"
[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0]
"(Default)" = "BHO"
[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\0\win32]
"(Default)" = "%WinDir%\System\BHO.DLL"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}]
"(Default)" = "_clsUrlSearch"
[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\TypeLib]
"(Default)" = "{974CC25E-D62C-4278-84E6-A806726E37BC}"
[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\TypeLib]
"(Default)" = "{974CC25E-D62C-4278-84E6-A806726E37BC}"
[HKCR\BHO.clsUrlSearch]
"(Default)" = "BHO.clsUrlSearch"
[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\VERSION]
"(Default)" = "3.0"
[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\BHO.clsUrlSearch\Clsid]
"(Default)" = "{730F2451-A3FE-4A72-938C-FC8A74F15978}"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}]
"(Default)" = "BHO.clsUrlSearch"
[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\ProgID]
"(Default)" = "BHO.clsUrlSearch"
[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\TypeLib]
"Version" = "3.0"
The process RegSvr32.exe:2012 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 7F 53 FC 76 1E DB F6 25 C9 B6 5E C0 6B E7 0F"
The process RegSvr32.exe:484 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 3D 24 5E 6F 3D 1E 31 15 CD E3 81 89 B3 6B E4"
The process RegSvr32.exe:480 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 78 80 51 50 AA B0 C6 D6 B4 90 CF D8 28 75 FB"
[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}]
"(Default)" = "_BizLgk"
[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"(Default)" = "{676058DB-89BD-11D6-8A8C-0050BA8452C0}"
[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\HELPDIR]
"(Default)" = "%WinDir%\System"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\ProgID]
"(Default)" = "Rsp.BizLgk"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}]
"(Default)" = "Rsp.BizLgk"
[HKCR\Rsp.BizLgk]
"(Default)" = "Rsp.BizLgk"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\VERSION]
"(Default)" = "1.0"
[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0]
"(Default)" = "Rsp"
[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\InprocServer32]
"(Default)" = "%WinDir%\System\RSP.dll"
[HKCR\Rsp.BizLgk\Clsid]
"(Default)" = "{676058E4-89BD-11D6-8A8C-0050BA8452C0}"
[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"(Default)" = "{676058DB-89BD-11D6-8A8C-0050BA8452C0}"
[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\0\win32]
"(Default)" = "%WinDir%\System\RSP.dll"
The process bargains.exe:908 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 09 85 2C 9A 4B 32 F9 F7 24 AC 48 28 15 21 89"
[HKLM\SOFTWARE\Bargains]
"LastQueryTime" = "0"
"ADDataVersion" = "0"
"UpdateQueryDuration" = "86400"
"MinCountOfUrlsBetweenTwoADs" = "4"
"FirstHit" = "1"
"ConfigVersion" = "0"
"UpdateQueryFailedDuration" = "1200"
"trace" = "0"
"IdleMinutesThreshold" = "5"
"MaxDailyCapPerUSer" = "20"
"MaxDomainCap" = "3"
"MinMinutesBetweenTwoADs" = "2"
The process SuperBarInstall.exe:604 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\SuperBar.Component]
"(Default)" = "SuperBar.Component"
[HKCR\SuperBarExts.SaveDataInterface\CLSID]
"(Default)" = "{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}"
[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}]
"(Default)" = "ISaveDataInterface"
[HKCR\SuperBarExts.SaveDataInterface]
"(Default)" = "SuperBarExts.SaveDataInterface"
[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\SuperBar.Component\CLSID]
"(Default)" = "{835177FE-A8F7-4690-AC10-CBE58765E002}"
[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\InProcServer32]
"(Default)" = "C:\PROGRA~1\SuperBar\SUPERB~1.DLL"
[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"
[HKCR\SuperBarBHO.Component]
"(Default)" = "SuperBarBHO.Component"
[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\InProcServer32]
"(Default)" = "C:\PROGRA~1\SuperBar\SUPERB~1.DLL"
[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}]
"(Default)" = "IFireUserProfileEvents"
[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SuperBar"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{835177FE-A8F7-4690-AC10-CBE58765E002}" = ""
[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\superbar]
"Reg State" = "0"
[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\ProgId]
"(Default)" = "SuperBarBHO.Component"
[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}]
"Version Number" = "2.1.230"
[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\0\win32]
"(Default)" = "%Program Files%\SuperBar\SuperBarExts.Dll"
[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\ProgID]
"(Default)" = "SuperBarExts.SaveDataInterface"
[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}]
"(Default)" = "SuperBar"
[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}]
"(Default)" = "SuperBarExts.UserProfileInterface"
[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\InprocServer32]
"(Default)" = "%Program Files%\SuperBar\SuperBar.Dll"
[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\ProgId]
"(Default)" = "SuperBar.Component"
[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\SuperBar]
"First" = ""
[HKCR\SuperBarExts.UserProfileInterface\CLSID]
"(Default)" = "{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}"
[HKCR\SuperBarBHO.Component\CLSID]
"(Default)" = "{136A9D1D-1F4B-43D4-8359-6F2382449255}"
[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 E1 C6 AD DC 8A 1F 4B 1C BB 4B 2E BC B2 92 5E"
[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"
[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}]
"(Default)" = "SuperBar"
[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0]
"(Default)" = "SuperBarExts"
[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\InprocServer32]
"(Default)" = "%Program Files%\SuperBar\SuperBar.Dll"
[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"
[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}]
"(Default)" = "IUserProfileInterface"
[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\ProgID]
"(Default)" = "SuperBarExts.UserProfileInterface"
[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}]
"(Default)" = "SuperBarExts.SaveDataInterface"
[HKCR\SuperBarExts.UserProfileInterface]
"(Default)" = "SuperBarExts.UserProfileInterface"
The process %original file name%.exe:1560 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 85 B0 47 24 4E AA 55 2E 5D 71 9B 36 85 2F 51"
The process runonce.exe:1260 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 91 6D B5 1B 64 FE 4D 6D E3 0E 59 16 E9 61 B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Adware deletes the following value(s) in system registry:
The Adware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process Setup.exe:1872 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 47 62 9D C5 65 BE 56 66 FA E2 BE ED DB 92 CC"
The process rundll32.exe:452 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F FC E7 FE 4A 65 14 8B F9 02 9F CC 5C F6 51 1F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IPInsight]
"UninstallString" = "RunDll32 advpack.dll,LaunchINFSection %WinDir%\INF\IPInsigt.inf, Uninstall"
[HKLM\SOFTWARE\IPInsight]
"IdOfDist" = "BLUE6003"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
"INF/IPINSIGT.PNF" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IPInsight]
"DisplayName" = "IPInsight"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/IPINSIGT.inf" = "1"
"INF/oem10.PNF" = "1"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The process NLNupgradeV4_6P28.exe:1520 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 B8 ED 8C 20 D7 2E 05 6B 50 94 D2 3F 59 91 4D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winstart" = "%WinDir%\System\WinStart.exe -boot"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}"
"{CFCDA454-78A0-404A-90E9-AD589DA7E059}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"
[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E3D9BB01-877C-11d6-9408-00409530574B}"
The process IKernel.exe:1292 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\iscript.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"UninstallString" = "RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.exe"
[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"iKernel.exe" = "1"
[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}]
"(Default)" = "ISetupPropertyBag"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%System%]
"ipinsigt.dll" = "1"
[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\IScript]
"iscript.dll" = "1"
[HKCR\Setup.ScriptEngine.1]
"(Default)" = "InstallShield Script Engine"
[HKCR\Setup.ScriptEngine.1\CLSID]
"(Default)" = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"
[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}]
"(Default)" = "ISetupScriptEngine"
[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}]
"(Default)" = "IPInsigtObj Class"
[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}]
"(Default)" = "ISetupMultiMedia"
[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Setup.ScriptDriverWrapper\CLSID]
"(Default)" = "{AA7E2086-CB55-11D2-8094-00104B1F9838}"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}]
"(Default)" = "ISetupWindowBillBoards"
[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}]
"(Default)" = "ISetupMainWindow"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Setup.User\CLSID]
"(Default)" = "{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}"
[HKCR\Setup.ScriptEngine\CLSID]
"(Default)" = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"
[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "InstallShield setup object wrapper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\TypeLib]
"(Default)" = "{BE35582C-9796-4CF1-AED9-556ADA120B38}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\VersionIndependentProgID]
"(Default)" = "IPInsigt.IPInsigtObj"
[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0]
"(Default)" = "Setup UI 1.0 Type Library"
[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"
[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0]
"(Default)" = "IPInsigt 1.0 Type Library"
[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}]
"(Default)" = "ISetupUserInterface"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\ProgID]
"(Default)" = "Setup.ScriptDriverWrapper.1"
[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iuser.dll"
[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}]
"(Default)" = "ISetupMainWindow4"
[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\Setup.ScriptObjectWrapper.1\CLSID]
"(Default)" = "{AA7E2087-CB55-11D2-8094-00104B1F9838}"
[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}]
"(Default)" = "ISetupSDMessage"
[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}]
"(Default)" = "ISetupRebootable"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Setup.ScriptDriverWrapper.1\CLSID]
"(Default)" = "{AA7E2086-CB55-11D2-8094-00104B1F9838}"
[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0]
"(Default)" = "InstallShield Script 1.0 Type Library"
[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\IPInsigt.IPInsigtObj.1]
"(Default)" = "IPInsigtObj Class"
[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}]
"(Default)" = "ISetupWindowImage"
[HKCR\IPInsigt.IPInsigtObj.1\CLSID]
"(Default)" = "{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}"
[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}]
"(Default)" = "ISetupProgress2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 DF 1A A9 59 BB 55 4E 64 F7 84 39 ED DD CE C0"
[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\IPInsight]
"IdOfDist" = "BLUE6003"
[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"objectps.dll" = "1"
[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Setup.ScriptDriverWrapper.1]
"(Default)" = "InstallShield setup object wrapper"
[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"
[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}]
"(Default)" = "ISetupScriptError"
[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}]
"(Default)" = "ISetupWindowText"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"ctor.dll" = "1"
[HKCR\Setup.ScriptEngine]
"(Default)" = "InstallShield Script Engine"
[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"
[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.ScriptEngine.1"
[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}]
"(Default)" = "ISetupObjectLifetime"
[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods]
"(Default)" = "5"
[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}]
"(Default)" = "InstallShield setup user interafce"
[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Setup.ScriptDriverWrapper]
"(Default)" = "InstallShield setup object wrapper"
[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\iscript.dll"
[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib]
"Version" = "1.0"
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"
[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"LogFile" = "%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setup.ilg"
[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}]
"(Default)" = "ISetupScriptEngine2"
[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\TypeLib]
"Version" = "1.0"
[HKCR\Setup.ScriptObjectWrapper]
"(Default)" = "InstallShield setup object wrapper"
[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}]
"(Default)" = "ISetupMainWindow2"
[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}]
"(Default)" = "ISetupGUIObject"
[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\TypeLib]
"(Default)" = "{11CC62B9-65F8-4A8B-B33F-5DE4E838442D}"
[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}]
"(Default)" = "ISetupMainWindow3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\Setup.User.1]
"(Default)" = "InstallShield setup user interafce"
[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "InstallShield setup object wrapper"
[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptEngine"
[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.User"
[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}]
"(Default)" = "ISetupProgress"
[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}]
"(Default)" = "ISetupScriptController"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}]
"(Default)" = "ISetupObjectClass"
[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"
[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptDriverWrapper"
[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.User.1"
[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupWizardUI"
[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"iuser.dll" = "1"
[HKLM\SOFTWARE\IPInsight]
"IdOfInst" = "{421ADD68-E5A4-405B-A47E-943B7EFCB8D2}"
[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\InprocServer32]
"(Default)" = "%System%\ipinsigt.dll"
[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"corecomp.ini" = "1"
[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"
[HKCR\Setup.ScriptObjectWrapper\CLSID]
"(Default)" = "{AA7E2087-CB55-11D2-8094-00104B1F9838}"
[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\ProgID]
"(Default)" = "IPInsigt.IPInsigtObj.1"
[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\objectps.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}]
"(Default)" = "ISetupObjectReboot"
[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}]
"(Default)" = "IIPInsigtObj"
[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptObjectWrapper"
[HKCR\Setup.User]
"(Default)" = "InstallShield setup user interafce"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\0\win32]
"(Default)" = "%System%\ipinsigt.dll"
[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"DisplayName" = "Value Added Software"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}]
"(Default)" = "ISetupServiceProvider"
[HKCR\Setup.ScriptObjectWrapper.1]
"(Default)" = "InstallShield setup object wrapper"
[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0]
"(Default)" = "InstallShield Runtime 1.0 Type Library"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Setup.User.1\CLSID]
"(Default)" = "{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}"
[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\ProgID]
"(Default)" = "Setup.ScriptObjectWrapper.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}]
"(Default)" = "InstallShield Script Engine"
[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"
[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"
[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iuser.dll"
The process IKernel.exe:1596 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}]
"(Default)" = "ISetupFileService"
[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Setup.LogServices]
"(Default)" = "SetupLogServices Class"
[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Setup.Kernel]
"(Default)" = "InstallShield setup kernel"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupTransferEvents"
[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\"
[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}]
"(Default)" = "ISetupRegistry2"
[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}]
"(Default)" = "ISetupShellLink2"
[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}]
"(Default)" = "ISetupShell2"
[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}]
"(Default)" = "ISetupShell"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpTypes"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpType"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Setup.Kernel\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}]
"(Default)" = "ISetupTransferErrorInfo"
[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}]
"(Default)" = "ISetupCABFile2"
[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}]
