Adware.Ipinsight.C_037a0f79c4

by malwarelabrobot on September 19th, 2014 in Malware Descriptions.

Adware.Ipinsight.C (AdAware), Trojan.Win32.IEDummy.FD (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 037a0f79c43dbe32f03c8a887831ab5e
SHA1: 280b8211f704c5782ec1e2472cfaae819b03eec3
SHA256: 09cf46fb690752c5168753a97cb6909a79b9faabb9463d7a61978f2d1d12ecb5
SSDeep: 49152:VuVHtthooxZZKwdFkqq29tbBMMyvT399XGzrOIXvDKb: HuoAwdFkqwMyT99GzrpbKb
Size: 2147884 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2000-06-16 21:00:04
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):

BargainBuddy.exe:1732
EbatesMoeMoneyMaker.exe:1836
ebatesmoemoneymaker14.exe:1784
s4Setp.exe:2116
RegSvr32.exe:1068
RegSvr32.exe:1336
RegSvr32.exe:2020
RegSvr32.exe:2012
RegSvr32.exe:484
RegSvr32.exe:480
bargains.exe:908
SuperBarInstall.exe:604
%original file name%.exe:1560
runonce.exe:1260
Setup.exe:1872
rundll32.exe:452
NLNupgradeV4_6P28.exe:1520
IKernel.exe:1292
IKernel.exe:1596
msbb.exe:380
grpconv.exe:604
iKernel.exe:1708

The Adware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process BargainBuddy.exe:1732 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\Bargain Buddy\bargains.exe (9744 bytes)
%Program Files%\Bargain Buddy\bbchk.exe (12 bytes)
%Program Files%\Bargain Buddy\bin\apuc.dll (601 bytes)
%Program Files%\Bargain Buddy\apuc.dll (1718 bytes)
%Program Files%\Bargain Buddy\bin\bargains.exe (1281 bytes)
%Program Files%\Bargain Buddy\uninst.exe (388 bytes)

The Adware deletes the following file(s):

%Program Files%\Bargain Buddy\bargains.exe (0 bytes)
%Program Files%\Bargain Buddy\apuc.dll (0 bytes)

The process EbatesMoeMoneyMaker.exe:1836 makes changes in the file system.
The Adware deletes the following file(s):

%Program Files%\EbatesMoeMoneyMaker\System\MTemp\encryption.bin (0 bytes)

The process ebatesmoemoneymaker14.exe:1784 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\EbatesMoeMoneyMaker\System\Code\dz.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\da.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\be.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bk.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bb.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\c.class (7 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cu.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\by.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\j.class (261 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ct.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cc.class (710 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dp.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ec.class (533 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dh.class (534 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiBA.tmp (7168 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bi.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ck.class (751 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\l.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\br.class (652 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bv.class (478 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\m.class (538 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bw.class (971 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\y.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dg.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\f.class (684 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dr.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\p.class (229 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\db.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bh.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bn.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cr.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ea.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\co.class (521 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dt.class (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ds.class (8 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cw.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_proxy.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\x.class (619 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dx.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cp.class (6 bytes)
%Program Files%\EbatesMoeMoneyMaker\ebates_README2.txt (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\w.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dc.class (339 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_conflicts2.htm (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\s.class (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cf.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ch.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bq.class (257 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cd.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bd.class (517 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cz.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dw.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bt.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\Main.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bm.class (753 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bs.class (379 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dd.class (15 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dm.class (698 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe (1552 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cb.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\g.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cj.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\ebatesver2.dls (11 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\de.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cq.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_preferences0.htm (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bc.class (707 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\eeid14.dls (568 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\v.class (119 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bp.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bo.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\n.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ba.class (535 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_script0.htm (43 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ce.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\Applications\sunclass.dls (263 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cm.class (522 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dj.class (755 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dk.class (518 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\q.class (484 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\loader.dls (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\di.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\a.class (373 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ed.class (651 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\t.class (286 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dn.class (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dv.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\d.class (687 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bu.class (938 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cg.class (544 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_autorediroffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\r.class (634 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\u.class (359 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\system.dls (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ci.class (541 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_memoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dq.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\e.class (451 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_disable0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\i.class (555 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cy.class (449 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\du.class (182 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\ca.class (831 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\eb.class (531 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\df.class (3 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\dy.class (678 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bx.class (4 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bl.class (1 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_nonmemoffer0.htm (2 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bj.class (540 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\System\personality.dls (784 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\b.class (731 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\cs.class (5 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\k.class (532 bytes)
%Program Files%\EbatesMoeMoneyMaker\System\Code\bz.class (1 bytes)

The process s4Setp.exe:2116 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\MySearch\bar\1.bin\NPMYSRCH.DLL (32 bytes)
%Program Files%\MySearch\bar\1.bin\UNINSTALL.INF (1 bytes)
%Program Files%\MySearch\bar\1.bin\S4BAR.DLL (184 bytes)
%Program Files%\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS (327 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER2.DAT (461 bytes)
%Program Files%\MySearch\bar\1.bin\S42NS.EXE (24 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.BMP (1 bytes)
%Program Files%\MySearch\bar\1.bin\PARTNER.DAT (922 bytes)

The process SuperBarInstall.exe:604 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (13968 bytes)
%Program Files%\SuperBar\settings.cfg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB9.tmp (16424 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp (0 bytes)

The process %original file name%.exe:1560 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (1726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (6681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (2401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (20687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (11 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (0 bytes)

The process Setup.exe:1872 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (2105 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\temp.000 (11328 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (0 bytes)
%Program Files%\Common Files\InstallShield (0 bytes)
%Program Files%\Common Files\InstallShield\IScript (0 bytes)
%Program Files%\Common Files\InstallShield\Engine\6 (0 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32 (0 bytes)
%Program Files%\Common Files\InstallShield\Engine (0 bytes)

The process rundll32.exe:452 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%WinDir%\inf\SETC0.tmp (1 bytes)
%WinDir%\setupapi.log (1728 bytes)
%WinDir%\SETBD.tmp (1281 bytes)

The Adware deletes the following file(s):

%WinDir%\inf\oem10.inf (0 bytes)
%WinDir%\inf\SETC0.tmp (0 bytes)
%WinDir%\SETBD.tmp (0 bytes)

The process NLNupgradeV4_6P28.exe:1520 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (784 bytes)
%WinDir%\system\RSP.dll (40 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dll.dat (1568 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%System%\drivers\etc\hosts (841 bytes)
C:\t1fg (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (588 bytes)
%WinDir%\system\BHO.DLL (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll.dat (1568 bytes)
%WinDir%\system\WinStart.exe (601 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (0 bytes)

The process IKernel.exe:1292 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\Blue Haven Media\Value Added Software\msbb7fd0.rra (5294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\711a.rra (1464 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\obje73d9.rra (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\valu789c.rra (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\defa78ea.rra (1 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\ctor731e.rra (3404 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7dfb.rra (1568 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Supe7fb1.rra (12762 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7ddc.rra (8368 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu7e49.rra (2712 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\core72df.rra (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu786d.rra (2712 bytes)
%Program Files%\Blue Haven Media\Value Added Software\NLNu7f91.rra (4314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8} (4 bytes)
%Program Files%\Blue Haven Media\Value Added Software\lice7ee5.rra (4314 bytes)
%Program Files%\Blue Haven Media\Value Added Software\s4Se7eb7.rra (8760 bytes)
%Program Files%\Blue Haven Media\Value Added Software\Barg7f05.rra (6118 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7e2a.rra (92 bytes)
%Program Files%\Common Files\InstallShield\IScript\iscr7531.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7dbd.rra (11 bytes)
%System%\ipin7fef.rra (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsR7909.rra (7348 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\layo7d40.rra (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt78cb.rra (10582 bytes)
%System%\ipin800e.rra (8474 bytes)
%Program Files%\Blue Haven Media\Value Added Software\ebat7f53.rra (7316 bytes)
%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.ini (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (139 bytes)
%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\iuse7437.rra (6134 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\value.shl (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsRes.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\default.pal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setup.inx (0 bytes)

The process IKernel.exe:1596 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process msbb.exe:380 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5656 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5644 bytes)

Registry activity

The process BargainBuddy.exe:1732 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\Apuc.UrlCatcher]
"(Default)" = "UrlCatcher Class"

[HKLM\SOFTWARE\Bargains]
"PartnerName" = "RANY"

[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}]
"(Default)" = "IUrlCatcher"

[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Bargains]
"ServerPort" = "80"

[HKCR\Apuc.UrlCatcher.1\CLSID]
"(Default)" = "{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bargain Buddy]
"UninstallString" = "%Program Files%\Bargain Buddy\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Apuc.UrlCatcher\CLSID]
"(Default)" = "{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}"

[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
"(Default)" = "UrlCatcher Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Bargains]
"ServerName" = "adpopper.outblaze.com"

[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Apuc.UrlCatcher.1]
"(Default)" = "UrlCatcher Class"

[HKLM\SOFTWARE\Bargains]
"Binary" = "bin"
"ConfigUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=config"

[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bargain Buddy]
"DisplayName" = "Bargain Buddy"

[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\TypeLib]
"(Default)" = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}"

[HKLM\SOFTWARE\Bargains]
"MainDir" = "%Program Files%\Bargain Buddy"

[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0]
"(Default)" = "apuc 1.0 Type Library"

[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\0\win32]
"(Default)" = "%Program Files%\Bargain Buddy\bin\apuc.dll"

[HKCR\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Bargain Buddy\bin\"

[HKLM\SOFTWARE\Bargains]
"BuildNumber" = "6008"
"serverpath" = "/scripts/adpopper/webservice.main?type=upload"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 F1 73 4C 25 95 DC 02 F7 F1 9D 2F 8B 36 79 F7"