"(Default)" = "ISetupRegistry"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}]
"(Default)" = "ISetupFileErrors"
[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\1.0\FLAGS]
"(Default)" = "1"
[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupComponents"
[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}]
"(Default)" = "ISetupReboot2"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}]
"(Default)" = "ISetupSharedFiles"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}]
"(Default)" = "ISetupBasicFeature"
[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}]
"(Default)" = "ISetupObjectContext"
[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}]
"(Default)" = "SetupLogServices Class"
[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\Setup.Kernel.1]
"(Default)" = "InstallShield setup kernel"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\VersionIndependentProgID]
"(Default)" = "Setup.LogServices"
[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 E8 2D 23 BA C9 B9 7F EB 59 80 D2 5A D3 00 43"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0]
"(Default)" = "Setup Kernel 1.0 Type Library"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}]
"(Default)" = "ISetupLogDB2"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupFeatureLogs"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupMedia"
[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}]
"(Default)" = "ISetupCopyFiles"
[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupCABFile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}]
"(Default)" = "SetupLogServices Class"
[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}]
"(Default)" = "ISetupTextSubstitution"
[HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\1.0\0\win32]
"(Default)" = "%System%\stdole32.tlb"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpSequence"
[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}]
"(Default)" = "ISetupInfo"
[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}]
"(Default)" = "ISetupTransferEvents2"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"
[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}]
"(Default)" = "ISetupReboot"
[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}]
"(Default)" = "ISetupCABFiles"
[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID]
"(Default)" = "Setup.LogServices.1"
[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupFeature"
[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "InstallShield setup kernel"
[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.Kernel.1"
[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}]
"(Default)" = "ISetupShellLink"
[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObjectHolder"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}]
"(Default)" = "ISetupTypes"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}]
"(Default)" = "ISetupFileErrorInfo"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupLogDB"
[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObjects"
[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Setup.LogServices.1\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}]
"(Default)" = "ISetupComponent2"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupFeatureLog"
[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Setup.Kernel.1\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupDriver"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}]
"(Default)" = "ISetupFilesCost"
[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupFeatures"
[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupLogService"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupStringTable"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.Kernel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}]
"(Default)" = "ISetupFileRegistrar"
[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}]
"(Default)" = "ISetupMedia2"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe"
[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}]
"(Default)" = "ISetupType"
[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupTransfer"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Setup.LogServices.1]
"(Default)" = "SetupLogServices Class"
[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupComponent"
[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObject"
[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Setup.LogServices\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}]
"(Default)" = "ISetupBasicFeatureStateEvents"
The process msbb.exe:380 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\180solutions\msbb]
"duid" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\180solutions\msbb]
"int_high" = "30323701"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE]
"DisplayName" = "Interstitial Ad Delivery by n-CASE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\180solutions\msbb]
"int_low" = "3998487504"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb]
"DisplayName" = "PAD Lookups by n-CASE"
"UninstallString" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe /uninst_init=y"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\180solutions\msbb]
"key_int_high" = "30323701"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 91 5B 50 D8 73 C0 86 D3 03 31 3D 19 05 CE CA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE]
"UninstallString" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe /disable_ads_init=y"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\180solutions\msbb]
"DID" = "172"
"key_int_low" = "3998487504"
[HKCU\Software\Microsoft\RAS Autodial\Control]
"LoginSessionDisable" = "1"
The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msbb" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process grpconv.exe:604 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 EF CC DE 63 48 C8 77 D5 55 75 F4 DF FF 59 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.grp]
"(Default)" = "MSProgramGroup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The process iKernel.exe:1708 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\Setup.LogServices.1\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}]
"(Default)" = "SetupLogServices Class"
[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Setup.LogServices]
"(Default)" = "SetupLogServices Class"
[HKCR\Setup.Kernel]
"(Default)" = "InstallShield setup kernel"
[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"
[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"
[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"
[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.Kernel.1"
[HKCR\Setup.Kernel.1\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID]
"(Default)" = "Setup.LogServices.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.Kernel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Setup.Kernel\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Setup.Kernel.1]
"(Default)" = "InstallShield setup kernel"
[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "InstallShield setup kernel"
[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\VersionIndependentProgID]
"(Default)" = "Setup.LogServices"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED CF D2 AB E4 23 07 61 83 DC B8 82 1F F5 EC F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}]
"(Default)" = "SetupLogServices Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\Setup.LogServices\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"
[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"
[HKCR\Setup.LogServices.1]
"(Default)" = "SetupLogServices Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Dropped PE files
| MD5 | File path |
|---|---|
| 68d9018bcfa92be76496c143ce4f9dce | c:\Program Files\Bargain Buddy\bbchk.exe |
| 7cea2f1e30d72e581180d8e7d8d3c352 | c:\Program Files\Bargain Buddy\bin\apuc.dll |
| 34ea7c3a3b38367df4ce5af9df3f7b86 | c:\Program Files\Bargain Buddy\bin\bargains.exe |
| 571f5cf91cdd81dc5ee7b05c62381a9f | c:\Program Files\Bargain Buddy\uninst.exe |
| 4e462c620bead34a48b6509899d37652 | c:\Program Files\Blue Haven Media\Value Added Software\BargainBuddy.exe |
| 9910682e8f18775e956743fc6dfa8724 | c:\Program Files\Blue Haven Media\Value Added Software\NLNupgradeV4_6P28.exe |
| 6108b9c43678e89489d5773cf17974cb | c:\Program Files\Blue Haven Media\Value Added Software\SuperBarInstall.exe |
| f4cb48d89f212ffb9381a404c8bb78a8 | c:\Program Files\Blue Haven Media\Value Added Software\ebatesmoemoneymaker14.exe |
| ba1c32a6a67c430ac2dd4d1e00ee17aa | c:\Program Files\Blue Haven Media\Value Added Software\msbb.exe |
| 03759c4c9477b649c73e0bab5782f401 | c:\Program Files\Blue Haven Media\Value Added Software\s4Setp.exe |
| b3fd01873bd5fd163ab465779271c58f | c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe |
| 003a6c011aac993bcde8c860988ce49b | c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll |
| 377765fd4de3912c0f814ee9f182feda | c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll |
| 8f02b204853939f8aefe6b07b283be9a | c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll |
| b2f7e6dc7e4aae3147fbfc74a2ddb365 | c:\Program Files\Common Files\InstallShield\IScript\iscript.dll |
| 4b9068b917a5048389b906fc473fcf3f | c:\Program Files\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe |
| e0927f427281ccde747e10f17df53318 | c:\Program Files\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.exe |
| a74ebf51ef783d587a83ef8f13f140b2 | c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL |
| 1ffa3b2e7d98986a1d77e658a81faab7 | c:\Program Files\MySearch\bar\1.bin\S42NS.EXE |
| c4f850df4d5680ba7e1768e9f28d7280 | c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL |
| d8c584cc212dcfa16a33c5e432124d20 | c:\Program Files\SuperBar\SuperBar.Dll |
| ab80382700b014963d8f60cea2100a21 | c:\Program Files\SuperBar\SuperBarExts.Dll |
| ce05e2c23ff49d780435b6d328023866 | c:\WINDOWS\IPINSIGT.DLL |
| ce05e2c23ff49d780435b6d328023866 | c:\WINDOWS\system32\ipinsigt.dll |
| 1de9f0524cf10109cead1c0ba914a0d8 | c:\WINDOWS\system\BHO.DLL |
| 2072f873933beefb514f2c992a18abd4 | c:\WINDOWS\system\RSP.dll |
| 9910682e8f18775e956743fc6dfa8724 | c:\WINDOWS\system\WinStart.exe |
HOSTS file anomalies
The Adware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 841 bytes in size. The following strings are added to the hosts file listed below:
| 216.177.73.139 | auto.search.msn.com |
| 216.177.73.139 | search.netscape.com |
| 216.177.73.139 | ieautosearch |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
BargainBuddy.exe:1732
EbatesMoeMoneyMaker.exe:1836
ebatesmoemoneymaker14.exe:1784
s4Setp.exe:2116
RegSvr32.exe:1068
RegSvr32.exe:1336
RegSvr32.exe:2020
RegSvr32.exe:2012
RegSvr32.exe:484
RegSvr32.exe:480
bargains.exe:908
SuperBarInstall.exe:604
%original file name%.exe:1560
runonce.exe:1260
Setup.exe:1872
rundll32.exe:452
NLNupgradeV4_6P28.exe:1520
IKernel.exe:1292
IKernel.exe:1596
msbb.exe:380
grpconv.exe:604
iKernel.exe:1708 - Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
%Program Files%\Bargain Buddy\bargains.exe (9744 bytes)
%Program Files%\Bargain Buddy\bbchk.exe (12 bytes)
%Program Files%\Bargain Buddy\bin\apuc.dll (601 bytes)
%Program Files%\Bargain Buddy\apuc.dll (1718 bytes)
%Program Files%\Bargain Buddy\bin\bargains.exe (1281 bytes)
%Program Files%\Bargain Buddy\uninst.exe (388 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dz.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\da.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\be.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bk.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bb.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\c.class (7 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cu.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\by.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\j.class (261 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ct.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cc.class (710 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dp.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ec.class (533 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dh.class (534 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiBA.tmp (7168 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bi.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ck.class (751 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\l.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\br.class (652 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bv.class (478 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\m.class (538 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bw.class (971 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\y.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\f.class (684 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dr.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\p.class (229 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\db.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bh.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cr.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ea.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\co.class (521 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dt.class (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ds.class (8 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cw.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_proxy.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\x.class (619 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cp.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\ebates_README2.txt (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\w.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dc.class (339 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_conflicts2.htm (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\s.class (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ch.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bq.class (257 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cd.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bd.class (517 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cz.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dw.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bt.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\Main.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bm.class (753 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bs.class (379 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dd.class (15 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dm.class (698 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe (1552 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cb.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\g.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cj.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\ebatesver2.dls (11 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\de.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cq.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_preferences0.htm (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bc.class (707 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\eeid14.dls (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\v.class (119 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bp.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bo.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\n.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ba.class (535 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_script0.htm (43 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ce.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\sunclass.dls (263 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cm.class (522 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dj.class (755 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dk.class (518 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\q.class (484 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\loader.dls (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\di.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\a.class (373 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ed.class (651 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\t.class (286 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dn.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\d.class (687 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bu.class (938 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cg.class (544 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_autorediroffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\r.class (634 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\u.class (359 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\system.dls (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ci.class (541 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_memoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dq.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\e.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_disable0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\i.class (555 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cy.class (449 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\du.class (182 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ca.class (831 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\eb.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\df.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dy.class (678 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bx.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_nonmemoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bj.class (540 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\personality.dls (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\b.class (731 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cs.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\k.class (532 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bz.class (1 bytes)