[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BARGAI~1\bin\apuc.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Bargains]
"FirstHitUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=first_hit"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\ProgID]
"(Default)" = "Apuc.UrlCatcher.1"

[HKLM\SOFTWARE\Bargains]
"ADDataUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=data"

[HKCR\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}\VersionIndependentProgID]
"(Default)" = "Apuc.UrlCatcher"

[HKLM\SOFTWARE\Bargains]
"SoftwareUpdateQueryUrl" = "http://adpopper.outblaze.com/scripts/adpopper/webservice.main?version=%d&pid=%s&type=software"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
"(Default)" = "Url Catcher"

To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bargains" = "%Program Files%\Bargain Buddy\bin\bargains.exe"

The Adware deletes the following value(s) in system registry:
The Adware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adp"

The process EbatesMoeMoneyMaker.exe:1836 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Default Visible" = "Yes"
"ButtonText" = "Ebates"

[HKCU\Control Panel\Desktop]
"ForegroundLockTimeout" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"HotIcon" = "%Program Files%\EbatesMoeMoneyMaker\System\Images\ebates1_hot.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ebatesver2.xml]
"(Default)" = "Ebates Moe Money Maker"

"DisplayName" = "Ebates Moe Money Maker"

[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Script" = "file://%Program Files%\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Ebates]
"(Default)" = "file://%Program Files%\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Ebates]
"Contexts" = "63"

[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\Extensions\{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}]
"Icon" = "%Program Files%\EbatesMoeMoneyMaker\System\Images\ebates1.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ebatesver2.xml]
"UninstallString" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker ls: deletefeature ld: feature=ebatesver2.xml"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 29 62 A3 F1 D3 94 B9 03 47 6E 78 7B 74 8E 5B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ebatesmoemoneymaker14.exe:1784 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 90 D6 26 1C FF 15 71 6E 51 BA C4 4C E8 11 C4"

To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EbatesMoeMoneyMaker" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker"

The process s4Setp.exe:2116 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\MySearchToolBar.NetscapeShutdown.1\CLSID]
"(Default)" = "{014DA6C5-189F-421a-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search IE Installer"

[HKLM\SOFTWARE\MySearch\bar]
"CurInstall" = "1"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MySearchToolBar.NetscapeStartup.1\CLSID]
"(Default)" = "{014DA6C7-189F-421a-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\0\win32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKLM\SOFTWARE\MySearch\bar]
"dir" = "%Program Files%\MySearch\bar\"

[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My &Search Bar"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.NetscapeStartup"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Blue Haven Media\Value Added Software\s4Setp.exe,"

[HKCR\MySearchToolBar.SettingsPlugin]
"(Default)" = "My Search Settings Plugin"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{014DA6C9-189F-421a-88CD-07CFE51CFF10}" = ""

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\MySearch\bar\partner]
"mysearchurl" = "http://ms107.mysearch.com/"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\MySearchToolBar.NetscapeStartup\CurVer]
"(Default)" = "MySearchToolBar.NetscapeStartup.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall]
"UninstallString" = "RunDll32 advpack.dll,LaunchINFSection %Program Files%\MySearch\bar\1.bin\uninstall.inf,Uninstall"

[HKCR\MySearchToolBar.SettingsPlugin\CLSID]
"(Default)" = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\MySearchToolBar.NetscapeShutdown\CurVer]
"(Default)" = "MySearchToolBar.NetscapeShutdown.1"

[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MySearchToolBar.NetscapeShutdown]
"(Default)" = "MySearchBarNetscapeShutdown Class"

[HKCR\MySearchToolBar.NetscapeStartup.1]
"(Default)" = "MySearchBarNetscapeStartup Class"

[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchSettings"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "MySearchBarNetscapeShutdown Class"

[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search BHO"

[HKCU\Software\Netscape\Netscape Navigator\Automation Shutdown]
"MySearchToolBar.NetscapeShutdown.1" = "MySearchToolBar.NetscapeShutdown.1"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.NetscapeShutdown"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 D5 D3 8E A9 36 AE 9F A8 A1 7A 1A 1F 5A F3 DE"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.SettingsPlugin.1"

[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\"

[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKCR\CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall]
"DisplayName" = "My Search Bar"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKLM\SOFTWARE\MySearch\bar\partner]
"Search" = "http://ms107.mysearch.com/jsp/bardef.jsp?searchfor=

"

[HKCR\MySearchToolBar.NetscapeStartup]
"(Default)" = "MySearchBarNetscapeStartup Class"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "MySearchBarNetscapeStartup Class"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchBarNetscapeStartup"

[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\MySearchToolBar.NetscapeShutdown\CLSID]
"(Default)" = "{014DA6C5-189F-421a-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.NetscapeStartup.1"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}\1.0]
"(Default)" = "Toolbar 1.0 Type Library"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\VersionIndependentProgID]
"(Default)" = "MySearchToolBar.SettingsPlugin"

[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Netscape\Netscape Navigator\Automation Startup]
"MySearchToolBar.NetscapeStartup.1" = "MySearchToolBar.NetscapeStartup.1"

[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "_IMySearchSettingsEvents"

[HKLM\SOFTWARE\MySearch\bar\partner]
"Name" = ""

[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"(Default)" = "%Program Files%\MySearch\bar\1.bin\S4BAR.DLL"

[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MySearch\bar\partner]
"cfg" = "http://ms107cfg.mysearch.com/ms107cfg.jsp"

[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search Settings"

[HKCR\Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"

[HKCR\MySearchToolBar.NetscapeShutdown.1]
"(Default)" = "MySearchBarNetscapeShutdown Class"

[HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\MySearchToolBar.NetscapeStartup\CLSID]
"(Default)" = "{014DA6C7-189F-421a-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search Bar Installer2"

[HKCR\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421a-88CD-07CFE51CFF10}"

[HKCR\Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MySearch\bar\partner]
"Bitmap" = "%Program Files%\MySearch\bar\1.bin\partner.bmp"

[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MySearchToolBar.SettingsPlugin\CurVer]
"(Default)" = "MySearchToolBar.SettingsPlugin.1"

[HKLM\SOFTWARE\MySearch\bar\partner]
"URL" = ""

[HKCR\MySearchToolBar.SettingsPlugin.1\CLSID]
"(Default)" = "{014DA6CB-189F-421a-88CD-07CFE51CFF10}"

[HKLM\SOFTWARE\MySearch\bar\partner]
"EXE" = ""

[HKCR\Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}]
"(Default)" = "IMySearchBarNetscapeShutdown"

[HKCR\MySearchToolBar.SettingsPlugin.1]
"(Default)" = "My Search Settings Plugin"

[HKCR\CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}\ProgID]
"(Default)" = "MySearchToolBar.NetscapeShutdown.1"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}\TypeLib]
"(Default)" = "{014DA6C0-189F-421A-88CD-07CFE51CFF10}"

[HKCR\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}\Version]
"(Default)" = "1.0"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
"(Default)" = "My Search BHO"

The process RegSvr32.exe:1068 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 56 FD 27 DE 25 FF DE FA 2E C5 5E AF 5C B7 AB"

The process RegSvr32.exe:1336 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 BC E9 1D 8E 1D DC 14 BB 62 63 D3 FD 0B 7E 26"

The process RegSvr32.exe:2020 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 1E D4 37 88 A8 9E 97 1F 21 93 26 55 86 FF B8"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\InprocServer32]
"(Default)" = "%WinDir%\System\BHO.DLL"

[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\HELPDIR]
"(Default)" = "%WinDir%\System"

[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0]
"(Default)" = "BHO"

[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\0\win32]
"(Default)" = "%WinDir%\System\BHO.DLL"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}]
"(Default)" = "_clsUrlSearch"

[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\TypeLib]
"(Default)" = "{974CC25E-D62C-4278-84E6-A806726E37BC}"

[HKCR\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}\3.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\TypeLib]
"(Default)" = "{974CC25E-D62C-4278-84E6-A806726E37BC}"

[HKCR\BHO.clsUrlSearch]
"(Default)" = "BHO.clsUrlSearch"

[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\VERSION]
"(Default)" = "3.0"

[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BHO.clsUrlSearch\Clsid]
"(Default)" = "{730F2451-A3FE-4A72-938C-FC8A74F15978}"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}]
"(Default)" = "BHO.clsUrlSearch"

[HKCR\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}\ProgID]
"(Default)" = "BHO.clsUrlSearch"

[HKCR\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}\TypeLib]
"Version" = "3.0"

The process RegSvr32.exe:2012 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 7F 53 FC 76 1E DB F6 25 C9 B6 5E C0 6B E7 0F"

The process RegSvr32.exe:484 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 3D 24 5E 6F 3D 1E 31 15 CD E3 81 89 B3 6B E4"

The process RegSvr32.exe:480 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 78 80 51 50 AA B0 C6 D6 B4 90 CF D8 28 75 FB"

[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}]
"(Default)" = "_BizLgk"

[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"(Default)" = "{676058DB-89BD-11D6-8A8C-0050BA8452C0}"

[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\HELPDIR]
"(Default)" = "%WinDir%\System"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\ProgID]
"(Default)" = "Rsp.BizLgk"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}]
"(Default)" = "Rsp.BizLgk"

[HKCR\Rsp.BizLgk]
"(Default)" = "Rsp.BizLgk"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\VERSION]
"(Default)" = "1.0"

[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0]
"(Default)" = "Rsp"

[HKCR\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}\InprocServer32]
"(Default)" = "%WinDir%\System\RSP.dll"

[HKCR\Rsp.BizLgk\Clsid]
"(Default)" = "{676058E4-89BD-11D6-8A8C-0050BA8452C0}"

[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}\TypeLib]
"(Default)" = "{676058DB-89BD-11D6-8A8C-0050BA8452C0}"

[HKCR\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}\1.0\0\win32]
"(Default)" = "%WinDir%\System\RSP.dll"