%Program Files%\MySearch\bar\1.bin\NPMYSRCH.DLL (32 bytes)
%Program Files%\MySearch\bar\1.bin\UNINSTALL.INF (1 bytes)
%Program Files%\MySearch\bar\1.bin\S4BAR.DLL (184 bytes)
%Program Files%\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS (327 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER2.DAT (461 bytes)
%Program Files%\MySearch\bar\1.bin\S42NS.EXE (24 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.BMP (1 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.DAT (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (13968 bytes)
%Program Files%\SuperBar\settings.cfg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB9.tmp (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (1726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (6681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (2401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (20687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (2105 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\temp.000 (11328 bytes)
%WinDir%\inf\SETC0.tmp (1 bytes)
%WinDir%\setupapi.log (1728 bytes)
%WinDir%\SETBD.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (784 bytes)
%WinDir%\system\RSP.dll (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.igetnet[1].txt (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dll.dat (1568 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\etc\hosts (841 bytes)
C:\t1fg (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (588 bytes)
%WinDir%\system\BHO.DLL (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll.dat (1568 bytes)
%WinDir%\system\WinStart.exe (601 bytes)
%Program Files%\Blue Haven Media\Value Added Software\msbb7fd0.rra (5294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\711a.rra (1464 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\obje73d9.rra (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\valu789c.rra (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\defa78ea.rra (1 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\ctor731e.rra (3404 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7dfb.rra (1568 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Supe7fb1.rra (12762 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7ddc.rra (8368 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu7e49.rra (2712 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\core72df.rra (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu786d.rra (2712 bytes)
%Program Files%\Blue Haven Media\Value Added Software\NLNu7f91.rra (4314 bytes)
%Program Files%\Blue Haven Media\Value Added Software\lice7ee5.rra (4314 bytes)
%Program Files%\Blue Haven Media\Value Added Software\s4Se7eb7.rra (8760 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Barg7f05.rra (6118 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7e2a.rra (92 bytes)
%Program Files%\Common Files\InstallShield\IScript\iscr7531.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7dbd.rra (11 bytes)
%System%\ipin7fef.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsR7909.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\layo7d40.rra (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt78cb.rra (10582 bytes)
%System%\ipin800e.rra (8474 bytes)
%Program Files%\Blue Haven Media\Value Added Software\ebat7f53.rra (7316 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.ini (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (139 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\iuse7437.rra (6134 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5656 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bargains" = "%Program Files%\Bargain Buddy\bin\bargains.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EbatesMoeMoneyMaker" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winstart" = "%WinDir%\System\WinStart.exe -boot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msbb" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Blue Haven Media
Product Name: Value Added Software
Product Version: 1.00.000
Legal Copyright:
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32i.exe
File Version: 1.00.000
File Description:
Comments:
Language: English (United States)
Company Name: Blue Haven MediaProduct Name: Value Added SoftwareProduct Version: 1.00.000Legal Copyright: Legal Trademarks: Original Filename: stub32i.exe Internal Name: stub32i.exe File Version: 1.00.000File Description: Comments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 67194 | 69632 | 4.48253 | c5ed1c470db2fcb57b814d82c0292896 |
| .rdata | 73728 | 6120 | 8192 | 3.19984 | d17184d8f4b5b34c55189f25493c2c91 |
| .data | 81920 | 15612 | 8192 | 1.68059 | ff95d6d261e578ed8925d2003fa45169 |
| .rsrc | 98304 | 70152 | 73728 | 2.60145 | 07c7762c6a42bb4d1b8932041f320747 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 13
c177c231b5a85c06c22ed115800feff7
0bf147382799515e3c33a5814c7675f9
636f2207175d0dbac9caada17919c398
2ccfa707196e7c3260de15c5eb336ae5
b798b4a63b357a5871682d065a4c68b0
168a10fe1a6892b2ec39b04eb9d8666c
499b765e6181c36420f5b1acc9b0cd99
feec223442a50392288274b01492ee5d
23b5b69dabc4e49d3e594b990f980a36
7d308ead4444c35f3bf63de5f0203b45
b0deff82a56c74caaa8dddff4e34d26f
3334bb58e20d931bb24a0bce42518588
b07aafcbd133e77e93440983b901abc1
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://173.194.43.51/adsense/domains/caf.js | |
| hxxp://www.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= | 208.73.211.250 |
| hxxp://50.63.202.57/external/builds/common/equivalent_domains.htm | |
| hxxp://www.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA | 208.73.211.250 |
| hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ | |
| hxxp://oversee.vo.llnwd.net/css/mobile/15009.css | |
| hxxp://173.194.43.34/ga.js | |
| hxxp://69.64.147.249/thankyou.php?campaign="C:Program FilesInternet Exploreriexplore.exe" -nohome&ai=1 | |
| hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=www.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~ | |
| hxxp://173.194.43.56/domainads/tracking/caf.gif?ts=1410993259077&rid=2427752 | |
| hxxp://oversee.vo.llnwd.net/js/main.js | |
| hxxp://a1123.g.akamai.net/rmgpsc/7867/body-bg.gif | |
| hxxp://googleapis.l.google.com/ajax/libs/webfont/1/webfont.js | |
| hxxp://50.63.202.57/external/builds/images/moe_question.gif | |
| hxxp://a1123.g.akamai.net/rmgpsc/7867/header-bg.jpg | |
| hxxp://mobileoversee.net/cdn/img/bg_grey_arrows.jpg | 96.31.35.61 |
| hxxp://a1123.g.akamai.net/rmgpsc/7867/logo1.png | |
| hxxp://108.161.188.209/jquery-latest.min.js | |
| hxxp://173.194.43.57/static/caf/slave.html | |
| hxxp://173.194.43.57/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=www.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://www.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://www.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= | |
| hxxp://googleapis.l.google.com/css?family=Libre Baskerville | |
| hxxp://fonts.gstatic.com/s/librebaskerville/v3/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot | 173.194.43.55 |
| hxxp://69.64.147.249/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020 | |
| hxxp://50.63.202.57/external/builds/downloads/ebatesver2updates.dls | |
| hxxp://69.64.147.249/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com | |
| hxxp://69.64.147.249/3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd | |
| hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ | |
| hxxp://rte-img.nuseek.com/templates/t1020/images/btn-blacklime.png | 69.64.155.190 |
| hxxp://rte-img.nuseek.com/templates/t1020/images/blt-greenarrow.png | 69.64.155.190 |
| hxxp://www.ignkeywords.com/?epl=kTfFgYP5ZwKXEtIYM403DOCiF_IbEgqnSO7in6JFTuQb8agcGurtJRBMr6yXxe5jX3X0jKFFmEEnzVTvSgXz4DiUrvROSZRWWT8mmciaMIviKz_UXhuvEicUixVEKhf1zuSm1ma2v01E8ovntWbEUUcwIgtTGsKI9haCLtnNLVi7WmQVcFXmDNqLDLUWEQdHxiUGE7SUgmZBoVDGRcwuFNiXDsaeukYb_FwFsxvJRoeCpLAlnDXSsFEMsD9_qQyD_vBAzG2Vs1guTckRM6ZyLRwgG99I8UNA7aUaNdZ8YBC5KccT1SdJmfU69HISYsWtkmY614YzTyk1B79cIW6fXfxJjHAUx2nYzajLt_yMFQzeBlfwnedcrrQxMIzqqEYI3R8A6-VdH_fVTnXH3q502Qa5kFACYWGjdlbYk_YAk4GuTaQ37pidwG6QpFSZZUk2uR6BOpEiEIiDnkbpjXOiNCui14mzQz6OosQibZrjbokhclaENUdn1DUTpIaPI6LpxsM4Gcjfzvg78L0QUkgvFeNk23Myn59EXi3n8V06hYTNHE8e1XD8vocft-tJfo0GoB6NDPUoE82kCdGUgGmgacRoyGSARqMxAGgAkGlEnjIFRg006qkHmvTU1NOkAY2A6KlhW5NtxwFA8N__vwAAAAXgfwdAAEiA3zcAABe9kN9ZUyZZQTE2aFpC_AIAAPA | 208.73.211.250 |
| hxxp://173.194.43.57/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821 | |
| hxxp://ip-50-63-202-57.ip.secureserver.net/external/builds/downloads/build5updates.dls | |
| hxxp://lga15s35-in-f19.1e100.net/images/cleardot.gif | |
| hxxp://www159.mysearch.com/ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1 | |
| hxxp://imgfarm.com/images/mysearchbar/customize4a.bmp | 74.113.233.61 |
| hxxp://imgfarm.com/images/mysearchbar/highlight4.bmp | 74.113.233.61 |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=www.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~ | |
| hxxp://www.bluehavenmedia.com/3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd | |
| hxxp://www.bluehavenmedia.com/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020 | |
| hxxp://code.jquery.com/jquery-latest.min.js | |
| hxxp://cdn.cdncomputer.com/css/mobile/15009.css | 208.111.168.6 |
| hxxp://dp.g.doubleclick.net/static/caf/slave.html | |
| hxxp://c.rmgserving.com/rmgpsc/7867/body-bg.gif | 184.84.243.217 |
| hxxp://cdn.cdncomputer.com/js/main.js | 208.111.168.6 |
| hxxp://www.topmoxie.com/external/builds/downloads/ebatesver2updates.dls | |
| hxxp://www.topmoxie.com/external/builds/downloads/build5updates.dls | |
| hxxp://www.google.com/adsense/domains/caf.js | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ | |
| hxxp://b.rmgserving.com/rmgpsc/7867/header-bg.jpg | 184.84.243.210 |
| hxxp://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js | 64.233.171.95 |
| hxxp://www.google-analytics.com/ga.js | |
| hxxp://www.topmoxie.com/external/builds/common/equivalent_domains.htm | |
| hxxp://www.bluehavenmedia.com/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com | |
| hxxp://ms107cfg.mysearch.com/ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1 | 74.113.233.58 |
| hxxp://www.bluehavenmedia.com/thankyou.php?campaign="C:Program FilesInternet Exploreriexplore.exe" -nohome&ai=1 | |
| hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410993259077&rid=2427752 | |
| hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821 | |
| hxxp://www.google.com/images/cleardot.gif | |
| hxxp://fonts.googleapis.com/css?family=Libre Baskerville | 64.233.171.95 |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ | |
| hxxp://www.topmoxie.com/external/builds/images/moe_question.gif | |
| hxxp://d.rmgserving.com/rmgpsc/7867/logo1.png | 184.84.243.210 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /jquery-latest.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: code.jquery.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:10 GMT
Content-Type: application/x-javascript
Content-Length: 95786
Connection: keep-alive
Last-Modified: Thu, 03 Jul 2014 13:54:44 GMT
Vary: Accept-Encoding
ETag: "53b560a4-1762a"
Expires: Thu, 18 Sep 2014 23:10:58 GMT
Cache-Control: max-age=86400
Cache-Control: public
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes
/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c= a (0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h ),"object"==typeof g||m.
<<< skipped >>>
GET /ajax/libs/webfont/1/webfont.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Thu, 08 May 2014 18:18:52 GMT
Date: Thu, 18 Sep 2014 02:45:47 GMT
Expires: Thu, 18 Sep 2014 03:45:47 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6759
X-XSS-Protection: 1; mode=block
Age: 3023
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
...........;.{.H....@../.J.VwW(o..V..m.V]7.>....@..........!M.........3g....'[...8...I<.....S.rB.T;"U0...,.....&..J.j.,..V..v8%....K.H.2.3m..i....K7].>.i.r.ey...J.s$..%)..]@...dZ.O.iB..j....u.,..Y.....X..S.E8....J =.......s.0d....). .oO.O..Ov.a1.C......m...Y.^#S@( >..........}U.....J....<....8M..U....E/...Z....L../..K];:.<...O.W..?\.d....?<.:=....k..g/N.N....R;<...9={ai......i.;.4..$.m.."..r.Z.s..)..(.`kY<#1.......H..b..x.% .ji2I*R.:.....S.[]@....<...9.......}mG3.S;.s.j..eE'.....8...s8....`6..fY.k..$......lB..B..$..........g.^6KSk.=.u.@-3........z....p@..%N...j3.0.......%..2t[7....>2.Ao.<.....M.hp....j.......6]...u..vJ...mo....r.D.a........P.=.<...........9...rY.K."l......8......}..E..Q.4.[.H...D.#bV.".k'E..........v...wX.....y.W.Sj.(_l]..b....#.t.'.Mw.j.1....VX/@D..f..x...B.....G...m..H.....G.:.*....b...J..#C.@zn)h..Tb...'.i..T...3.^...Y>_,.l........go9."#..<...../.....M......|PP..$.... .b.>.{....Y.7%s...}..G.<.g.E....7PP....S.{^...........<....h..a%...Z..r.lo.3.Yx<J..h.......c.NP.2o.@`PL .|yt.E.32....Q.,...$qj*.p.%.GJ..a...4WQ.Q.>.o)....I.|<........T....Z"2B.t..N....s../$...o..!...... :.%@..x$.!...hh......b...b...Y9b......|......:.....!_#x.........<......5...:MI@.Nc........q..u....p..$.6...z..W.ux@...A... .......6.....x..>.pk.y@.i.......*.....F.W..$G....../.. 8z.....N[..4..... u.(.#J ...4r.%.x..%.R0...3B`...1....n_.....(.uT..1.s......%..f.....>~...YH.MY....p.%.X.........G.*.h."..#....%B..:..!..a.s1iE.v.f..X.g.#5....Z.....0IlO...... N..m..
<<< skipped >>>
GET /domainads/tracking/caf.gif?ts=1410993259077&rid=2427752 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,........@..D..;..
GET /css?family=Libre Baskerville HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Timing-Allow-Origin: *
Expires: Thu, 18 Sep 2014 03:36:11 GMT
Date: Thu, 18 Sep 2014 03:36:11 GMT
Cache-Control: private, max-age=86400
Content-Encoding: gzip
Content-Length: 265
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=0.002
............KK.@......K.&.jD..M..>.F...L&7..If..m...n..*.......\..B/g...G..*.l"..Dj...n.....\~u,6."R)S2ypk...#..A.Y.#.5.]#....c.."C.}.Jj..6.....R..6^,.s0Y....^Gv:..?...7!c...j...........T.I.......[.%Pl%3]..P.....u.L!. ........p....4....=.....-..Z....SN..{....Q.......
GET /images/mysearchbar/highlight4.bmp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: imgfarm.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:15 GMT
Server: Apache
Last-Modified: Mon, 02 Dec 2002 23:11:05 GMT
ETag: "2aeeaf-528-3b0d8ecf47440"
Accept-Ranges: bytes
Content-Length: 1320
Cache-Control: max-age=0
Expires: Thu, 18 Sep 2014 03:36:15 GMT
Connection: close
Content-Type: image/bmp
BM(...........(...T....................................................D........5......................@...f..........................aaa.......................................................................................................................................................................................................................................
GET /templates/t1020/images/btn-blacklime.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rte-img.nuseek.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1773
Content-Type: image/png
Last-Modified: Tue, 12 Aug 2014 20:29:51 GMT
Accept-Ranges: bytes
ETag: "e89c3b2b6cb6cf1:3ac"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
.PNG........IHDR...F.........J~.A....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:246E21A3257511E39B81EA5DE5296AE8" xmpMM:DocumentID="xmp.did:246E21A4257511E39B81EA5DE5296AE8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:246E21A1257511E39B81EA5DE5296AE8" stRef:documentID="xmp.did:246E21A2257511E39B81EA5DE5296AE8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........PLTE#$''( . " -/.13........f..a..]q.D..V~.O..\09)..R\x9..f..c..S..dYq?..g..`..Y..T[x8p.C]y;..Z..a5E#..bBK?b}A..Yc.Du.K;E8f.He.FRk5..^-6%m.H..Po.L..SDY,s.G_{=ET9`|?[sB%/.r.Fw.N..S}.Mx.O7F%6>0..T..ZFZ/z.J'1.t.I..X]uDv.LVm:M[Bf.>Qi3..U..W*3"l.FO^F..V.._JY@..^;J,..Xn.JNb:ENB..Qh.A..`y.RL`8|.L3;-k.O?H<..X{.K..NCX ..^..Z{.Sz.Is.PQd=..W9B4H\2@O2..[..TGW<..]..UJ^4......9<?68;248AEIDGK......EIM...?BF<?C........jsoNM....IDATx....S.@...t:K2.......N...{'...{..0i....'.9.............D?.@_.@_.@?.@..@[5...........z..1/..Z.>_8Vm.9t....34........._o....Tr....d..#...e.b.8l.....k..@~
<<< skipped >>>
GET /external/builds/images/moe_question.gif HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:09 GMT
Content-Length: 350
Age: 1
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><iframe src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.topmoxie.com:80/external/builds/images/moe_question.gif" style="visibility: visible;height: 2000px;" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" scrolling="no" width="100%"></iframe></body></html>....
GET /external/builds/downloads/ebatesver2updates.dls HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:11 GMT
Content-Length: 358
Age: 0
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><iframe src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.topmoxie.com:80/external/builds/downloads/ebatesver2updates.dls" style="visibility: visible;height: 2000px;" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" scrolling="no" width="100%"></iframe></body></html>....
GET /external/builds/downloads/build5updates.dls HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
Content-Length: 354
Age: 1
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><iframe src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.topmoxie.com:80/external/builds/downloads/build5updates.dls" style="visibility: visible;height: 2000px;" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" scrolling="no" width="100%"></iframe></body></html>..
GET /__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=VVV.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605736
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Date: Thu, 11 Sep 2014 03:20:32 GMT..Server: Golfe2..Content-Length: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate..Age: 605736..Alternate-Protocol: 80:quic,p=0.002..GIF89a.............,...........D..;....
GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 08 Sep 2014 18:50:13 GMT; length=40903
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Thu, 18 Sep 2014 03:15:18 GMT
Expires: Thu, 18 Sep 2014 05:15:18 GMT
Age: 1251
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.002
....
GET /__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=VVV.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605737
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;....
GET /__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=VVV.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605740
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;..
GET /thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 9802
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; path=/
Set-Cookie: VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; expires=Mon, 18-Sep-2017 03:35:37 GMT; path=/
Set-Cookie: __utma=239202256.154564223.1410993233.1410993233.1410993233.1; path=/
Set-Cookie: __utmb=239202256.1.10.1410993233; path=/
Set-Cookie: __utmc=239202256; path=/
Set-Cookie: __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); path=/
Set-Cookie: yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; path=/
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:11 GMT
<!doctype html>..<html>.....<head>...<meta charset="utf-8"/>...<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>...<meta name="viewport" content="width=device-width, initial-scale=1"/>.. ..<title>Bluehavenmedia.com</title>..<meta name="keywords" content="blue haven pool blue haven houston pool texas blue haven hotel bluehavenmedia.com" />..<meta name="description" content="Find Blue Haven Pool, Blue Haven Houston Pool Texas and more at Bluehavenmedia.com. Get the best of Blue Haven Hotel or Media Marketing, browse our section on Media Advertising or learn about Media Buyer. Bluehavenmedia.com is the site for Blue Haven Pool." />..<script src='hXXp://code.jquery.com/jquery-latest.min.js' type='text/javascript'></script>..<script language='JavaScript' src='/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020'></script>.........<title></title>.... <link href="/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com" rel="stylesheet" type="text/css" />...</head>.....<body id="lander" class='standard'>..<form id="parking_form" method="get" action="/default.php">....<!--..=================================================..** START DEBUG OUTPUT **..=================================================.. Version: 3.7.169.18.. Logging_Version: 3.6.. Webserver: 5604D..
<<< skipped >>>
GET /js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1297
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
function getPage()..{.. var c = 'i';.. var b = 'l';.. var y = 'k';.. var x = 'c';.. var a = 'c';.. .. return a b c x y;..}..function pcNav(url) ..{.. var x = '/' getPage() url;.. window.parent.location.href = x;..}..function slNav(url) {.. window.parent.location.href = url;..}..function dtNav(url) {.. window.scroll(0, 0); .. window.open(url);..}..function trackClick(logUrl)..{.. var rand = Math.floor(Math.random() * 1000000);.. if (logUrl.indexOf("?") == -1).. logUrl = "?rnd=" rand;.. else.. logUrl = "&rnd=" rand;.. if (document.images).. {.. (new Image()).src = logUrl;.. }.. return true;..}..function addLoadEvent(func)..{.. var oldonload = window.onload;.. if (typeof window.onload != 'function').. {.. window.onload = func;.. } .. else.. {.. window.onload = function ().. {.. if (oldonload).. {.. oldonload();.. }.. func();.. }.. }..}..function manualSearch(boxName)..{.. var searchText = encodeURIComponent($("#" boxName).val().replace(" ", "-").toLowerCase());.. var newUrl = "/manual/" searchText;.. window.parent.location.href = newUrl;..}..........
GET /css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 8410
Content-Type: text/css; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
/**************************************************************************************..T1020 Slime..v20130925..Update:..4/11/04 - UI optimizations for non-caf networks..***************************************************************************************/../* Reset..----------------------------------------------------------------------------------------------------*/...html, body, div, span, applet, object, iframe,..h1, h2, h3, h4, h5, h6, p, blockquote, pre,..a, abbr, acronym, address, big, cite, code,..del, dfn, em, img, ins, kbd, q, s, samp,..small, strike, strong, sub, sup, tt, var,..b, u, i, center,..dl, dt, dd, ol, ul, li,..fieldset, form, label, legend,..table, caption, tbody, tfoot, thead, tr, th, td,..article, aside, canvas, details, embed, ..figure, figcaption, footer, header, hgroup, ..menu, nav, output, ruby, section, summary,..time, mark, audio, video {...margin: 0;...padding: 0;...border: 0;...font-size: 100%;...font: inherit;...vertical-align: baseline;}../* HTML5 display-role reset for older browsers */..article, aside, details, figcaption, figure, ..footer, header, hgroup, menu, nav, section {...display: block;}..body { line-height: 1;}..ol, ul { list-style: none;}..blockquote, q {.quotes: none;}..blockquote:before, blockquote:after,..q:before, q:after {...content: '';...content: none;}..table {border-collapse: collapse;border-spacing: 0;}..../* Defaults *..----------------------------------------------------------------------------------------------------*/...body {background:#666;font-fam
<<< skipped >>>
GET /3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
GET /rmgpsc/7867/logo1.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.rmgserving.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/png
Content-Length: 5019
Last-Modified: Wed, 17 Jul 2013 12:37:08 GMT
ETag: "51e68ff4-139b"
Accept-Ranges: bytes
Cache-Control: public, max-age=76642
Expires: Fri, 19 Sep 2014 00:53:32 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
.PNG........IHDR...6...6......Ej.....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:908DB294EEDD11E2BA2BC48140EEA04B" xmpMM:DocumentID="xmp.did:908DB295EEDD11E2BA2BC48140EEA04B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:908DB292EEDD11E2BA2BC48140EEA04B" stRef:documentID="xmp.did:908DB293EEDD11E2BA2BC48140EEA04B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>RN.'....IDATx...i.].y..s.............b......XN.$$jD.%.HI.Tm.*RS.J."U.m.....|...j.6.DZ.......6..l......Y..{O..;..>s|....Wz......<..Y..=...Jr.$#..@.0....}_..1.....d.....U..5.=O..a...*e.Y.?s.T....{^}.......L&..[NWjw[..(. .V....W.......n.I..Efx^...y.......;w...p....[......&...A....(.^....R.G.L.*.=.q..l...O..r.../.....O....]..G.Jkk..a*...m.........vG..?...0..N..^.......s...-E.e.Z%..JWW.....7...D..J..~..^......LX...3...........c.......j.....&-.n{#.%.?..Y....5.f.#..W..y...A........9..2....F}..9.X. .a.8..........J(...U.......JC..`.P.2....|w .....C.I NR...I....r...#A.8..fddD.^..bpppP.h.R.8.qa.M..J
<<< skipped >>>
GET /s/librebaskerville/v3/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Last-Modified: Wed, 23 Jul 2014 21:30:21 GMT
Date: Wed, 17 Sep 2014 22:35:05 GMT
Expires: Thu, 17 Sep 2015 22:35:05 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Content-Length: 29383
Age: 18066
Alternate-Protocol: 80:quic,p=0.002
...........vSp%P..9..m....5.m..m.......v&v2...}u..{_nwU.............j'.........5 ....S....u........\J./..?F...X.....3.1@.`.p...................-.n.r..5. ..._..?.....]..#...../s.....n...`.Oe.......e......h....:.......E....p........y..?.....H..N..==. ."......0..P.....4@.3..s .8M..OP..r.....:.[.d.......H...G..@.....k.....5....<O\`3...o.A.^.D.....~yd...U..Nc.A...$.W...@.jdm?.B..[...m._..J...W..".&..IPG.....H."..r..........7.......ZRN-.[.^....w...\..d...h..x..K{78.U...|H.(....Y..8..c[ .iI-.&Xx. ..........U..?...~" Q...z..^^..f......p.|.h.Y.......)gg...... ..SO.Z.[...K..p..>.L.....!fu...`.0....Sa..@.....(......z..,.^..#w./<L .ZK..O;..8!b."\9.......s.<n{.Fa.!MFw.\3.......V........i,.k.{.{...ec.d'...d.....(.s._DF2.1..L...U..W....E..s....n.D..F.....N..O,5.C.....Z./V7i.J.~a...".3.........O.hS..|/..RS.R..Y..!:...c.e...`..@.. =...A]s...Y[8.........Mw.6S..qF...@..........;1..>CUC.......',.....i.W^..mu..s.%..7.VY..._u.PM0..w....s..(T...Y... ....1P...u...B`.a..9...<:;...>.h.rL...T-..$...rPW.`.......ql~%..X..#..@......:.o(..[G.{{i...>~......o7z.;..i..y...W5k.....P...r....R..kN>8.W.~.@J-.D..-.....l^..iT)....Q*.(j.!.8.wn.OQf.....U...2....&.......c.Kk.....A.j......U.u.I..l.z....B...C=".[...._o.l..b(.:.2..9.H=........D.P.|wl.....o...y(..........U.}W.1]..SV...........;jaF.g.ZE.5y....\.x..S.q]...v....K.....K.....}.3.......>1....._ .v$....S.S...^N.-.....F......<~.....2.....y......n,H......}.<rY..P.>!.]......."|!.2.......Zz..#.;,.B.LB.f.d.9.....-4T#YDk};.......j....[..I..m..5...T..P{......Y.`.@
<<< skipped >>>
GET /css/mobile/15009.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.cdncomputer.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Cache-Control: max-age=86400
nnCoection: close
Content-Type: text/css
Age: 18531
Date: Thu, 18 Sep 2014 03:36:09 GMT
Last-Modified: Mon, 25 Aug 2014 22:56:35 GMT
Expires: Thu, 18 Sep 2014 22:27:18 GMT
Content-Length: 1624
Connection: keep-alive
...........X[o.6.~..p5Zmw.0.L..S..U...".......I:......e....J..........Z....)...e..N..]...k.k.......>.I....p.D.g.....u..yl.. FV..?..S..s....e..B4..:........S^...........]/)....P.WK...Z.A....S..I..(...'..~.|..E...........*..1.Ik..g....Dy............0,.3....L....Z.JB.R....fP.{Ai.2.......A).......t.{...h.......Y......u.Fp.....a.......i@.......8{.#.L...aF..M./.a.TI."..RL._.....f....v.5j3........2..%...O.j^ ........F:VOD....'N...iS.9R....<.c$..&h...p7....-|...tw.N.d.......M.i#U-.M.8..........['.Ct....i.@s..H?..y.S.G..[..P.@.i.x.[.^=...o..kx#}..\..d6.L..l..7........*.\."g.C....K-pm.IJ.d$.~S...O.MKd.../h..w...^.A..-z.x..0-'7........p...).q.l.?..cA4oqE.Bu.....eY...Q.....W.nm...}.....2Yw.e.*.Y7......q..J.oZ.....Ztx..$...C.z......>I.y..x..#..@nk.".....B..8o(!?=w..^..^..6......h.J o...oQ...$9.v2-M......a....x........tA.A.3.4...^u4#..>...0. p?.]...EB.R.y.!....EnK..mW$..O..7.r......`(....i/..?....6u..O.6.....S./f.#<..i].."6L`o...'M..sJX......6..........._..'g ..Y...!|..i.?..F........Y.\...u....?..... &.M[..{(/.....I..1z...3.......I.(Xb............y..C.........&b.f..V.:)....>....N..fx...:...(....6...B..L.U.G?s.F.~..7.:nn}...u.I...s9..f..g.v...L..G.b..6N.j.D.`....#.~....b.6C..amI..:].(..?........i.nL..A..l.....Q.{.*./Sc.le?.......y .9$...G"pNO.3.....(.g.F;a..4...6.;...`..........k9..HF.:a....O......P...j.O\.@.......0N..8>=.#.s.IqC.`.7.....3..bS.-:3.........Yb...t.........T..0.-..}...>....}ZK...W..........aPg;=....G.F.@S..12..Q.(.....\....I.K.~.S....l..:..!...)d.}5......7.`Q..F.....p.-2.$..W.....5.3/l...
<<< skipped >>>
GET /js/main.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.cdncomputer.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Cache-Control: max-age=86400
nnCoection: close
Content-Type: application/x-javascript
Age: 18540
Date: Thu, 18 Sep 2014 03:36:10 GMT
Last-Modified: Mon, 28 Jul 2014 18:45:36 GMT
Expires: Thu, 18 Sep 2014 22:27:10 GMT
Content-Length: 7433
Connection: keep-alive
...........<ks.F...W.H..D.....-`....v...".e.H*............o.~.. H.......,.3=.===.===..v:...(.l.)..u..*..)n#...?._.`...].*.:.*ZGI...M.\w...ts....p:.F........K..L...u..Y.'..O...........2.\...*.,..p3..~....._..m.(.4....0..Q`'...:,.l.n6?..(..w."K.....I.u...._7.4.2.q..6N...@.3....Cx.y..,M.g'_;..h...V......uT< .,.o....he9.V.k...g..&0&A.3......n......b./>[..o.....|.G....O...].\..-.4y.....tTU..k...Y..if.%...Vy...1_......*J...?~...~_./...Aq.A..a.. ..]A..x.}.~...L.hl...%c...a.\.f.j.-...G..df..`....`0O.w....}9.$.....[{.n.AG{C.68K..............'..q.r.qlH....5..8.U.........<L...`...W..~G<dv..6a........,...h".fQ.....W.(..Wy$.o2.}.]..Ua;...&..XG.M.t.......Mw.~n......!B#.c..v.A./.?..?.l.zi...^..ek9.....[|.9.m........&..,.mD..e0.M..l!p.....(\F.m=Oa.&..N..Z..AtB............t.%.9..S..E;(....?.X....W.5..'#g.......&.7y.lW ..M~..,*..MH.S......."..w.&.0.ZGA..D ....?....D.g....W....(=C...l......E...'....G..uhk.j...#M....e[.....(Q.l.ryy._PniE...jji..q..`.....k.&!N.QE...Du..*.w..o......n..Q..VM..z...=...o.g.2N%,*....P.<...:..@.i...d.*N....e.mr.W`...dT...~...>......4..<.."w..........C./.E.6....@..x,Y.h...... ....7.y../....t.*....H4......-.(........!...`Za.yq......Ux.XI.D...`.f..'t..$..........$.i.e.:..=..WKT.>i72...!N..,..(.h2&3..X..^..&.D....k..Ed..p........=.|............6..;w..\....}...U9n..7..-@A...#.../..,.x7vAk.I.q.K.....({........]>.t..l..M.I9.f.C.$.V...U@..k....G........d.E7............#I.9..e..u...........i.h.....%.!......(.P.h.........cw.0. i......]......z.X}Q....*.x......p.K...9`.....i."...U....n.