The process bargains.exe:908 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 09 85 2C 9A 4B 32 F9 F7 24 AC 48 28 15 21 89"

[HKLM\SOFTWARE\Bargains]
"LastQueryTime" = "0"
"ADDataVersion" = "0"
"UpdateQueryDuration" = "86400"
"MinCountOfUrlsBetweenTwoADs" = "4"
"FirstHit" = "1"
"ConfigVersion" = "0"
"UpdateQueryFailedDuration" = "1200"
"trace" = "0"
"IdleMinutesThreshold" = "5"
"MaxDailyCapPerUSer" = "20"
"MaxDomainCap" = "3"
"MinMinutesBetweenTwoADs" = "2"

The process SuperBarInstall.exe:604 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\SuperBar.Component]
"(Default)" = "SuperBar.Component"

[HKCR\SuperBarExts.SaveDataInterface\CLSID]
"(Default)" = "{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}"

[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}]
"(Default)" = "ISaveDataInterface"

[HKCR\SuperBarExts.SaveDataInterface]
"(Default)" = "SuperBarExts.SaveDataInterface"

[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\SuperBar.Component\CLSID]
"(Default)" = "{835177FE-A8F7-4690-AC10-CBE58765E002}"

[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\InProcServer32]
"(Default)" = "C:\PROGRA~1\SuperBar\SUPERB~1.DLL"

[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"

[HKCR\SuperBarBHO.Component]
"(Default)" = "SuperBarBHO.Component"

[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\InProcServer32]
"(Default)" = "C:\PROGRA~1\SuperBar\SUPERB~1.DLL"

[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}]
"(Default)" = "IFireUserProfileEvents"

[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SuperBar"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{835177FE-A8F7-4690-AC10-CBE58765E002}" = ""

[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\superbar]
"Reg State" = "0"

[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\ProgId]
"(Default)" = "SuperBarBHO.Component"

[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}]
"Version Number" = "2.1.230"

[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0\0\win32]
"(Default)" = "%Program Files%\SuperBar\SuperBarExts.Dll"

[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}\ProgID]
"(Default)" = "SuperBarExts.SaveDataInterface"

[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}]
"(Default)" = "SuperBar"

[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}]
"(Default)" = "SuperBarExts.UserProfileInterface"

[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\InprocServer32]
"(Default)" = "%Program Files%\SuperBar\SuperBar.Dll"

[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\ProgId]
"(Default)" = "SuperBar.Component"

[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\SuperBar]
"First" = ""

[HKCR\SuperBarExts.UserProfileInterface\CLSID]
"(Default)" = "{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}"

[HKCR\SuperBarBHO.Component\CLSID]
"(Default)" = "{136A9D1D-1F4B-43D4-8359-6F2382449255}"

[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DF7D760C-B7E2-4735-BB77-F5A1A9745E16}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 E1 C6 AD DC 8A 1F 4B 1C BB 4B 2E BC B2 92 5E"

[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"

[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}]
"(Default)" = "SuperBar"

[HKCR\TypeLib\{60F8FB2A-9915-4202-967D-1FA694A8BCF5}\1.0]
"(Default)" = "SuperBarExts"

[HKCR\CLSID\{835177FE-A8F7-4690-AC10-CBE58765E002}\InprocServer32]
"(Default)" = "%Program Files%\SuperBar\SuperBar.Dll"

[HKCR\CLSID\{136A9D1D-1F4B-43D4-8359-6F2382449255}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}\TypeLib]
"(Default)" = "{60F8FB2A-9915-4202-967D-1FA694A8BCF5}"

[HKCR\Interface\{B8AFA251-4EFB-4703-87D4-DA7D2435BA5E}]
"(Default)" = "IUserProfileInterface"

[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{9D1B86C7-1B93-4586-9009-EA3BD0AD63A5}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E5DFB380-3988-4C07-8AFB-8A47769D9DB5}\ProgID]
"(Default)" = "SuperBarExts.UserProfileInterface"

[HKCR\CLSID\{D7F2FD62-6C1B-4B52-85B1-F65A414BF050}]
"(Default)" = "SuperBarExts.SaveDataInterface"

[HKCR\SuperBarExts.UserProfileInterface]
"(Default)" = "SuperBarExts.UserProfileInterface"

The process %original file name%.exe:1560 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 85 B0 47 24 4E AA 55 2E 5D 71 9B 36 85 2F 51"

The process runonce.exe:1260 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 91 6D B5 1B 64 FE 4D 6D E3 0E 59 16 E9 61 B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Adware deletes the following value(s) in system registry:
The Adware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"

The process Setup.exe:1872 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 47 62 9D C5 65 BE 56 66 FA E2 BE ED DB 92 CC"

The process rundll32.exe:452 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F FC E7 FE 4A 65 14 8B F9 02 9F CC 5C F6 51 1F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IPInsight]
"UninstallString" = "RunDll32 advpack.dll,LaunchINFSection %WinDir%\INF\IPInsigt.inf, Uninstall"

[HKLM\SOFTWARE\IPInsight]
"IdOfDist" = "BLUE6003"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
"INF/IPINSIGT.PNF" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IPInsight]
"DisplayName" = "IPInsight"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/IPINSIGT.inf" = "1"
"INF/oem10.PNF" = "1"

To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"

The process NLNupgradeV4_6P28.exe:1520 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 B8 ED 8C 20 D7 2E 05 6B 50 94 D2 3F 59 91 4D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winstart" = "%WinDir%\System\WinStart.exe -boot"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB}"
"{CFCDA454-78A0-404A-90E9-AD589DA7E059}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"

[HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E3D9BB01-877C-11d6-9408-00409530574B}"

The process IKernel.exe:1292 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\iscript.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"UninstallString" = "RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.exe"

[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"iKernel.exe" = "1"

[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}]
"(Default)" = "ISetupPropertyBag"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%System%]
"ipinsigt.dll" = "1"

[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\IScript]
"iscript.dll" = "1"

[HKCR\Setup.ScriptEngine.1]
"(Default)" = "InstallShield Script Engine"

[HKCR\Setup.ScriptEngine.1\CLSID]
"(Default)" = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"

[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}]
"(Default)" = "ISetupScriptEngine"

[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}]
"(Default)" = "IPInsigtObj Class"

[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}]
"(Default)" = "ISetupMultiMedia"

[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Setup.ScriptDriverWrapper\CLSID]
"(Default)" = "{AA7E2086-CB55-11D2-8094-00104B1F9838}"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}]
"(Default)" = "ISetupWindowBillBoards"

[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}]
"(Default)" = "ISetupMainWindow"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Setup.User\CLSID]
"(Default)" = "{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}"

[HKCR\Setup.ScriptEngine\CLSID]
"(Default)" = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"

[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "InstallShield setup object wrapper"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\TypeLib]
"(Default)" = "{BE35582C-9796-4CF1-AED9-556ADA120B38}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\VersionIndependentProgID]
"(Default)" = "IPInsigt.IPInsigtObj"

[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0]
"(Default)" = "Setup UI 1.0 Type Library"

[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"

[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"

[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0]
"(Default)" = "IPInsigt 1.0 Type Library"

[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}]
"(Default)" = "ISetupUserInterface"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\ProgID]
"(Default)" = "Setup.ScriptDriverWrapper.1"

[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iuser.dll"

[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}]
"(Default)" = "ISetupMainWindow4"

[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\Setup.ScriptObjectWrapper.1\CLSID]
"(Default)" = "{AA7E2087-CB55-11D2-8094-00104B1F9838}"

[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}]
"(Default)" = "ISetupSDMessage"

[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}]
"(Default)" = "ISetupRebootable"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Setup.ScriptDriverWrapper.1\CLSID]
"(Default)" = "{AA7E2086-CB55-11D2-8094-00104B1F9838}"

[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0]
"(Default)" = "InstallShield Script 1.0 Type Library"

[HKCR\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\IPInsigt.IPInsigtObj.1]
"(Default)" = "IPInsigtObj Class"

[HKCR\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}]
"(Default)" = "ISetupWindowImage"

[HKCR\IPInsigt.IPInsigtObj.1\CLSID]
"(Default)" = "{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}"

[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}]
"(Default)" = "ISetupProgress2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 DF 1A A9 59 BB 55 4E 64 F7 84 39 ED DD CE C0"

[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\IPInsight]
"IdOfDist" = "BLUE6003"

[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"objectps.dll" = "1"

[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Setup.ScriptDriverWrapper.1]
"(Default)" = "InstallShield setup object wrapper"

[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"

[HKCR\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}]
"(Default)" = "ISetupScriptError"

[HKCR\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}]
"(Default)" = "ISetupWindowText"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"ctor.dll" = "1"

[HKCR\Setup.ScriptEngine]
"(Default)" = "InstallShield Script Engine"

[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\ctor.dll"

[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.ScriptEngine.1"

[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}]
"(Default)" = "ISetupObjectLifetime"

[HKCR\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods]
"(Default)" = "5"

[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}]
"(Default)" = "InstallShield setup user interafce"

[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Setup.ScriptDriverWrapper]
"(Default)" = "InstallShield setup object wrapper"

[HKCR\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\IScript\iscript.dll"

[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib]
"Version" = "1.0"
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"

[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"LogFile" = "%Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setup.ilg"

[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}]
"(Default)" = "ISetupScriptEngine2"

[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\TypeLib]
"Version" = "1.0"

[HKCR\Setup.ScriptObjectWrapper]
"(Default)" = "InstallShield setup object wrapper"

[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}]
"(Default)" = "ISetupMainWindow2"

[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}]
"(Default)" = "ISetupGUIObject"

[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"

[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\TypeLib]
"(Default)" = "{11CC62B9-65F8-4A8B-B33F-5DE4E838442D}"

[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}]
"(Default)" = "ISetupMainWindow3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Setup.User.1]
"(Default)" = "InstallShield setup user interafce"

[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "InstallShield setup object wrapper"

[HKCR\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptEngine"

[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.User"

[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}]
"(Default)" = "ISetupProgress"

[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}]
"(Default)" = "ISetupScriptController"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}]
"(Default)" = "ISetupObjectClass"

[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"

[HKCR\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptDriverWrapper"

[HKCR\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.User.1"

[HKCR\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupWizardUI"

[HKCR\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"iuser.dll" = "1"

[HKLM\SOFTWARE\IPInsight]
"IdOfInst" = "{421ADD68-E5A4-405B-A47E-943B7EFCB8D2}"

[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\InprocServer32]
"(Default)" = "%System%\ipinsigt.dll"

[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Program Files%\Common Files\InstallShield\engine\6\Intel 32]
"corecomp.ini" = "1"

[HKCR\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib]
"(Default)" = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"

[HKCR\Setup.ScriptObjectWrapper\CLSID]
"(Default)" = "{AA7E2087-CB55-11D2-8094-00104B1F9838}"

[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\ProgID]
"(Default)" = "IPInsigt.IPInsigtObj.1"

[HKCR\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\objectps.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}]
"(Default)" = "ISetupObjectReboot"

[HKCR\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}]
"(Default)" = "IIPInsigtObj"

[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID]
"(Default)" = "Setup.ScriptObjectWrapper"

[HKCR\Setup.User]
"(Default)" = "InstallShield setup user interafce"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{BE35582C-9796-4CF1-AED9-556ADA120B38}\1.0\0\win32]
"(Default)" = "%System%\ipinsigt.dll"

[HKCR\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}]
"DisplayName" = "Value Added Software"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}]
"(Default)" = "ISetupServiceProvider"

[HKCR\Setup.ScriptObjectWrapper.1]
"(Default)" = "InstallShield setup object wrapper"

[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0]
"(Default)" = "InstallShield Runtime 1.0 Type Library"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Setup.User.1\CLSID]
"(Default)" = "{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}"

[HKCR\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\ProgID]
"(Default)" = "Setup.ScriptObjectWrapper.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\Interface\{297AFC77-2039-4D3C-BEF9-598819EB2C8A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}]
"(Default)" = "InstallShield Script Engine"

[HKCR\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib]
"(Default)" = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"

[HKCR\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"

[HKCR\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iuser.dll"

The process IKernel.exe:1596 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}]
"(Default)" = "ISetupFileService"

[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Setup.LogServices]
"(Default)" = "SetupLogServices Class"

[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Setup.Kernel]
"(Default)" = "InstallShield setup kernel"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupTransferEvents"

[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\"

[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}]
"(Default)" = "ISetupRegistry2"

[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}]
"(Default)" = "ISetupShellLink2"

[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}]
"(Default)" = "ISetupShell2"

[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}]
"(Default)" = "ISetupShell"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpTypes"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpType"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Setup.Kernel\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}]
"(Default)" = "ISetupTransferErrorInfo"

[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}]
"(Default)" = "ISetupCABFile2"

[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}]
"(Default)" = "ISetupRegistry"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}]
"(Default)" = "ISetupFileErrors"

[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\1.0\FLAGS]
"(Default)" = "1"

[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupComponents"

[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}]
"(Default)" = "ISetupReboot2"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}]
"(Default)" = "ISetupSharedFiles"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}]
"(Default)" = "ISetupBasicFeature"

[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}]
"(Default)" = "ISetupObjectContext"

[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}]
"(Default)" = "SetupLogServices Class"

[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\Setup.Kernel.1]
"(Default)" = "InstallShield setup kernel"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\VersionIndependentProgID]
"(Default)" = "Setup.LogServices"

[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 E8 2D 23 BA C9 B9 7F EB 59 80 D2 5A D3 00 43"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0]
"(Default)" = "Setup Kernel 1.0 Type Library"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}]
"(Default)" = "ISetupLogDB2"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupFeatureLogs"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupMedia"

[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}]
"(Default)" = "ISetupCopyFiles"

[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupCABFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}]
"(Default)" = "SetupLogServices Class"

[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}]
"(Default)" = "ISetupTextSubstitution"

[HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\1.0\0\win32]
"(Default)" = "%System%\stdole32.tlb"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupOpSequence"

[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}]
"(Default)" = "ISetupInfo"

[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}]
"(Default)" = "ISetupTransferEvents2"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"

[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}]
"(Default)" = "ISetupReboot"

[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}]
"(Default)" = "ISetupCABFiles"

[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID]
"(Default)" = "Setup.LogServices.1"

[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupFeature"

[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "InstallShield setup kernel"

[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.Kernel.1"

[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}]
"(Default)" = "ISetupShellLink"

[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObjectHolder"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}]
"(Default)" = "ISetupTypes"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}]
"(Default)" = "ISetupFileErrorInfo"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupLogDB"

[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObjects"

[HKCR\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Setup.LogServices.1\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}]
"(Default)" = "ISetupComponent2"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupFeatureLog"

[HKCR\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Setup.Kernel.1\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupDriver"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}]
"(Default)" = "ISetupFilesCost"

[HKCR\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupFeatures"

[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}]
"(Default)" = "ISetupLogService"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupStringTable"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.Kernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}]
"(Default)" = "ISetupFileRegistrar"

[HKCR\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}]
"(Default)" = "ISetupMedia2"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe"

[HKCR\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}]
"(Default)" = "ISetupType"

[HKCR\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupTransfer"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Setup.LogServices.1]
"(Default)" = "SetupLogServices Class"

[HKCR\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "ISetupComponent"

[HKCR\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}]
"(Default)" = "ISetupObject"

[HKCR\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Setup.LogServices\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}]
"(Default)" = "ISetupBasicFeatureStateEvents"

The process msbb.exe:380 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\180solutions\msbb]
"duid" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\180solutions\msbb]
"int_high" = "30323701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE]
"DisplayName" = "Interstitial Ad Delivery by n-CASE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\180solutions\msbb]
"int_low" = "3998487504"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb]
"DisplayName" = "PAD Lookups by n-CASE"
"UninstallString" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe /uninst_init=y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\180solutions\msbb]
"key_int_high" = "30323701"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 91 5B 50 D8 73 C0 86 D3 03 31 3D 19 05 CE CA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE]
"UninstallString" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe /disable_ads_init=y"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\180solutions\msbb]
"DID" = "172"

"key_int_low" = "3998487504"

[HKCU\Software\Microsoft\RAS Autodial\Control]
"LoginSessionDisable" = "1"

The Adware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Adware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Adware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msbb" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process grpconv.exe:604 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 EF CC DE 63 48 C8 77 D5 55 75 F4 DF FF 59 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.grp]
"(Default)" = "MSProgramGroup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The process iKernel.exe:1708 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCR\Setup.LogServices.1\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}]
"(Default)" = "SetupLogServices Class"

[HKCR\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Setup.LogServices]
"(Default)" = "SetupLogServices Class"

[HKCR\Setup.Kernel]
"(Default)" = "InstallShield setup kernel"

[HKCR\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"

[HKCR\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\"

[HKCR\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"

[HKCR\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID]
"(Default)" = "Setup.Kernel.1"

[HKCR\Setup.Kernel.1\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID]
"(Default)" = "Setup.LogServices.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID]
"(Default)" = "Setup.Kernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Setup.Kernel\CLSID]
"(Default)" = "{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32]
"(Default)" = "C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Setup.Kernel.1]
"(Default)" = "InstallShield setup kernel"

[HKCR\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}]
"(Default)" = "InstallShield setup kernel"

[HKCR\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\VersionIndependentProgID]
"(Default)" = "Setup.LogServices"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED CF D2 AB E4 23 07 61 83 DC B8 82 1F F5 EC F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}]
"(Default)" = "SetupLogServices Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Setup.LogServices\CLSID]
"(Default)" = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}"

[HKCR\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib]
"(Default)" = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"

[HKCR\Setup.LogServices.1]
"(Default)" = "SetupLogServices Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Dropped PE files

MD5 File path
68d9018bcfa92be76496c143ce4f9dce c:\Program Files\Bargain Buddy\bbchk.exe
7cea2f1e30d72e581180d8e7d8d3c352 c:\Program Files\Bargain Buddy\bin\apuc.dll
34ea7c3a3b38367df4ce5af9df3f7b86 c:\Program Files\Bargain Buddy\bin\bargains.exe
571f5cf91cdd81dc5ee7b05c62381a9f c:\Program Files\Bargain Buddy\uninst.exe
4e462c620bead34a48b6509899d37652 c:\Program Files\Blue Haven Media\Value Added Software\BargainBuddy.exe
9910682e8f18775e956743fc6dfa8724 c:\Program Files\Blue Haven Media\Value Added Software\NLNupgradeV4_6P28.exe
6108b9c43678e89489d5773cf17974cb c:\Program Files\Blue Haven Media\Value Added Software\SuperBarInstall.exe
f4cb48d89f212ffb9381a404c8bb78a8 c:\Program Files\Blue Haven Media\Value Added Software\ebatesmoemoneymaker14.exe
ba1c32a6a67c430ac2dd4d1e00ee17aa c:\Program Files\Blue Haven Media\Value Added Software\msbb.exe
03759c4c9477b649c73e0bab5782f401 c:\Program Files\Blue Haven Media\Value Added Software\s4Setp.exe
b3fd01873bd5fd163ab465779271c58f c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
003a6c011aac993bcde8c860988ce49b c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
377765fd4de3912c0f814ee9f182feda c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
8f02b204853939f8aefe6b07b283be9a c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
b2f7e6dc7e4aae3147fbfc74a2ddb365 c:\Program Files\Common Files\InstallShield\IScript\iscript.dll
4b9068b917a5048389b906fc473fcf3f c:\Program Files\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe
e0927f427281ccde747e10f17df53318 c:\Program Files\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.exe
a74ebf51ef783d587a83ef8f13f140b2 c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
1ffa3b2e7d98986a1d77e658a81faab7 c:\Program Files\MySearch\bar\1.bin\S42NS.EXE
c4f850df4d5680ba7e1768e9f28d7280 c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
d8c584cc212dcfa16a33c5e432124d20 c:\Program Files\SuperBar\SuperBar.Dll
ab80382700b014963d8f60cea2100a21 c:\Program Files\SuperBar\SuperBarExts.Dll
ce05e2c23ff49d780435b6d328023866 c:\WINDOWS\IPINSIGT.DLL
ce05e2c23ff49d780435b6d328023866 c:\WINDOWS\system32\ipinsigt.dll
1de9f0524cf10109cead1c0ba914a0d8 c:\WINDOWS\system\BHO.DLL
2072f873933beefb514f2c992a18abd4 c:\WINDOWS\system\RSP.dll
9910682e8f18775e956743fc6dfa8724 c:\WINDOWS\system\WinStart.exe