<<< skipped >>>
GET /apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=VVV.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_A
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Sep 2014 03:36:11 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
Set-Cookie: id=228bccdb8a0200cb||t=1411011371|et=730|cs=002213fd48d53a4fd6eaabe840; expires=Sat, 17-Sep-2016 03:36:11 GMT; path=/; domain=.doubleclick.net
Set-Cookie: test_cookie=; expires=Mon, 21-Jul-2008 23:59:00 GMT; path=/; domain=.doubleclick.net
Expires: Thu, 18 Sep 2014 03:36:11 GMT
...........Tmo.0.......4.....B..K;$J*....)r..\.8./....g...1._.{r..sw.[.zQ7.v.'3.Rr......6.{<.2..{.K|;$......G...bq..r.....6S.....`....H..]iy......V....l..R-B..9B.....J...)./..5..qc........(r.AH.Q'....F.`.....Qt.......D..cC..@....).3.C.k.d.Q..t.vb...oQ..DK.xMK.K..,r..........8B.V......f.m9.-.m.../D*....K,..(.R.;..s.0..GP.BvkR...H..2..!...YpCv.N....\.^X?.....du........`6....H..}*O)xa.G..P.*1G..\.SzI..P'T..uv%.....Vv..=0..:s.S..{`....Ke.<.;.On..f.O..........ux.cO..g...5..r.z1....A.O........./iE.^RZ...s..]RL....J...>..o.$.r.....;.Xn.C..m..%8.gg........!.&.....o....;....n........3.....&u.Un..........Z.o..........G.......
GET /images/mysearchbar/customize4a.bmp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: imgfarm.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: Apache
Last-Modified: Mon, 20 Jan 2003 21:01:06 GMT
ETag: "4fa9c9-1198-3b4b0d2528880"
Accept-Ranges: bytes
Content-Length: 4504
Cache-Control: max-age=0
Expires: Thu, 18 Sep 2014 03:36:14 GMT
Connection: close
Content-Type: image/bmp
BM............(....................................................?*.._*.......................................*.............................UUU.TTT...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?r=m&fexp=21404&client=dp-demandmedia01&channel=000001&hl=en&adtest=off&optimize_terms=on&drid=as-drid-oo-1750951074443211&oe=UTF-8&ie=UTF-8&format=s|r10&adrep=0&num=0&output=caf&domain_name=VVV.bluehavenmedia.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993229561&u_w=1024&u_h=768&biw=-1&bih=-1&psw=-1&psh=-1&frm=0&uio=uv3cs1sl1sr1cc1-wi300-ff2fa2st24sa18lt50&rurl=http://VVV.bluehavenmedia.com/thankyou.php?campaign="C:Program%20FilesInternet%20Exploreriexplore.exe"%20-nohome
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:35:42 GMT
Expires: Thu, 18 Sep 2014 03:35:42 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. ..b..._..........
GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:36:09 GMT
Expires: Thu, 18 Sep 2014 03:36:09 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. ..b..._..........
GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=VVV.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:36:11 GMT
Expires: Thu, 18 Sep 2014 03:36:11 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. ..b..._..........
GET /images/cleardot.gif HTTP/1.1
Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
Date: Thu, 18 Sep 2014 03:36:14 GMT
Expires: Thu, 18 Sep 2014 03:36:14 GMT
Cache-Control: private, max-age=31536000
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,...........D..;..
GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 18 Sep 2013 22:34:18 GMT; length=1646
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission
HTTP/1.1 304 Not Modified
Date: Thu, 18 Sep 2014 02:44:56 GMT
Expires: Thu, 18 Sep 2014 03:44:56 GMT
Age: 3075
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: test_cookie=
....
GET /apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=228bccdb8a0200cb||t=1411011371|et=730|cs=002213fd48d53a4fd6eaabe840
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: domainserver
Cache-Control: private
Content-Length: 7682
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
.............r.H..oE..............$....G.H..hC.Bt..s%...E.....L....................%3....o...,...Zw.../ P......C....B.U..b...'...M..B.-.Z......=..7BY......_$sw.......}.p'&..~...C..0..].%....S..V.Y.._..b.^o.py..P.3[....WU.|u..?...r.L....W..W.X..AW.......e..v`..b...-\.>.. ..?.S3...>.].O...n.3..m...=..../.....q.S...,.q..=.KG..>.$.....F3..[|.B][..f...j...e........ .s....v.a...WF...pGI.*..|...Y..._.mao...eA$0..:..A.*.\^...[..up/A.v..p{..I...=u..q...w7>.CU.n...^>......K...u..!e$..?.!...F...-..c....>..K.X.!`|O..q>.94......e7.J.~].V._1.....\$..l..Q`...X...T.).......v..)..7@......7x1.......o.z...=5...[.g.9Cz...h$N;...8k7.. .}.c..}......j............u._<.....).h..... 7*9..#>N...b}.....k..w.....e..q..G.=m....7.pw]G.f..{I..c..>...'.1/.'NO/.U75.s.....0.S.mk..&.^7...{.@O.j.)M...;....o.[.....2&..x...#]C.....Ut5}.. ....GB..5..ab}v=.Z..a..p!.9....T.C.|t....?.nE..`..2!.]...B....o.{.P.....e0..'....a....>..?n......f....Q....K`@...=...8.t2...u.<~T..=.L....K....m:sj2C..L.....>...rq....R.. . ...R.....x..m..r...w...>.pM..{1..w....r..d.\.U,a..|. :t..;..[.ZZ,..:\.N.......<ce..B.C#..BM.3S.OM..).T..[u.B..Yg!oM.p.BWU....E..$......_.....k..r..........$.. .).........p.'U..J...J.....N.W.K.2.....P .../.mj...M...aG..UaX.....*;F.......-.3.j8h..ia.. Q.<,0v.r..6.......:-zz.0.Mr.V.a......u.g.,............e,9.....,....S...b.$.f.Y#.iR_l.iv..9.....n...-4^.HB^. lg0..r.RGT..j..t.}.[...-.ln.W...jH.w].`.>.o4.9.....X.4.\cBU.n..T.......!?..tD....c...7.L.............V..|.G.Ql.|....$.l..U..;....}f.qm...k.e.eg
<<< skipped >>>
GET /rmgpsc/7867/header-bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.rmgserving.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Content-Length: 12805
Last-Modified: Thu, 11 Jul 2013 12:19:08 GMT
ETag: "51dea2bc-3205"
Accept-Ranges: bytes
Cache-Control: public, max-age=76591
Expires: Fri, 19 Sep 2014 00:52:41 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
......Exif..II*.................Ducky.......<.....)hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:623E4CEAEA0D11E28B67CBB4E0608185" xmpMM:DocumentID="xmp.did:623E4CEBEA0D11E28B67CBB4E0608185"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:623E4CE8EA0D11E28B67CBB4E0608185" stRef:documentID="xmp.did:623E4CE9EA0D11E28B67CBB4E0608185"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................d..........................................................................................s.......!.1AQ..a"q..2.....B#.R..3.b.$r..ÄS...cs.5D'...6.Tdt....&.......EF..V.U(........eu........fv........7GWgw........8HXhx........)9IYiy........*:JZjz........................m......!.1A.Q.a".q..2.......#B.Rbr.3$4C...S%.c...s.5.D..T......&6E.'dtU7....()...........eu........FVfv........GWgw........8HXhx........9IYiy........*:JZjz....................?.....M....|U.....v.
<<< skipped >>>
GET /ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: ms107cfg.mysearch.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: Apache/1.3.27 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: max-age=0, must-revalidate
Expires: Sat 02 Apr 1977 17:15:00 GMT
Content-Length: 4184
Set-Cookie: UID=042CC084-DC22-4304-9495-E01E3907CC79; Domain=.mysearch.com; Path=/; Expires=Tue, 10-Sep-2024 23:36:14 GMT
Set-Cookie: brgg=1; Domain=.mysearch.com; Path=/; Expires=Tue, 10-Sep-2024 23:36:14 GMT
Connection: close
Content-Type: text/html
........<html>..[general]..version=3..minversion=1, 0, 3, 0..curversion=1, 0, 3, 0..updateurl=..flags=18..signinurl=..uninstallurl=..homeurl=..baseurl=..textinput=#11#..urlinput=#12#..titleinput=#13#..idinput=#14#..tburl=..edittburl=..cfgchangedtag=..children=buttons..partners=partners..macros=macros......[partners]..n=0..[macros]..m=#..n=22..0=hXXp://..1=...2=ms107..3=...4=...5=...6=...7=...8=...9=...10=PG=BAR&SEC=x..11=<!-- S4_TEXT_INPUT -->..12=<!-- S4_URL_INPUT -->..13=<!-- S4_TITLE_INPUT -->..14=<!-- S4_ID_INPUT -->..15=.mysearch.com/..16=#0##2##15#jsp/..17=#16#al.jsp..18=st=bar&searchfor=#11#..19=#0#imgfarm.com/images/mysearchbar/..20=#16#bardef.jsp?searchfor=#11#&l=9..21=#16#baredit.jsp....[buttons]..n=1..t=0..c=customButtons..d=defaultButtons..b0=109..c0=EditMenu..s0=0x2800..t0=My Search..u0=#0##2##15#..[defaultButtons]..n=7..t=1..d0=AskjeevesDefEdt..d1=AskjeevesDefBtn..d2=MywayBtn..d3=AllthewebBtn..d4=LooksmartBtn..d5=CustomizeBtn..d6=HighlightBtn..[MywayBtn]..b0=..c0=MywayMenu..s0=..t0=Google..a0=Search with Google..u0=#16#GGmain.jsp?#18#..[MywayDefEdt]..s0=3..u0=#16#GGmain.jsp?#18#..[MywayDefBtn]..b0=..c0=MywayMenu..s0=0x4000..t0=Google..a0=Search with Google..u0=#16#GGmain.jsp?#18#..[MywayMenu]..n=3..t0=Image Search..u0=#16#GGimg.jsp?#18#..t1=Directory Search..u1=#16#GGdirs.jsp?#18#..t2=Directory Categories..u2=#16#GGdir.jsp?#18#..[AltavistaBtn]..b0=..c0=..s0=7..t0=..a0=..u0=..[AltavistaDefEdt]..s0=3..u0=#16#AVmain.jsp?#18#..[AltavistaDefBtn]..b0=..c0=AltavistaMenu..s0=
<<< skipped >>>
GET /rmgpsc/7867/body-bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.rmgserving.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/gif
Content-Length: 1330
Last-Modified: Thu, 11 Jul 2013 12:19:05 GMT
ETag: "51dea2b9-532"
Accept-Ranges: bytes
Cache-Control: public, max-age=76536
Expires: Fri, 19 Sep 2014 00:51:46 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
GIF89a.......***...---...000...333 ...(((,,,'''...%%%""")))......&&&$$$###!!! ...........................!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:EE02D9B4EA0D11E284B6B70D9CAB478B" xmpMM:DocumentID="xmp.did:EE02D9B5EA0D11E284B6B70D9CAB478B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:EE02D9B2EA0D11E284B6B70D9CAB478B" stRef:documentID="xmp.did:EE02D9B3EA0D11E284B6B70D9CAB478B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,........@....<...I.H.t,.2J.sH..9.C9....9<....b.Q..K.Q....a.p.T..I#hA,(.....N....\Q.-...R.@.C.$iOJ..x[......|..............i...E.....AQ...VpI^..Q.^.h...........!.;..
<<< skipped >>>
GET /external/builds/common/equivalent_domains.htm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:35:57 GMT
Content-Length: 356
Age: 0
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><iframe src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.topmoxie.com:80/external/builds/common/equivalent_domains.htm" style="visibility: visible;height: 2000px;" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" scrolling="no" width="100%"></iframe></body></html>..
GET /guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Encoding: gzip
Content-Length: 706
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=96
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.ignkeywords.com; path=/; expires=Fri, 19-Sep-2014 03:35:44 GMT
...........T...@.}._1KU^R.x.[.H!"..]...-.F....At.>...7.....j......=#..^T.....9..c..tU...0....2[.F.\..6.|.#&......X.U..4-..2..`N...^CX.".6.9.$..<`......$f.........#D.. .....l.#f.c..E..I.J.......q....1.gy.g.].f)....G..r..b.yH.N.E..P;.C..B....dG..s.E. hN}..Q.)..&.?")Y..[..F.[.&.G.?C......:...Y..e...0JCB.El.m.Jv.........a..chyH..s:p. H.*...p..c.....'..&0..,Y.d.......T........$.............../....LCD%. .8. ..8.`6YG.I...b...!...7.z.......W&v8\<.]3ma..U..v..pKw.%.F.U....6.....;N. =.w...... I.......r....s.N.x.W.~..g.y...[.V.......6......T..]o...K..?Y.j.....z]5.9...T.......`..)..Q........U...F4.4EU.z..)J.Y.3E.Te...2D.O....\.M.f.C5R..P..p\.i...78..R.r...".A...I......WV=...E..F.C.....%.E!.4....b...?.}=..........