HOSTS file anomalies

The Adware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 841 bytes in size. The following strings are added to the hosts file listed below:

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Blue Haven Media
Product Name: Value Added Software
Product Version: 1.00.000
Legal Copyright:
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32i.exe
File Version: 1.00.000
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 67194 69632 4.48253 c5ed1c470db2fcb57b814d82c0292896
.rdata 73728 6120 8192 3.19984 d17184d8f4b5b34c55189f25493c2c91
.data 81920 15612 8192 1.68059 ff95d6d261e578ed8925d2003fa45169
.rsrc 98304 70152 73728 2.60145 07c7762c6a42bb4d1b8932041f320747

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 13
c177c231b5a85c06c22ed115800feff7
0bf147382799515e3c33a5814c7675f9
636f2207175d0dbac9caada17919c398
2ccfa707196e7c3260de15c5eb336ae5
b798b4a63b357a5871682d065a4c68b0
168a10fe1a6892b2ec39b04eb9d8666c
499b765e6181c36420f5b1acc9b0cd99
feec223442a50392288274b01492ee5d
23b5b69dabc4e49d3e594b990f980a36
7d308ead4444c35f3bf63de5f0203b45
b0deff82a56c74caaa8dddff4e34d26f
3334bb58e20d931bb24a0bce42518588
b07aafcbd133e77e93440983b901abc1

URLs

URL IP
hxxp://173.194.43.51/adsense/domains/caf.js
hxxp://www.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= 208.73.211.250
hxxp://50.63.202.57/external/builds/common/equivalent_domains.htm
hxxp://www.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA 208.73.211.250
hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~
hxxp://oversee.vo.llnwd.net/css/mobile/15009.css
hxxp://173.194.43.34/ga.js
hxxp://69.64.147.249/thankyou.php?campaign="C:Program FilesInternet Exploreriexplore.exe" -nohome&ai=1
hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=www.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~
hxxp://173.194.43.56/domainads/tracking/caf.gif?ts=1410993259077&rid=2427752
hxxp://oversee.vo.llnwd.net/js/main.js
hxxp://a1123.g.akamai.net/rmgpsc/7867/body-bg.gif
hxxp://googleapis.l.google.com/ajax/libs/webfont/1/webfont.js
hxxp://50.63.202.57/external/builds/images/moe_question.gif
hxxp://a1123.g.akamai.net/rmgpsc/7867/header-bg.jpg
hxxp://mobileoversee.net/cdn/img/bg_grey_arrows.jpg 96.31.35.61
hxxp://a1123.g.akamai.net/rmgpsc/7867/logo1.png
hxxp://108.161.188.209/jquery-latest.min.js
hxxp://173.194.43.57/static/caf/slave.html
hxxp://173.194.43.57/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=www.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://www.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://www.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
hxxp://googleapis.l.google.com/css?family=Libre Baskerville
hxxp://fonts.gstatic.com/s/librebaskerville/v3/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot 173.194.43.55
hxxp://69.64.147.249/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020
hxxp://50.63.202.57/external/builds/downloads/ebatesver2updates.dls
hxxp://69.64.147.249/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com
hxxp://69.64.147.249/3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd
hxxp://173.194.43.34/__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~
hxxp://rte-img.nuseek.com/templates/t1020/images/btn-blacklime.png 69.64.155.190
hxxp://rte-img.nuseek.com/templates/t1020/images/blt-greenarrow.png 69.64.155.190
hxxp://www.ignkeywords.com/?epl=kTfFgYP5ZwKXEtIYM403DOCiF_IbEgqnSO7in6JFTuQb8agcGurtJRBMr6yXxe5jX3X0jKFFmEEnzVTvSgXz4DiUrvROSZRWWT8mmciaMIviKz_UXhuvEicUixVEKhf1zuSm1ma2v01E8ovntWbEUUcwIgtTGsKI9haCLtnNLVi7WmQVcFXmDNqLDLUWEQdHxiUGE7SUgmZBoVDGRcwuFNiXDsaeukYb_FwFsxvJRoeCpLAlnDXSsFEMsD9_qQyD_vBAzG2Vs1guTckRM6ZyLRwgG99I8UNA7aUaNdZ8YBC5KccT1SdJmfU69HISYsWtkmY614YzTyk1B79cIW6fXfxJjHAUx2nYzajLt_yMFQzeBlfwnedcrrQxMIzqqEYI3R8A6-VdH_fVTnXH3q502Qa5kFACYWGjdlbYk_YAk4GuTaQ37pidwG6QpFSZZUk2uR6BOpEiEIiDnkbpjXOiNCui14mzQz6OosQibZrjbokhclaENUdn1DUTpIaPI6LpxsM4Gcjfzvg78L0QUkgvFeNk23Myn59EXi3n8V06hYTNHE8e1XD8vocft-tJfo0GoB6NDPUoE82kCdGUgGmgacRoyGSARqMxAGgAkGlEnjIFRg006qkHmvTU1NOkAY2A6KlhW5NtxwFA8N__vwAAAAXgfwdAAEiA3zcAABe9kN9ZUyZZQTE2aFpC_AIAAPA 208.73.211.250
hxxp://173.194.43.57/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821
hxxp://ip-50-63-202-57.ip.secureserver.net/external/builds/downloads/build5updates.dls
hxxp://lga15s35-in-f19.1e100.net/images/cleardot.gif
hxxp://www159.mysearch.com/ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1
hxxp://imgfarm.com/images/mysearchbar/customize4a.bmp 74.113.233.61
hxxp://imgfarm.com/images/mysearchbar/highlight4.bmp 74.113.233.61
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=www.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~
hxxp://www.bluehavenmedia.com/3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd
hxxp://www.bluehavenmedia.com/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020
hxxp://code.jquery.com/jquery-latest.min.js
hxxp://cdn.cdncomputer.com/css/mobile/15009.css 208.111.168.6
hxxp://dp.g.doubleclick.net/static/caf/slave.html
hxxp://c.rmgserving.com/rmgpsc/7867/body-bg.gif 184.84.243.217
hxxp://cdn.cdncomputer.com/js/main.js 208.111.168.6
hxxp://www.topmoxie.com/external/builds/downloads/ebatesver2updates.dls
hxxp://www.topmoxie.com/external/builds/downloads/build5updates.dls
hxxp://www.google.com/adsense/domains/caf.js
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~
hxxp://b.rmgserving.com/rmgpsc/7867/header-bg.jpg 184.84.243.210
hxxp://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js 64.233.171.95
hxxp://www.google-analytics.com/ga.js
hxxp://www.topmoxie.com/external/builds/common/equivalent_domains.htm
hxxp://www.bluehavenmedia.com/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com
hxxp://ms107cfg.mysearch.com/ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1 74.113.233.58
hxxp://www.bluehavenmedia.com/thankyou.php?campaign="C:Program FilesInternet Exploreriexplore.exe" -nohome&ai=1
hxxp://www.gstatic.com/domainads/tracking/caf.gif?ts=1410993259077&rid=2427752
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821
hxxp://www.google.com/images/cleardot.gif
hxxp://fonts.googleapis.com/css?family=Libre Baskerville 64.233.171.95
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=www.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~
hxxp://www.topmoxie.com/external/builds/images/moe_question.gif
hxxp://d.rmgserving.com/rmgpsc/7867/logo1.png 184.84.243.210


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET MALWARE MySearch Products Spyware User-Agent (MySearch)
ET MALWARE My Search Spyware Config Download
ET MALWARE MyGlobalSearch Spyware bar update 2
ET MALWARE MyGlobalSearch Spyware bar update

Traffic

GET /jquery-latest.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: code.jquery.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:10 GMT
Content-Type: application/x-javascript
Content-Length: 95786
Connection: keep-alive
Last-Modified: Thu, 03 Jul 2014 13:54:44 GMT
Vary: Accept-Encoding
ETag: "53b560a4-1762a"
Expires: Thu, 18 Sep 2014 23:10:58 GMT
Cache-Control: max-age=86400
Cache-Control: public
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes
/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.o
rg/license */.!function(a,b){"object"==typeof module&&"object"==typeof
 module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.do
cument)throw new Error("jQuery requires a window with a document");ret
urn b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){v
ar c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=
h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(
a,b)},n=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g,o=/^-ms-/,p=/-([\da-z])/g
i,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,c
onstructor:m,selector:"",length:0,toArray:function(){return d.call(thi
s)},get:function(a){return null!=a?0>a?this[a this.length]:this[a]:
d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a
);return b.prevObject=this,b.context=this.context,b},each:function(a,b
){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map
(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return t
his.pushStack(d.apply(this,arguments))},first:function(){return this.e
q(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.le
ngth,c= a (0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]
:[])},end:function(){return this.prevObject||this.constructor(null)},p
ush:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var
 a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boole
an"==typeof g&&(j=g,g=arguments[h]||{},h  ),"object"==typeof g||m.
<<< skipped >>>


GET /ajax/libs/webfont/1/webfont.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Thu, 08 May 2014 18:18:52 GMT
Date: Thu, 18 Sep 2014 02:45:47 GMT
Expires: Thu, 18 Sep 2014 03:45:47 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6759
X-XSS-Protection: 1; mode=block
Age: 3023
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic,p=0.002
...........;.{.H....@../.J.VwW(o..V..m.V]7.>....@..........!M......
...3g....'[...8...I<.....S.rB.T;"U0...,.....&..J.j.,..V..v8%....K.H
.2.3m..i....K7].>.i.r.ey...J.s$..%)..]@...dZ.O.iB..j....u.,..Y.....
X..S.E8....J =.......s.0d....). .oO.O..Ov.a1.C......m...Y.^#S@( >..
........}U.....J....<....8M..U....E/...Z....L../..K];:.<...O.W..
?\.d....?<.:=....k..g/N.N....R;<...9={ai......i.;.4..$.m.."..r.Z
.s..)..(.`kY<#1.......H..b..x.% .ji2I*R.:.....S.[]@....<...9....
...}mG3.S;.s.j..eE'.....8...s8....`6..fY.k..$......lB..B..$..........g
.^[email protected]@..%N...j3.0.......%..2t[7....>2.Ao.<
;.....M.hp....j.......6]...u..vJ...mo....r.D.a........P.=.<........
...9...rY.K."l......8......}..E..Q.4.[.H...D.#bV.".k'E..........v...wX
.....y.W.Sj.(_l]..b....#.t.'.Mw.j.1....VX/@D..f..x...B.....G...m..H...
..G.:.*....b...J..#C.@zn)h..Tb...'.i..T...3.^...Y>_,.l........go9."
#..<...../.....M......|PP..$.... .b.>.{....Y.7%s...}..G.<.g.E
....7PP....S.{^...........<....h..a%...Z..r.lo.3.Yx<J..h.......c
.NP.2o.@`PL .|yt.E.32....Q.,...$qj*.p.%.GJ..a...4WQ.Q.>.o)....I.|&l
t;........T....Z"2B.t..N....s../$...o..!...... :.%@..x$.!...hh......b.
..b...Y9b......|......:.....!_#x.........<......5...:[email protected]........
[email protected]... .......6.....x..>[email protected].......*.
....F.W..$G....../.. 8z.....N[..4..... u.(.#J ...4r.%.x..%.R0...3B`...
1....n_.....(.uT..1.s......%..f.....>~...YH.MY....p.%.X.........G.*
.h."..#....%B..:..!..a.s1iE.v.f..X.g.#5....Z.....0IlO...... N..m..
<<< skipped >>>


GET /domainads/tracking/caf.gif?ts=1410993259077&rid=2427752 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Fri, 01 Jun 2012 22:49:22 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,[email protected]..;..



GET /css?family=Libre Baskerville HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Timing-Allow-Origin: *
Expires: Thu, 18 Sep 2014 03:36:11 GMT
Date: Thu, 18 Sep 2014 03:36:11 GMT
Cache-Control: private, max-age=86400
Content-Encoding: gzip
Content-Length: 265
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=0.002
[email protected].&.jD..M..>.F...L&7..If..m...n..*.......\..B
/g...G..*.l"..Dj...n.....\~u,6."R)S2ypk...#..A.Y.#.5.]#....c.."C.}.Jj.
.6.....R..6^,.s0Y....^Gv:..?...7!c...j...........T.I.......[.%Pl%3]..P
.....u.L!. ........p....4....=.....-..Z....SN..{....Q.......



GET /images/mysearchbar/highlight4.bmp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: imgfarm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:15 GMT
Server: Apache
Last-Modified: Mon, 02 Dec 2002 23:11:05 GMT
ETag: "2aeeaf-528-3b0d8ecf47440"
Accept-Ranges: bytes
Content-Length: 1320
Cache-Control: max-age=0
Expires: Thu, 18 Sep 2014 03:36:15 GMT
Connection: close
Content-Type: image/bmp
BM(...........(...T...................................................
.D........5......................@...f..........................aaa...
......................................................................
......................................................................
......................................................................
..................



GET /templates/t1020/images/btn-blacklime.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rte-img.nuseek.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 1773
Content-Type: image/png
Last-Modified: Tue, 12 Aug 2014 20:29:51 GMT
Accept-Ranges: bytes
ETag: "e89c3b2b6cb6cf1:3ac"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
.PNG........IHDR...F.........J~.A....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:246E21A3257511E39B81EA5D
E5296AE8" xmpMM:DocumentID="xmp.did:246E21A4257511E39B81EA5DE5296AE8"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:246E21A1257511E39B
81EA5DE5296AE8" stRef:documentID="xmp.did:246E21A2257511E39B81EA5DE529
6AE8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>........PLTE#$''( . " -/.13........f..a..]q
.D..V~.O..\09)..R\x9..f..c..S..dYq?..g..`..Y..T[x8p.C]y;..Z..a5E#..bBK
?b}A..Yc.Du.K;E8f.He.FRk5..^-6%m.H..Po.L..SDY,s.G_{=ET9`|?[sB%/.r.Fw.N
..S}.Mx.O7F%6>0..T..ZFZ/z.J'1.t.I..X]uDv.LVm:M[Bf.>Qi3..U..W*3"l
.FO^F..V.._JY@..^;J,..Xn.JNb:ENB..Qh.A..`y.RL`8|.L3;-k.O?H<..X{.K..
NCX ..^..Z{.Sz.Is.PQd=..W9B4H\2@O2..[..TGW<..]..UJ^4......9<?68;
248AEIDGK......EIM...?BF<[email protected]:K2....
...N...{'...{..0i....'.9.............D?.@_.@_.@?.@..@[5...........z..1
/..Z.>_8Vm.9t....34........._o....Tr....d..#...e.b.8l.....k..@~
<<< skipped >>>


GET /external/builds/images/moe_question.gif HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:09 GMT
Content-Length: 350
Age: 1
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><ifra
me src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.t
opmoxie.com:80/external/builds/images/moe_question.gif" style="visibil
ity: visible;height: 2000px;" allowtransparency="true" marginheight="0
" marginwidth="0" frameborder="0" scrolling="no" width="100%"></
iframe></body></html>....


GET /external/builds/downloads/ebatesver2updates.dls HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:11 GMT
Content-Length: 358
Age: 0
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><ifra
me src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.t
opmoxie.com:80/external/builds/downloads/ebatesver2updates.dls" style=
"visibility: visible;height: 2000px;" allowtransparency="true" marginh
eight="0" marginwidth="0" frameborder="0" scrolling="no" width="100%"&
gt;</iframe></body></html>....


GET /external/builds/downloads/build5updates.dls HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
Content-Length: 354
Age: 1
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><ifra
me src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.t
opmoxie.com:80/external/builds/downloads/build5updates.dls" style="vis
ibility: visible;height: 2000px;" allowtransparency="true" marginheigh
t="0" marginwidth="0" frameborder="0" scrolling="no" width="100%">&
lt;/iframe></body></html>..



GET /__utm.gif?utmwv=5.5.7&utms=1&utmn=290033122&utmhn=VVV.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=1886333531&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&utmht=1410993257858&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605736
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 11 Sep 2014 03:20:32 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 605736..Alternate-Protocol: 80:quic,p=0.002..GIF89a....
.........,...........D..;....


GET /ga.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 08 Sep 2014 18:50:13 GMT; length=40903
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 304 Not Modified
Date: Thu, 18 Sep 2014 03:15:18 GMT
Expires: Thu, 18 Sep 2014 05:15:18 GMT
Age: 1251
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.002
....


GET /__utm.gif?utmwv=5.5.7&utms=1&utmn=1517658899&utmhn=VVV.ignkeywords.com&utmcs=utf-8&utmsr=1024x768&utmvp=788x438&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=ignkeywords.com&utmhid=678486429&utmr=0&utmp=/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&utmht=1410993258967&utmac=UA-33908493-1&utmcc=__utma=1.780670961.1410993259.1410993259.1410993259.1;+__utmz=1.1410993259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~ HTTP/1.1


Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605737
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;....


GET /__utm.gif?utmwv=5.5.7&utms=2&utmn=1646000713&utmhn=VVV.bluehavenmedia.com&utmcs=utf-8&utmsr=1024x768&utmvp=1008x603&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Bluehavenmedia.com&utmhid=424774016&utmr=-&utmp=/thankyou.php?campaign=%22C:%5CProgram%2520Files%5CInternet%2520Explorer%5Ciexplore.exe%22%2520-nohome&ai=1&utmht=1410993261530&utmac=UA-2249740-15&utmcc=__utma=239202256.154564223.1410993233.1410993233.1410993233.1;+__utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=H~ HTTP/1.1


Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 11 Sep 2014 03:20:32 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 605740
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............,...........D..;..