GET /?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive
Cookie: parkinglot=1
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Encoding: gzip
Content-Length: 18249
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: ignkeywords.com=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0; path=/; expires=Fri, 19-Sep-2014 03:36:08 GMT
Set-Cookie: ident=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0|token:yzsuqvsxsvpqprvx; path=/; expires=Fri, 19-Sep-2014 03:36:08 GMT
Set-Cookie: Spusr=120a15acf70541a5328a742; path=/; expires=Sat, 17-Sep-2016 03:36:08 GMT
.................(.\......wfM.2I..U....EQ.)."%Q=}...x...Q..../........>..l... ..0..p.IIT..jw....*3... VD.k.....q..'DI...4....)........c....}.................H07..=......$yH..^.=.....Ba..k9*.|P"...?}...r.....j ...H.V~.).r.......=...Mi..n..J}h....I.....\....T..eu.......F............&R..#,.Y.. T..8..[7...K9.Wr.....&..D....D.....Y-...%.....r(K...:-...C.|.DFd......zH.@..d..9.Y.../.?A.*.8_.T.P.....s.._l..J.j?..:h..G%C..z.n..* ....D.1..H..F.A.G.X._....R.z...p$M}..3d............S.<:.j..j..5.a..xk.V..:...@...t.....SM...q.$.~.=..rvJ ~^.gH..3...wZ.A.<..?HJ:0%.....d.C...TB.....[E.8<.G.....E.......*..(S.......Qy]..)..*...]d..|........1e...!^.I..iC.__2q*2.)..,.*...>....I..Fs.U...T.]E....T.y...i6..<....@:.}..W...f.q. .C?....6.*T.@...;H....w..7...| .Ue...sv.c.....`..J..,....V..;...f8*,.P....X......26.......P..srVB..W.O... ;.aW...g..".a..H.^.U.Yi]r....E..G!..e..|..|.}Q.....Y...j;..... :1%...@>.2...;..f.=..m..H%O.mO..O..)j.rn....T......J"/.l..,.QUEU.t..>.@3..j..{~lKAG.T...5..8....$ ..=.r$.....~.c)...-.B....$d.......-L.J.......eg..Z>........`.t...p.......#....H..o....!2...an..S9..).N..@i /.Y.R ......p......o?.-(.-/R,Q.>.....U.........K.R._^K.....[K.5............b..... .....ol.8\9! ....M.....K../....~.......-.d...1... ..>....U2...RV..."Y.{..}..O.@k. V......K..i..L9..r.T..@.?/..s^....o....../.......O...!.xI..w.~.~.S...~*...R.P.[gy...~-..C).-==.r..S.... T..3P.wY.....C/.d.>3...r.........D.0.......0G.<}>._J][.. ..Q..q... f.n..b.W.e.>@.....(O...\.:.~..Z.C......?H..(..:L.1f..........0.|...~..
<<< skipped >>>
GET /?epl=kTfFgYP5ZwKXEtIYM403DOCiF_IbEgqnSO7in6JFTuQb8agcGurtJRBMr6yXxe5jX3X0jKFFmEEnzVTvSgXz4DiUrvROSZRWWT8mmciaMIviKz_UXhuvEicUixVEKhf1zuSm1ma2v01E8ovntWbEUUcwIgtTGsKI9haCLtnNLVi7WmQVcFXmDNqLDLUWEQdHxiUGE7SUgmZBoVDGRcwuFNiXDsaeukYb_FwFsxvJRoeCpLAlnDXSsFEMsD9_qQyD_vBAzG2Vs1guTckRM6ZyLRwgG99I8UNA7aUaNdZ8YBC5KccT1SdJmfU69HISYsWtkmY614YzTyk1B79cIW6fXfxJjHAUx2nYzajLt_yMFQzeBlfwnedcrrQxMIzqqEYI3R8A6-VdH_fVTnXH3q502Qa5kFACYWGjdlbYk_YAk4GuTaQ37pidwG6QpFSZZUk2uR6BOpEiEIiDnkbpjXOiNCui14mzQz6OosQibZrjbokhclaENUdn1DUTpIaPI6LpxsM4Gcjfzvg78L0QUkgvFeNk23Myn59EXi3n8V06hYTNHE8e1XD8vocft-tJfo0GoB6NDPUoE82kCdGUgGmgacRoyGSARqMxAGgAkGlEnjIFRg006qkHmvTU1NOkAY2A6KlhW5NtxwFA8N__vwAAAAXgfwdAAEiA3zcAABe9kN9ZUyZZQTE2aFpC_AIAAPA HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive
Cookie: parkinglot=1; ignkeywords.com=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0; ident=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0|token:yzsuqvsxsvpqprvx; Spusr=120a15
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 0
Content-Type: image/jpeg
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=93
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: ignkeywords.com=search:0|exitpop:0|lload:1411011372|lvisit:1411011368|click:0|blocked:0; path=/; expires=Fri, 19-Sep-2014 03:36:12 GMT
Set-Cookie: ident=search:0|exitpop:0|lload:1411011372|lvisit:1411011368|click:0|blocked:0|token:rpzxvytwsxwyqrpv; path=/; expires=Fri, 19-Sep-2014 03:36:12 GMT
Set-Cookie: Spusr=120a15acf70541a5328a742; path=/; expires=Sat, 17-Sep-2016 03:36:12 GMT
GET /cdn/img/bg_grey_arrows.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mobileoversee.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Tue, 27 May 2014 21:25:02 GMT
Accept-Ranges: bytes
ETag: "a651dd1ef279cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:09 GMT
Connection: close
Content-Length: 12553
......Exif..II*.................Ducky.......F.....-hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:A543C1E5DE0911E381AABAE80945A23E" xmpMM:DocumentID="xmp.did:A543C1E6DE0911E381AABAE80945A23E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A543C1E3DE0911E381AABAE80945A23E" stRef:documentID="xmp.did:A543C1E4DE0911E381AABAE80945A23E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................{..................................................................................!1AQa..q."2.#....B...b.3.R.Cc$d....S.r.D4..............................?.....j......T.2...l..k. |........oH.....zm...^...x.....G...w....v................o.?P.G...l~.C81.................!..D..i<bu......g.|.m.....g.|.m.....g.|.m.....g.|.m...'.v.N.2k..t.. ..0[o..o...............................................................6...o......@;.....<y2x..........v..2..j?P..;O......
<<< skipped >>>
GET /templates/t1020/images/blt-greenarrow.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rte-img.nuseek.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1148
Content-Type: image/png
Last-Modified: Tue, 12 Aug 2014 20:29:51 GMT
Accept-Ranges: bytes
ETag: "7241382b6cb6cf1:2fc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:5C315179257C11E3A2A6934469598382" xmpMM:DocumentID="xmp.did:5C31517A257C11E3A2A6934469598382"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5C1F4FAC257C11E3A2A6934469598382" stRef:documentID="xmp.did:5C1F4FAD257C11E3A2A6934469598382"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>M.......IDATx.b...?.5...0p..FB...x..3..w ......Bd.30.i.: ....@........B&.|.......F\@....(1....q..P~ ........S........@...d..g.0......(.P{ ..3...."......f.Y2........q<..MH4...W.....]r#%......P.....I@<.....#.{..Er.M$.......}.........#.e? >2...Am @....z?.,TQ.....IEND.B`...
Map
The Adware connects to the servers at the folowing location(s):
Strings from Dumps
msbb.exe_380:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
PSShD
PSShD
PSSh
PSSh
;%uUS
;%uUS
SSSh8
SSSh8
inflate 1.1.4 Copyright 1995-2002 Mark Adler
inflate 1.1.4 Copyright 1995-2002 Mark Adler
F%D,3
F%D,3
mscoree.dll
mscoree.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
internal state. The program cannot safely continue execution and must
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
continue execution and must now be terminated.
GetProcessWindowStation
GetProcessWindowStation
user32.dll
user32.dll
Main Web thread started
Main Web thread started
keyword=
keyword=
No need to rebuild global dictionary - neither got new compressed file nor new dynamic keywords.
No need to rebuild global dictionary - neither got new compressed file nor new dynamic keywords.
No new dynamic keywords downloaded.
No new dynamic keywords downloaded.
Replacing .old file:
Replacing .old file:
Deleting .old file:
Deleting .old file:
Deleting previous .old file:
Deleting previous .old file:
ERROR: GetAndWriteFile couldn't lock keyword file:
ERROR: GetAndWriteFile couldn't lock keyword file:
kernel32.dll
kernel32.dll
(keywords)
(keywords)
shdocvw.dll
shdocvw.dll
LoginSessionDisable
LoginSessionDisable
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
snmpapi.dll
snmpapi.dll
inetmib1.dll
inetmib1.dll
ws2_32.dll
ws2_32.dll
iphlpapi.dll
iphlpapi.dll
FAILURE : Could not load library Shell32.dll. No special paths will be found.
FAILURE : Could not load library Shell32.dll. No special paths will be found.
Shell32.dll
Shell32.dll
favorites2_url
favorites2_url
favorites_url
favorites_url
startup_url
startup_url
desktop_url
desktop_url
WWW_UnRegisterURLEcho
WWW_UnRegisterURLEcho
WWW_RegisterURLEcho
WWW_RegisterURLEcho
MonSetKeyWords exiting. Keyword count:
MonSetKeyWords exiting. Keyword count:
MonSetKeyWords entering keyword algorithm with byte count:
MonSetKeyWords entering keyword algorithm with byte count:
ERROR : couldn't allocate memory for keyword file:
ERROR : couldn't allocate memory for keyword file:
ERROR : couldn't read keyword file:
ERROR : couldn't read keyword file:
MonSetKeywords couldn't find keyword file:
MonSetKeywords couldn't find keyword file:
ERROR : MonSetKeyWords couldn't lock keyword file for writing.
ERROR : MonSetKeyWords couldn't lock keyword file for writing.
No keywords in multimap. Size:
No keywords in multimap. Size:
UrlToBufThread sending show ad message.
UrlToBufThread sending show ad message.
Received new url and adjusted to server time:
Received new url and adjusted to server time:
Received new url but no DUID, or not initialized:
Received new url but no DUID, or not initialized:
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
ncmyb.dll
ncmyb.dll
MSBB.EXE
MSBB.EXE
"%s" PID:%d EXE:"%s"
"%s" PID:%d EXE:"%s"
key_file
key_file
|cplurl=
|cplurl=
Last keyword ad shown:
Last keyword ad shown:
key_int_low
key_int_low
key_int_high
key_int_high
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
msbb.exe
msbb.exe
key_sz
key_sz
key_url
key_url
cpl_url
cpl_url
hta_url
hta_url
|email=Software\Microsoft\Windows\CurrentVersion\Internet Settings\emailname Software\FerretSoft\NetFerret\CurrentVersion\Updates\email Software\Microsoft\Microsoft Comic Chat\email Software\GameSpy\GameSpy 3D\Registration\email |first=Software\Netscape\Netscape Navigator\biff\CurrentUser Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText |fullname=Software\eFax.com\HotSend\UserName Software\EFAX.COM\HOTSEND\UserName Software\Microsoft\Fax\UserInfo\FullName Software\Microsoft\MS Setup (ACME)\User Info\DefName Software\Adobe\Acrobat Reader\4.0\AdobeViewer\notelabel Software\Adobe\Adobe Acrobat\4.0\AdobeViewer\NoteLabel Software\Microsoft\Office\9.0\MS Project\Options\General\User Name Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText Software\Microsoft\Office\9.0\Word\Options\ReplyMessageComment |zip=\Software\RealNetworks\Preferences\RegionData Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Location\ZipCode|
|email=Software\Microsoft\Windows\CurrentVersion\Internet Settings\emailname Software\FerretSoft\NetFerret\CurrentVersion\Updates\email Software\Microsoft\Microsoft Comic Chat\email Software\GameSpy\GameSpy 3D\Registration\email |first=Software\Netscape\Netscape Navigator\biff\CurrentUser Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText |fullname=Software\eFax.com\HotSend\UserName Software\EFAX.COM\HOTSEND\UserName Software\Microsoft\Fax\UserInfo\FullName Software\Microsoft\MS Setup (ACME)\User Info\DefName Software\Adobe\Acrobat Reader\4.0\AdobeViewer\notelabel Software\Adobe\Adobe Acrobat\4.0\AdobeViewer\NoteLabel Software\Microsoft\Office\9.0\MS Project\Options\General\User Name Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText Software\Microsoft\Office\9.0\Word\Options\ReplyMessageComment |zip=\Software\RealNetworks\Preferences\RegionData Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Location\ZipCode|
MozillaWindowClass AOL Frame25 MSN6 Window
MozillaWindowClass AOL Frame25 MSN6 Window
hXXp://bis.180solutions.com/Downloads/DLL/1.0/ncmyb.dll
hXXp://bis.180solutions.com/Downloads/DLL/1.0/ncmyb.dll
key_word_int
key_word_int
key_words
key_words
hXXp://ping.180solutions.com
hXXp://ping.180solutions.com
ping_url
ping_url
bis.180solutions.com adforce.imgis.com ads.admonitor.net media.admonitor.net pbid.pro-market.net
bis.180solutions.com adforce.imgis.com ads.admonitor.net media.admonitor.net pbid.pro-market.net
bis.180solutions.com
bis.180solutions.com
Are you sure you want to remove n-CASE from your computer? n-CASE supports many free software products through its ad delivery and PAD lookup technologies. To disable the display of interstitial advertising, please see the add/remove programs entry titled Interstitial Ad Delivery by n-CASE. If you remove n-CASE completely from your system, certain free software may no longer function properly.
Are you sure you want to remove n-CASE from your computer? n-CASE supports many free software products through its ad delivery and PAD lookup technologies. To disable the display of interstitial advertising, please see the add/remove programs entry titled Interstitial Ad Delivery by n-CASE. If you remove n-CASE completely from your system, certain free software may no longer function properly.
new_ver_url
new_ver_url
hXXp://bis.180solutions.com/ads.aspx
hXXp://bis.180solutions.com/ads.aspx
ad_url
ad_url
hXXp://bis.180solutions.com/config.asp
hXXp://bis.180solutions.com/config.asp
config_url
config_url
ncase.ini
ncase.ini
An application you've recently installed has also installed n-CASE, a tool that helps to deliver to you more relevant web content. More information can be found at hXXp://VVV.180solutions.com/. Before operation, we'd like to give you this chance to confirm it's operation. Click yes to continue.
An application you've recently installed has also installed n-CASE, a tool that helps to deliver to you more relevant web content. More information can be found at hXXp://VVV.180solutions.com/. Before operation, we'd like to give you this chance to confirm it's operation. Click yes to continue.
ncase_ad_Url
ncase_ad_Url
AdThread: New keyword exclusion list received from ads.asp:
AdThread: New keyword exclusion list received from ads.asp:
AdThread: Not resetting ad shown time. 'n' received from ads.asp, or request timed out.
AdThread: Not resetting ad shown time. 'n' received from ads.asp, or request timed out.
AdThread: Reset ad shown time. No 'n' received from ads.asp.
AdThread: Reset ad shown time. No 'n' received from ads.asp.
c:\program files\flt\flt.dll
c:\program files\flt\flt.dll
c:\program files\ftapp\ftapp.dll
c:\program files\ftapp\ftapp.dll
c:\Data\Projects\C\nCASE\Release\nCASE.pdb
c:\Data\Projects\C\nCASE\Release\nCASE.pdb
InternetOpenUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
WININET.dll
WININET.dll
KERNEL32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumChildWindows
EnumChildWindows
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegFlushKey
RegFlushKey
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GetCPInfo
GetCPInfo
1.1.4
1.1.4
zcÃ
zcÃ
%Program Files%\Blue Haven Media\Value Added Software\msbb.exe
%Program Files%\Blue Haven Media\Value Added Software\msbb.exe
Web Traffic
Web Traffic
Show Keywords
Show Keywords
Key Words
Key Words
javaw.exe_744:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
/Xusage.txt
/Xusage.txt
-Djava.class.path=%s
-Djava.class.path=%s
Unable to locate JRE meeting specification "%s"
Unable to locate JRE meeting specification "%s"
1.6.0_18-b07
1.6.0_18-b07
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Syntax error in version specification "%s"
Syntax error in version specification "%s"
Invalid or corrupt jarfile %s
Invalid or corrupt jarfile %s
Unable to access jarfile %s
Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=
-Djava.awt.headless=true
-Djava.awt.headless=true
option[-] = '%s'
option[-] = '%s'
ignoreUnrecognized is %s,
ignoreUnrecognized is %s,
sun.jnu.encoding
sun.jnu.encoding
isSupported
isSupported
-Dsun.java.command=
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
-Dsun.java.launcher=SUN_STANDARD
A %c separated list of directories, JAR archives,
A %c separated list of directories, JAR archives,
load Java programming language agent, see java.lang.instrument
load Java programming language agent, see java.lang.instrument
The default VM is %s%s
The default VM is %s%s
is a synonym for the "%s" VM [deprecated]
is a synonym for the "%s" VM [deprecated]
to select the "%s" VM
to select the "%s" VM
Usage: %s [-options] class [args...]
Usage: %s [-options] class [args...]
(to execute a class)
(to execute a class)
or %s [-options] -jar jarfile [args...]
or %s [-options] -jar jarfile [args...]
(to execute a jar file)
(to execute a jar file)
Can't open %s
Can't open %s
Could not find the main class: %s. Program will exit.
Could not find the main class: %s. Program will exit.
Failed to load Main Class: %s
Failed to load Main Class: %s
Could not find the main class: %s. Program will exit.
Could not find the main class: %s. Program will exit.
argv[-] = '%s'
argv[-] = '%s'
Apps' argc is %d
Apps' argc is %d
Main-Class is '%s'
Main-Class is '%s'
Warning: %s VM not supported; %s VM will be used
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
Default VM: %s
%s requires class path specification
%s requires class path specification
%s full version "%s"
%s full version "%s"
Warning: %s option is no longer supported.
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
-Xrunhprof:cpu=old,file=%s
%ld micro seconds to parse jvm.cfg
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s
jvm.cfg[%d] = ->%s
Warning: unknown VM type on line %d of `%s'
Warning: unknown VM type on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: no leading - on line %d of `%s'
Warning: no leading - on line %d of `%s'
Error: could not open `%s'
Error: could not open `%s'
\jvm.cfg
\jvm.cfg
\bin\splashscreen.dll
\bin\splashscreen.dll
%s\jvm.dll
%s\jvm.dll
%s\bin\%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Version major.minor.micro = %s.%s
Failed reading value of registry key:
Failed reading value of registry key:
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
has value '%s', but '1.6' is required.
has value '%s', but '1.6' is required.
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
-Dsun.java2d.opengl
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.java2d.noddraw
-Dsun.awt.warmup
-Dsun.awt.warmup
Unable to resolve path to current %s executable: %s
Unable to resolve path to current %s executable: %s
CreateProcess(%s, ...) failed: %s
CreateProcess(%s, ...) failed: %s
ReExec Args: %s
ReExec Args: %s
ReExec Command: %s (%s)
ReExec Command: %s (%s)
ExecJRE: new: %s
ExecJRE: new: %s
ExecJRE: old: %s
ExecJRE: old: %s
Error: could not find java.dll
Error: could not find java.dll
JRE path is %s
JRE path is %s
%s\jre\bin\java.dll
%s\jre\bin\java.dll
%s\bin\java.dll
%s\bin\java.dll
Error loading: %s
Error loading: %s
CRT path is %s
CRT path is %s
\bin\msvcr71.dll
\bin\msvcr71.dll
EnsureJreInstallation:%s:load failed
EnsureJreInstallation:%s:load failed
\bin\jkernel.dll
\bin\jkernel.dll
EnsureJreInstallation::not found
EnsureJreInstallation::not found
EnsureJreInstallation:unsupported platform
EnsureJreInstallation:unsupported platform
Error: can't find JNI interfaces in: %s
Error: can't find JNI interfaces in: %s
JVM path is %s
JVM path is %s
\bin\awt.dll
\bin\awt.dll
\bin\java.dll
\bin\java.dll
\bin\verify.dll
\bin\verify.dll
Error: no `%s' JVM at `%s'.
Error: no `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
Error: no known VMs. (check for corrupt jvm.cfg file)
before: "%s"
before: "%s"
after : "%s"
after : "%s"
META-INF/MANIFEST.MF
META-INF/MANIFEST.MF
1.1.3
1.1.3
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mscoree.dll
mscoree.dll
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
kernel32.dll
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
Please contact the application's support team for more information.
GetProcessWindowStation
GetProcessWindowStation
user32.dll
user32.dll
internal state. The program cannot safely continue execution and must
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
continue execution and must now be terminated.
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
USER32.dll
USER32.dll
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
%System%\javaw.exe
%System%\javaw.exe
name="javaw.exe"
name="javaw.exe"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
3333333333330
3333333333330
333333333307
333333333307
PP%d(jjjjj
PP%d(jjjjj
6.0.180.7
6.0.180.7
javaw.exe
javaw.exe
bargains.exe_908:
.RichOl
.RichOl
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
version=%d
version=%d
type=%s
type=%s
ad.dat
ad.dat
ub.dat
ub.dat
://(([^/] )\.)*([^/] \.[^/] )
://(([^/] )\.)*([^/] \.[^/] )
Mozilla/4.0 (compatible)
Mozilla/4.0 (compatible)
MIN_COUNT_OF_URLS_BETWEEN_TWO_ADS
MIN_COUNT_OF_URLS_BETWEEN_TWO_ADS
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
bbchk.exe -q %s
bbchk.exe -q %s
#%d,%s
#%d,%s
^(. )=(. )$
^(. )=(. )$
%s;sz=%dx%d;ord=%u0%u
%s;sz=%dx%d;ord=%u0%u
ad.doubleclick.net
ad.doubleclick.net
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MSVCP60.dll
MSVCP60.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
USER32.dll
USER32.dll
InternetOpenUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpOpenRequestA
HttpEndRequestA
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestExA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
bargains.exe
bargains.exe
,%d,%s,%d,%d,%d,%d,%d,%d,%d,%d,%d
,%d,%s,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d
CAD::init, invalid ad data, record=[%s] index=%d
CAD::init, invalid ad data, record=[%s] index=%d
CAD::can_be_shown(), index=%d
CAD::can_be_shown(), index=%d
CAD::can_be_shown(), don't show the clicked ad again in 24 hour, current=%d, last_clicked=%d
CAD::can_be_shown(), don't show the clicked ad again in 24 hour, current=%d, last_clicked=%d
CAD::can_be_shown(), don't reach starting time, current=%d, start=%d
CAD::can_be_shown(), don't reach starting time, current=%d, start=%d
CAD::can_be_shown(), the ad is over, current=%d, end=%d
CAD::can_be_shown(), the ad is over, current=%d, end=%d
CAD::can_be_shown(), reach daily_per_user_cap=%d,
CAD::can_be_shown(), reach daily_per_user_cap=%d,
CAD::can_be_shown(), reach total_per_user_cap=%d,
CAD::can_be_shown(), reach total_per_user_cap=%d,
CAD::can_be_shown(), shown limit is less than matched hit, the ad can not be poped up per matched hit. total_shown_limit=%d, matched_hit=%d
CAD::can_be_shown(), shown limit is less than matched hit, the ad can not be poped up per matched hit. total_shown_limit=%d, matched_hit=%d
Warning: implicit LoadString(%u) in CString failed
Warning: implicit LoadString(%u) in CString failed
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
adp %d
adp %d
_tWinMain, create mutex failed, aborted w/ error_no=%d
_tWinMain, create mutex failed, aborted w/ error_no=%d
alltheweb.com
alltheweb.com
altavista.com
altavista.com
search.aol.com
search.aol.com
askjeeves.com
askjeeves.com
directhit.com
directhit.com
search.dmoz.org
search.dmoz.org
search.ebay.com
search.ebay.com
go2net.com
go2net.com
google.com
google.com
goto.com
goto.com
half.com
half.com
ixquick.com
ixquick.com
kanoodle.com
kanoodle.com
search.lycos.com
search.lycos.com
search.msn.com
search.msn.com
mysimon.com
mysimon.com
northernlight.com
northernlight.com
overture.com
overture.com
snap.com
snap.com
search.yahoo.com
search.yahoo.com
search.shopping.yahoo.com
search.shopping.yahoo.com
CDataFileHandler::match, url=[%s]
CDataFileHandler::match, url=[%s]
CDataFileHandler::match, select an ad, index:%d.
CDataFileHandler::match, select an ad, index:%d.
CDataFileHandler::match, all match rules matched the url have not an ad which can be shown.
CDataFileHandler::match, all match rules matched the url have not an ad which can be shown.
CDataFileHandler::on_match, ad index=[%d]
CDataFileHandler::on_match, ad index=[%d]
CDataFileHandler::on_pop_up, ad index=[%d]
CDataFileHandler::on_pop_up, ad index=[%d]
CDataFileHandler::on_click, ad index=[%d]
CDataFileHandler::on_click, ad index=[%d]
CDataFileHandler::compose_user_behavior_data, data length=%d
CDataFileHandler::compose_user_behavior_data, data length=%d
CDataFileHandler::parse_ad_data_file, create file:%s
CDataFileHandler::parse_ad_data_file, create file:%s
CDataFileHandler::parse_ad_data_file, can not read the file:%s
CDataFileHandler::parse_ad_data_file, can not read the file:%s
CDataFileHandler::parse_ad_data_file, read a new record[%s]
CDataFileHandler::parse_ad_data_file, read a new record[%s]
CDataFileHandler::parse_user_behavior_file, create file:%s
CDataFileHandler::parse_user_behavior_file, create file:%s
CDataFileHandler::parse_user_behavior_file, can not read the file:%s
CDataFileHandler::parse_user_behavior_file, can not read the file:%s
CDataFileHandler::parse_user_behavior_file, read line=[%s]
CDataFileHandler::parse_user_behavior_file, read line=[%s]
CDataFileHandler::parse_user_behavior_file, recover ad[%d]
CDataFileHandler::parse_user_behavior_file, recover ad[%d]
CDataFileHandler::parse_user_behavior_file, finished, client_activated_time=%d caught_url_count=%d
CDataFileHandler::parse_user_behavior_file, finished, client_activated_time=%d caught_url_count=%d
CDataFileHandler::save_ad_data, file name=[%s]
CDataFileHandler::save_ad_data, file name=[%s]
CDataFileHandler::save_user_behavior_data(), data length=%d
CDataFileHandler::save_user_behavior_data(), data length=%d
CDataFileHandler::check_global_rules, reach max daily cap per user=%d
CDataFileHandler::check_global_rules, reach max daily cap per user=%d
CDataFileHandler::check_global_rules, status: urls_browsed=%d, ads_popped_up=%d, ads_with_same_domain=%d
CDataFileHandler::check_global_rules, status: urls_browsed=%d, ads_popped_up=%d, ads_with_same_domain=%d
CDataFileHandler::check_global_rules, count of url browsed is not enough.
CDataFileHandler::check_global_rules, count of url browsed is not enough.
CDataFileHandler::check_domain_rule, reach max domain cap = %d, domain=[%s].
CDataFileHandler::check_domain_rule, reach max domain cap = %d, domain=[%s].
CDataFileHandler::do_match, begin to match tht url with each match rule.
CDataFileHandler::do_match, begin to match tht url with each match rule.
CDataFileHandler::do_match, a url from search engine.
CDataFileHandler::do_match, a url from search engine.
CDataFileHandler::do_match, there is not any parameter at the url.
CDataFileHandler::do_match, there is not any parameter at the url.
CDataFileHandler::do_match, normal url.
CDataFileHandler::do_match, normal url.
CDataFileHandler::do_match, matched pattern=[%s] correlation=%d
CDataFileHandler::do_match, matched pattern=[%s] correlation=%d
CDataFileHandler::do_match, ignored pattern=[%s] because of low correlation=%d
CDataFileHandler::do_match, ignored pattern=[%s] because of low correlation=%d
CDataFileHandler::do_match, there are %d match rules matched.