GET /thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 9802
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; path=/
Set-Cookie: VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; expires=Mon, 18-Sep-2017 03:35:37 GMT; path=/
Set-Cookie: __utma=239202256.154564223.1410993233.1410993233.1410993233.1; path=/
Set-Cookie: __utmb=239202256.1.10.1410993233; path=/
Set-Cookie: __utmc=239202256; path=/
Set-Cookie: __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); path=/
Set-Cookie: yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; path=/
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:11 GMT
<!doctype html>..<html>.....<head>...<meta charse
t="utf-8"/>...<meta http-equiv="X-UA-Compatible" content="IE=edg
e,chrome=1"/>...<meta name="viewport" content="width=device-widt
h, initial-scale=1"/>..    ..<title>Bluehavenmedia.com</ti
tle>..<meta name="keywords" content="blue haven pool blue haven 
houston pool texas blue haven hotel bluehavenmedia.com" />..<met
a name="description" content="Find Blue Haven Pool, Blue Haven Houston
 Pool Texas and more at Bluehavenmedia.com. Get the best of Blue Haven
 Hotel or Media Marketing, browse our section on Media Advertising or 
learn about Media Buyer. Bluehavenmedia.com is the site for Blue Haven
 Pool." />..<script src='hXXp://code.jquery.com/jquery-latest.mi
n.js' type='text/javascript'></script>..<script language='
JavaScript' src='/js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=
1020'></script>.........<title></title>....    &l
t;link href="/css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&
def=Akamai:HostingURL=http://i.nuseek.com" rel="stylesheet" 
type="text/css" />...</head>.....<body id="lander"  class=
'standard'>..<form id="parking_form" method="get" action="/defau
lt.php">....<!--..==============================================
===..** START DEBUG OUTPUT                          **..==============
===================================..             Version: 3.7.169.18.
.     Logging_Version: 3.6..           Webserver: 5604D..         
<<< skipped >>>

GET /js/standard.js?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1297
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
function getPage()..{..    var c = 'i';..    var b = 'l';..    var y =
 'k';..    var x = 'c';..    var a = 'c';..    ..    return a   b   c 
  x   y;..}..function pcNav(url) ..{..    var x = '/'   getPage()   ur
l;..    window.parent.location.href = x;..}..function slNav(url) {..  
  window.parent.location.href = url;..}..function dtNav(url) {..    wi
ndow.scroll(0, 0);    ..    window.open(url);..}..function trackClick(
logUrl)..{..    var rand = Math.floor(Math.random() * 1000000);..    i
f (logUrl.indexOf("?") == -1)..        logUrl  = "?rnd="   rand;..    
else..        logUrl  = "&rnd="   rand;..    if (document.images)..   
 {..        (new Image()).src = logUrl;..    }..    return true;..}..f
unction addLoadEvent(func)..{..    var oldonload = window.onload;..   
 if (typeof window.onload != 'function')..    {..        window.onload
 = func;..    } ..    else..    {..        window.onload = function ()
..        {..            if (oldonload)..            {..              
  oldonload();..            }..            func();..        }..    }..
}..function manualSearch(boxName)..{..    var searchText = encodeURICo
mponent($("#"   boxName).val().replace(" ", "-").toLowerCase());..    
var newUrl = "/manual/"   searchText;..    window.parent.location.href
 = newUrl;..}..........


GET /css/style.css?rte=1&tm=2&dn=bluehavenmedia.com&tid=1020&def=Akamai:HostingURL=http://i.nuseek.com HTTP/1.1


Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 8410
Content-Type: text/css; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
/*********************************************************************
*****************..T1020 Slime..v20130925..Update:..4/11/04 - UI optim
izations for non-caf networks..***************************************
************************************************/../* Reset..---------
----------------------------------------------------------------------
---------------------*/...html, body, div, span, applet, object, ifram
e,..h1, h2, h3, h4, h5, h6, p, blockquote, pre,..a, abbr, acronym, add
ress, big, cite, code,..del, dfn, em, img, ins, kbd, q, s, samp,..smal
l, strike, strong, sub, sup, tt, var,..b, u, i, center,..dl, dt, dd, o
l, ul, li,..fieldset, form, label, legend,..table, caption, tbody, tfo
ot, thead, tr, th, td,..article, aside, canvas, details, embed, ..figu
re, figcaption, footer, header, hgroup, ..menu, nav, output, ruby, sec
tion, summary,..time, mark, audio, video {...margin: 0;...padding: 0;.
..border: 0;...font-size: 100%;...font: inherit;...vertical-align: bas
eline;}../* HTML5 display-role reset for older browsers */..article, a
side, details, figcaption, figure, ..footer, header, hgroup, menu, nav
, section {...display: block;}..body { line-height: 1;}..ol, ul { list
-style: none;}..blockquote, q {.quotes: none;}..blockquote:before, blo
ckquote:after,..q:before, q:after {...content: '';...content: none;}..
table {border-collapse: collapse;border-spacing: 0;}..../* Defaults *.
.---------------------------------------------------------------------
-------------------------------*/...body {background:#666;font-fam
<<< skipped >>>

GET /3205bb82-0660-4d81-8c21-0609eb24aafd.ippi?g=3205bb82-0660-4d81-8c21-0609eb24aafd HTTP/1.1


Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bluehavenmedia.com
Connection: Keep-Alive
Cookie: SessionID=691616b8-f5bb-4b33-8c72-2ea72726dd65; VisitorID=9bac8186-7d5c-4262-a8ff-57882182354a&Exp=9/17/2017 8:35:37 PM; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); yahooToken=qs=06oENya4ZG1YS6vOLJwpLiFdjGd_RjrHWUojtMt3jtsze6zJInGqCCGOHNTPQD2wDDDKoYmTKhR_1PPHSNUC8BJb_tdavNLGM-fHdcTBwFRZRBn4UEiuAX1hhOngpdwcVqoCOwG2TdHLVYe2-nfz4C1jGnXLs6Ulawaa2aZ468s4A8YvZQxyBZEis4nkvhya4hHTy5-Sd1gKkFEY-D6e3Q93fcrFeDRhIgLsU6Rt-sLCBx0RCURlKxYO_9xHCBwaskebGNl3TvstqLA8EPn0_VwzwPtfTXIQBW2YRM6h7AnyHOUHtDZe8.,YT0zO2s9MjA7aD04ZjlmOWJmNTg0NjNiMGYx; __utma=239202256.154564223.1410993233.1410993233.1410993233.1; __utmb=239202256.1.10.1410993233; __utmc=239202256; __utmz=239202256.1410993233.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT



GET /rmgpsc/7867/logo1.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.rmgserving.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/png
Content-Length: 5019
Last-Modified: Wed, 17 Jul 2013 12:37:08 GMT
ETag: "51e68ff4-139b"
Accept-Ranges: bytes
Cache-Control: public, max-age=76642
Expires: Fri, 19 Sep 2014 00:53:32 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
.PNG........IHDR...6...6......Ej.....tEXtSoftware.Adobe ImageReadyq.e&
lt;... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5 Windows" xmpMM:InstanceID="xmp.iid:908DB294EEDD11E2BA2BC48140
EEA04B" xmpMM:DocumentID="xmp.did:908DB295EEDD11E2BA2BC48140EEA04B">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:908DB292EEDD11E2BA2B
C48140EEA04B" stRef:documentID="xmp.did:908DB293EEDD11E2BA2BC48140EEA0
4B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>RN.'....IDATx...i.].y..s.............b......X
N.$$jD.%.HI.Tm.*RS.J."U.m.....|...j.6.DZ.......6..l......Y..{O..;..>
;s|....Wz......<..Y..=...Jr.$#[email protected]....}_..1.....d.....U..5.=O..a..
.*e.Y.?s.T....{^}.......L&..[NWjw[..(. .V....W.......n.I..Efx^...y....
...;w...p....[......&...A....(.^....R.G.L.*.=.q..l...O..r.../.....O...
.]..G.Jkk..a*...m.........vG..?...0..N..^.......s...-E.e.Z%..JWW.....7
...D..J..~..^......LX...3...........c.......j.....&-.n{#.%.?..Y....5.f
.#..W..y...A........9..2....F}..9.X. .a.8..........J(...U.......JC..`.
P.2....|w .....C.I NR...I....r...#A.8..fddD.^..bpppP.h.R.8.qa.M..J
<<< skipped >>>


GET /s/librebaskerville/v3/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Last-Modified: Wed, 23 Jul 2014 21:30:21 GMT
Date: Wed, 17 Sep 2014 22:35:05 GMT
Expires: Thu, 17 Sep 2015 22:35:05 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Content-Length: 29383
Age: 18066
Alternate-Protocol: 80:quic,p=0.002
...........vSp%P..9..m....5.m..m.......v&v2...}u..{_nwU.............j'
.........5  ....S....u........\J./..?F...X.....3.1@.`.p...............
....-.n.r..5. ..._..?.....]..#...../s.....n...`.Oe.......e......h....:
.......E....p........y..?.....H..N..==. ."[email protected] .8M..
OP..r.....:.[[email protected]....<O\`3...o.A.^.D.....~
[email protected]?.B..[...m._..J...W..".&..IPG.....H."..r....
......7.......ZRN-.[.^....w...\..d...h..x..K{78.U...|H.(....Y..8..c[ .
iI-.&Xx. ..........U..?...~" Q...z..^^..f......p.|.h.Y.......)gg......
 ..SO.Z.[...K..p..>.L.....!fu...`.0....Sa..@.....(......z..,.^..#w.
/<L .ZK..O;..8!b."\9.......s.<n{.Fa.!MFw.\3.......V........i,.k.
{.{...ec.d'...d.....(.s._DF2.1..L...U..W....E..s....n.D..F.....N..O,5.
C.....Z./V7i.J.~a...".3.........O.hS..|/..RS.R..Y..!:...c.e...`..@.. =
...A]s...Y[8.........Mw.6S..qF...@..........;1..>CUC.......',.....i
.W^..mu..s.%..7.VY..._u.PM0..w....s..(T...Y... ....1P...u...B`.a..9...
<:;...>.h.rL...T-..$...rPW.`.......ql~%..X..#..@......:.o(..[G.{
{i...>~......o7z.;..i..y...W5k.....P...r....R..kN>[email protected]
.....l^..iT)....Q*.(j.!.8.wn.OQf.....U...2....&.......c.Kk.....A.j....
..U.u.I..l.z....B...C=".[...._o.l..b(.:.2..9.H=........D.P.|wl.....o..
.y(..........U.}W.1]..SV...........;jaF.g.ZE.5y....\.x..S.q]...v....K.
....K.....}.3.......>1....._  .v$....S.S...^N.-.....F......<~...
..2.....y......n,H......}.<rY..P.>!.]......."|!.2.......Zz..#.;,
.B.LB.f.d.9.....-4T#YDk};.......j....[..I..m..5...T..P{......Y.`.@
<<< skipped >>>