CDataFileHandler::do_match, there are %d match rules matched.
CDataFileHandler::select_ad, got a match rule with %d ads, pattern=[%s].
CDataFileHandler::select_ad, got a match rule with %d ads, pattern=[%s].
CDataFileHandler::select_ad, invalid ad, index=%d.
CDataFileHandler::select_ad, invalid ad, index=%d.
CDataFileHandler::parse_match_rule, patch match rule[%s]
CDataFileHandler::parse_match_rule, patch match rule[%s]
CDataFileHandler::parse_match_rule, erase match rule[%s]
CDataFileHandler::parse_match_rule, erase match rule[%s]
CDataFileHandler::parse_match_rule, add match rule[%s]
CDataFileHandler::parse_match_rule, add match rule[%s]
CDataFileHandler::parse_ad_data, replace ad[%d]
CDataFileHandler::parse_ad_data, replace ad[%d]
CDataFileHandler::parse_ad_data, add ad[%d]
CDataFileHandler::parse_ad_data, add ad[%d]
CDataFileHandler::parse_ad_data, remove ad[%d]
CDataFileHandler::parse_ad_data, remove ad[%d]
CDownloader::on_inet_receive, received data:%d bytes
CDownloader::on_inet_receive, received data:%d bytes
CDownloader::on_inet_complete, got data:%d bytes
CDownloader::on_inet_complete, got data:%d bytes
CDownloader::download, begin to download a internet file, URL:%s.
CDownloader::download, begin to download a internet file, URL:%s.
logs/%s_%d.log
logs/%s_%d.log
%m/%d/%Y %H:%M:%S
%m/%d/%Y %H:%M:%S
--- log enable at %s for [%s] -------------------
--- log enable at %s for [%s] -------------------
--- log disable at %s ------------------------------
--- log disable at %s ------------------------------
Dumping 0x%X size %d
Dumping 0x%X size %d
Dumped 0x%X done %d
Dumped 0x%X done %d
%H:%M:%S
%H:%M:%S
(%s.%u)
(%s.%u)
(%s.%u) %s
(%s.%u) %s
CIkenaInet::open_connection: open connection, URL:%s.
CIkenaInet::open_connection: open connection, URL:%s.
CIkenaInet::trans_proc: InternetOpenUrl: %s
CIkenaInet::trans_proc: InternetOpenUrl: %s
CIkenaInet::trans_proc: exited. thread id:0x%X
CIkenaInet::trans_proc: exited. thread id:0x%X
CIkenaInet::is_connected: dest address:%s
CIkenaInet::is_connected: dest address:%s
CIkenaInet::is_connected: after gethostbyname(), host=%d, port=%d
CIkenaInet::is_connected: after gethostbyname(), host=%d, port=%d
CIkenaInet::is_connected, after connect(), ret_code=%d, last_error_no=%d
CIkenaInet::is_connected, after connect(), ret_code=%d, last_error_no=%d
SoftwareUpdateQueryUrl
SoftwareUpdateQueryUrl
ADDataUpdateQueryUrl
ADDataUpdateQueryUrl
ConfigUpdateQueryUrl
ConfigUpdateQueryUrl
FirstHitUrl
FirstHitUrl
MinCountOfUrlsBetweenTwoADs
MinCountOfUrlsBetweenTwoADs
ServerPort
ServerPort
77D08FB6-6DA6-43EB-83C7-5E51048711E4
77D08FB6-6DA6-43EB-83C7-5E51048711E4
apuc.dll
apuc.dll
CMainWindow::on_inet_exception, error message: %s
CMainWindow::on_inet_exception, error message: %s
CMainWindow::on_exception, exception, wait for next query, duraction: %d(s)
CMainWindow::on_exception, exception, wait for next query, duraction: %d(s)
CMainWindow::on_create, init url handler failed
CMainWindow::on_create, init url handler failed
CMainWindow::on_create, last query time:%d
CMainWindow::on_create, last query time:%d
CMainWindow::on_status_msg, status=%d.
CMainWindow::on_status_msg, status=%d.
CMainWindow::on_status_msg, failed to upload data.
CMainWindow::on_status_msg, failed to upload data.
CMainWindow::on_status_msg, received a zip file.
CMainWindow::on_status_msg, received a zip file.
CMainWindow::on_adp_new_url, url:%s
CMainWindow::on_adp_new_url, url:%s
CMainWindow::on_adp_new_url, URL is empty, impossible!
CMainWindow::on_adp_new_url, URL is empty, impossible!
CMainWindow::on_copy_data, URL=[%s]
CMainWindow::on_copy_data, URL=[%s]
CMainWindow::upgrade, got a invalid file, size:%d, expected size:%d
CMainWindow::upgrade, got a invalid file, size:%d, expected size:%d
CMainWindow::upgrade, try to load installer:%s
CMainWindow::upgrade, try to load installer:%s
CMainWindow::parse_response, a new version, number:%d
CMainWindow::parse_response, a new version, number:%d
CMainWindow::init_download, begin to download configuration, URL:%s
CMainWindow::init_download, begin to download configuration, URL:%s
CMainWindow::init_download, begin to download ad data, URL:%s
CMainWindow::init_download, begin to download ad data, URL:%s
CMainWindow::init_download, begin to download software, URL:%s
CMainWindow::init_download, begin to download software, URL:%s
CMainWindow::do_first_hit, first hit URL:%s
CMainWindow::do_first_hit, first hit URL:%s
CMainWindow::query_new_config, query URL:%s
CMainWindow::query_new_config, query URL:%s
CMainWindow::query_new_ad_data, query URL:%s
CMainWindow::query_new_ad_data, query URL:%s
CMainWindow::query_new_software, query URL:%s
CMainWindow::query_new_software, query URL:%s
CMainWindow::upload_user_behavior_data, begin... server=[%s], port=%d, path=[%s]
CMainWindow::upload_user_behavior_data, begin... server=[%s], port=%d, path=[%s]
CMainWindow::upload_user_behavior_data, upload_data=[%s]
CMainWindow::upload_user_behavior_data, upload_data=[%s]
pid=%s
pid=%s
CMainWindow::verify_signature, can not find ikena certificate in the file.
CMainWindow::verify_signature, can not find ikena certificate in the file.
http\shell\open\command
http\shell\open\command
iexplore.exe
iexplore.exe
netscape.exe
netscape.exe
netscp6.exe
netscp6.exe
,%d,%s,%d,%d,%s
,%d,%s,%d,%d,%s
CMatchRule::fill_in, fail to add ad, ad index=%d, match rule patter=[%s]
CMatchRule::fill_in, fail to add ad, ad index=%d, match rule patter=[%s]
CMatchRule::add_ad, dupilicated ad, ad index=%d
CMatchRule::add_ad, dupilicated ad, ad index=%d
CProfileParser::init, buffer length=[%d]
CProfileParser::init, buffer length=[%d]
CProfileParser::has_next, try to find next key-value pair, buffer length=[%d]
CProfileParser::has_next, try to find next key-value pair, buffer length=[%d]
CProfileParser::has_next, find a key-value pair.
CProfileParser::has_next, find a key-value pair.
CProfileParser::has_next, key=[%s], value=[%s]
CProfileParser::has_next, key=[%s], value=[%s]
CProfileParser::has_next, can not find key-value pair.
CProfileParser::has_next, can not find key-value pair.
1.1.3
1.1.3
HttpSendRequestEx
HttpSendRequestEx
CUploader::upload, failed to connect, server=[%s]
CUploader::upload, failed to connect, server=[%s]
CUploader::upload, failed to open request handle, path=[%s]
CUploader::upload, failed to open request handle, path=[%s]
CUploader::post_data, Error on HttpSendRequestEx %d
CUploader::post_data, Error on HttpSendRequestEx %d
CUploader::post_data, %d bytes sent.
CUploader::post_data, %d bytes sent.
CUploader::post_data, Error on HttpEndRequest %d
CUploader::post_data, Error on HttpEndRequest %d
CUrlHandler::on_catch_url, URL:%s
CUrlHandler::on_catch_url, URL:%s
CUrlHandler::on_catch_url, An new ad, index=%d, is triggered by URL=[%s]
CUrlHandler::on_catch_url, An new ad, index=%d, is triggered by URL=[%s]
CUrlHandler::popup_IE, start IE return hr=[%d]
CUrlHandler::popup_IE, start IE return hr=[%d]
CUrlHandler::popup_IE, start IE in method 2 return hr=[%d]
CUrlHandler::popup_IE, start IE in method 2 return hr=[%d]
CUrlHandler::popup_IE, new ad, URL=[%s], width=%d, height=%d
CUrlHandler::popup_IE, new ad, URL=[%s], width=%d, height=%d
CUrlHandler::on_new_window, user clicked the ad, index:%d
CUrlHandler::on_new_window, user clicked the ad, index:%d
CUrlHandler::on_quit
CUrlHandler::on_quit
CZipUtils::extract_zip_file, error %d with zipfile in unzGetGlobalInfo
CZipUtils::extract_zip_file, error %d with zipfile in unzGetGlobalInfo
CZipUtils::extract_zip_file, error %d with zipfile in unzGoToNextFile
CZipUtils::extract_zip_file, error %d with zipfile in unzGoToNextFile
CZipUtils::extract_current_file, error %d with zipfile in unzGetCurrentFileInfo
CZipUtils::extract_current_file, error %d with zipfile in unzGetCurrentFileInfo
CZipUtils::extract_current_file, error %d with zipfile in unzOpenCurrentFile
CZipUtils::extract_current_file, error %d with zipfile in unzOpenCurrentFile
CZipUtils::extract_current_file, error opening %s
CZipUtils::extract_current_file, error opening %s
EbatesMoeMoneyMaker.exe_1836:
.text
.text
`.rdata
`.rdata
@.data
@.data
SSSSSSh
SSSSSSh
VkKeyScanA
VkKeyScanA
MapVirtualKeyA
MapVirtualKeyA
GetKeyState
GetKeyState
keybd_event
keybd_event
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyExA
RegEnumKeyA
RegEnumKeyA
ADVAPI32.dll
ADVAPI32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
WS2_32.dll
WS2_32.dll
HttpOpenRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestA
WININET.dll
WININET.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
VERSION.dll
VERSION.dll
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
kernel32.dll
kernel32.dll
user32.dll
user32.dll
windowsdesktop
windowsdesktop
%s %d
%s %d
%s %d %I64Ld %I64Ld %I64Ld
%s %d %I64Ld %I64Ld %I64Ld
%d %d %d %d %s
%d %d %d %d %s
getwindowsdirectory
getwindowsdirectory
0.0.0.0;;0.0.0.0;;;;;;
0.0.0.0;;0.0.0.0;;;;;;
%d.%d.%d.%d;;%d.%d.%d.%d;;
%d.%d.%d.%d;;%d.%d.%d.%d;;
MTemp\lock.txt
MTemp\lock.txt
MTemp\encryption.bin
MTemp\encryption.bin
createbrowser:svurl
createbrowser:svurl
{0002DF01-0000-0000-C000-000000000046}
{0002DF01-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{85CB6900-4D95-11CF-960C-0080C7F4EE85}
{85CB6900-4D95-11CF-960C-0080C7F4EE85}
Windows
Windows
{13709620-C279-11CE-A49E-444553540000}
{13709620-C279-11CE-A49E-444553540000}
{D8F015C0-C278-11CE-A49E-444553540000}
{D8F015C0-C278-11CE-A49E-444553540000}
tellproxypassword
tellproxypassword
MTemp\logfile.txt
MTemp\logfile.txt
%s "%s" "%s" %d %d %d %d
%s "%s" "%s" %d %d %d %d
[miniMeRegistry.c:collectdata()] --> Failed #2 RegEnumValue, no more items for: %s
[miniMeRegistry.c:collectdata()] --> Failed #2 RegEnumValue, no more items for: %s
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
%s, port %d
%s, port %d
miniMeAccept: accept() error %d
miniMeAccept: accept() error %d
taskQ.mutex
taskQ.mutex
proxypassword_mutex
proxypassword_mutex
HttpOpenRequest
HttpOpenRequest
HTTP/1.0
HTTP/1.0
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
hXXp://
hXXp://
HttpQueryInfo -- 1
HttpQueryInfo -- 1
askforproxypassword
askforproxypassword
HttpSendRequest -- POST version
HttpSendRequest -- POST version
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HttpSendRequest -- GET version
HttpSendRequest -- GET version
iexplore.exe_2188:
%?9-*09,*19}*09
%?9-*09,*19}*09
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
SHDOCVW.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
IE-X-X
rsabase.dll
rsabase.dll
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
dw15 -x -s %u
watson.microsoft.com
watson.microsoft.com
IEWatsonURL
IEWatsonURL
%s -h %u
%s -h %u
iedw.exe
iedw.exe
Iexplore.XPExceptionFilter
Iexplore.XPExceptionFilter
jscript.DLL
jscript.DLL
mshtml.dll
mshtml.dll
mlang.dll
mlang.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
shdocvw.DLL
shdocvw.DLL
browseui.DLL
browseui.DLL
comctl32.DLL
comctl32.DLL
IEXPLORE.EXE
IEXPLORE.EXE
iexplore.pdb
iexplore.pdb
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IExplorer.EXE
IExplorer.EXE
IIIIIB(II<.fg>
IIIIIB(II<.fg>
7?_____ZZSSH%
7?_____ZZSSH%
)z.UUUUUUUU
)z.UUUUUUUU
,....Qym
,....Qym
````2```
````2```
{.QLQIIIKGKGKGKGKGKG
{.QLQIIIKGKGKGKGKGKG
;33;33;0
;33;33;0
8888880
8888880
8887080
8887080
browseui.dll
browseui.dll
shdocvw.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
6.00.2900.5512
6.00.2900.5512