GET /css/mobile/15009.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.cdncomputer.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Cache-Control: max-age=86400
nnCoection: close
Content-Type: text/css
Age: 18531
Date: Thu, 18 Sep 2014 03:36:09 GMT
Last-Modified: Mon, 25 Aug 2014 22:56:35 GMT
Expires: Thu, 18 Sep 2014 22:27:18 GMT
Content-Length: 1624
Connection: keep-alive
...........X[o.6.~..p5Zmw.0.L..S..U...".......I:......e....J..........
Z....)...e..N..]...k.k.......>.I....p.D.g.....u..yl.. FV..?..S..s..
..e..B4..:........S^...........]/)....P.WK...Z.A....S..I..(...'..~.|..
E...........*..1.Ik..g....Dy............0,.3....L....Z.JB.R....fP.{Ai.
2.......A).......t.{[email protected]{.#.L
...aF..M./.a.TI."..RL._.....f....v.5j3........2..%...O.j^ ........F:VO
D....'N...iS.9R....<.c$..&h...p7....-|...tw.N.d.......M.i#U-.M.8...
.......['[email protected]?..y.S.G..[[email protected].[.^=...o..kx#}..\..d6.L..l
..7........*.\."g.C....K-pm.IJ.d$.~S...O.MKd.../h..w...^.A..-z.x..0-'7
........p...).q.l.?..cA4oqE.Bu.....eY...Q.....W.nm...}.....2Yw.e.*.Y7.
.....q..J.oZ.....Ztx..$...C.z......>I.y..x..#..@nk.".....B..8o(!?=w
..^..^..6......h.J o...oQ...$9.v2-M......a....x........tA.A.3.4...^u4#
..>...0. p?.]...EB.R.y.!....EnK..mW$..O..7.r......`(....i/..?....6u
..O.6.....S./f.#<..i].."6L`o...'M..sJX......6..........._..'g ..Y..
.!|..i.?..F........Y.\...u....?..... &.M[..{(/.....I..1z...3.......I.(
Xb............y..C.........&b.f..V.:)....>....N..fx...:...(....6...
B..L.U.G?s.F.~..7.:nn}...u.I...s9..f..g.v...L..G.b..6N.j.D.`....#.~...
.b.6C..amI..:].(..?........i.nL..A..l.....Q.{.*./Sc.le?.......y .9$...
G"pNO.3.....(.g.F;a..4...6.;...`..........k9..HF.:a....O......P...j.O\
[email protected]>=.#.s.IqC.`.7.....3..bS.-:3.........Yb...t.........T
..0.-..}...>....}ZK...W..........aPg;[email protected].(.....\....
I.K.~.S....l..:..!...)d.}5......7.`Q..F.....p.-2.$..W.....5.3/l...
<<< skipped >>>

GET /js/main.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.cdncomputer.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Cache-Control: max-age=86400
nnCoection: close
Content-Type: application/x-javascript
Age: 18540
Date: Thu, 18 Sep 2014 03:36:10 GMT
Last-Modified: Mon, 28 Jul 2014 18:45:36 GMT
Expires: Thu, 18 Sep 2014 22:27:10 GMT
Content-Length: 7433
Connection: keep-alive
...........<ks.F...W.H..D.....-`....v...".e.H*............o.~.. H..
.....,.3=.===.===..v:...(.l.)..u..*..)n#...?._.`...].*.:.*ZGI...M.\w..
.ts....p:.F........K..L...u..Y.'..O...........2.\...*.,..p3..~....._..
m.(.4....0..Q`'...:,.l.n6?..(..w."[email protected]
x.y..,M.g'_;..h...V......uT< .,.o....he9.V.k...g..&0&A.3......n....
..b./>[..o.....|.G....O...].\..-.4y.....tTU..k...Y..if.%...Vy...1_.
.....*J...?~...~_./...Aq.A..a.. ..]A..x.}.~...L.hl...%c...a.\.f.j.-...
G..df..`....`0O.w....}9.$.....[{.n.AG{C.68K..............'..q.r.qlH...
.5..8.U.........<L...`...W..~G<dv..6a........,...h".fQ.....W.(..
Wy$.o2.}.]..Ua;...&..XG.M.t.......Mw.~n......!B#.c..v.A./.?..?.l.zi...
^..ek9.....[|.9.m........&..,.mD..e0.M..l!p.....(\F.m=Oa.&..N..Z..AtB.
...........t.%.9..S..E;(....?.X....W.5..'#g.......&.7y.lW ..M~..,*..MH
.S......."..w.&.0.ZGA..D ....?....D.g....W....(=C...l......E...'....G.
.uhk.j...#M....e[.....(Q.l.ryy._PniE...jji..q..`.....k.&!N.QE...Du..*.
w..o......n..Q..VM..z...=...o.g.2N%,*....P.<...:[email protected].*N....e.m
r.W`...dT...~...>......4..<.."w..........C./[email protected],Y.h....
.. ....7.y../....t.*....H4......-.(........!...`Za.yq......Ux.XI.D...`
.f..'t..$..........$.i.e.:..=..WKT.>i72...!N..,..(.h2&3..X..^..&.D.
...k..Ed..p........=.|............6..;w..\....}...U9n..7..-@A...#.../.
.,.x7vAk.I.q.K.....({........]>[email protected]....
....d.E7............#I.9..e..u...........i.h.....%.!......(.P.h.......
..cw.0. i......]......z.X}Q....*.x......p.K...9`.....i."...U....n.
<<< skipped >>>


GET /apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=VVV.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_A
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Sep 2014 03:36:11 GMT
Server: domainserver
Cache-Control: private
Content-Length: 621
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
Set-Cookie: id=228bccdb8a0200cb||t=1411011371|et=730|cs=002213fd48d53a4fd6eaabe840; expires=Sat, 17-Sep-2016 03:36:11 GMT; path=/; domain=.doubleclick.net
Set-Cookie: test_cookie=; expires=Mon, 21-Jul-2008 23:59:00 GMT; path=/; domain=.doubleclick.net
Expires: Thu, 18 Sep 2014 03:36:11 GMT
...........Tmo.0.......4.....B..K;$J*....)r..\.8./....g...1._.{r..sw.[
.zQ7.v.'3.Rr......6.{<.2..{.K|;$......G...bq..r.....6S.....`....H..
]iy......V....l..R-B..9B.....J...)./..5..qc........(r.AH.Q'....F.`....
.Qt.......D..cC..@....).3.C.k.d.Q..t.vb...oQ..DK.xMK.K..,r..........8B
.V......f.m9.-.m.../D*....K,..(.R.;..s.0..GP.BvkR...H..2..!...YpCv.N..
..\.^X?.....du........`6....H..}*O)xa.G..P.*1G..\.SzI..P'T..uv%.....Vv
..=0..:s.S..{`....Ke.<.;.On..f.O..........ux.cO..g...5..r.z1....A.O
........./iE.^RZ...s..]RL....J...>..o.$.r.....;.Xn.C..m..%8.gg.....
...!.&.....o....;....n........3.....&u.Un..........Z.o..........G.....
..



GET /images/mysearchbar/customize4a.bmp HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: imgfarm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: Apache
Last-Modified: Mon, 20 Jan 2003 21:01:06 GMT
ETag: "4fa9c9-1198-3b4b0d2528880"
Accept-Ranges: bytes
Content-Length: 4504
Cache-Control: max-age=0
Expires: Thu, 18 Sep 2014 03:36:14 GMT
Connection: close
Content-Type: image/bmp
BM............(....................................................?*.
._*.......................................*...........................
..UUU.TTT.............................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>


GET /adsense/domains/caf.js HTTP/1.1
Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?r=m&fexp=21404&client=dp-demandmedia01&channel=000001&hl=en&adtest=off&optimize_terms=on&drid=as-drid-oo-1750951074443211&oe=UTF-8&ie=UTF-8&format=s|r10&adrep=0&num=0&output=caf&domain_name=VVV.bluehavenmedia.com&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993229561&u_w=1024&u_h=768&biw=-1&bih=-1&psw=-1&psh=-1&frm=0&uio=uv3cs1sl1sr1cc1-wi300-ff2fa2st24sa18lt50&rurl=http://VVV.bluehavenmedia.com/thankyou.php?campaign="C:Program%20FilesInternet%20Exploreriexplore.exe"%20-nohome
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:35:42 GMT
Expires: Thu, 18 Sep 2014 03:35:42 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....
z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x
.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. 
..b..._..........


GET /adsense/domains/caf.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:36:09 GMT
Expires: Thu, 18 Sep 2014 03:36:09 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....
z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x
.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. 
..b..._..........


GET /adsense/domains/caf.js HTTP/1.1


Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&domain_name=VVV.ignkeywords.com&client=dp-oversee16_3ph_xml&channel=000821&hl=en&adtest=off&optimize_terms=off&terms=halloween costumes, halloween party, masks, costumes for kids, download google chrome, facebook, minecraft, facebook com&drid=as-drid-2951000310068827&uiopt=false&oe=UTF-8&ie=UTF-8&format=s|r8&adrep=0&num=0&output=caf&v=3&allwcallad=1&adext=as1,sr1,ctc1&u_his=0&u_tz=180&dt=1410993259124&u_w=1024&u_h=768&biw=788&bih=438&isw=-1&ish=-1&psw=-1&psh=-1&frm=1&uio=uv3cs1ff4fa4sa13sl1sr1cc1--fa2st20sa12lt38&rurl=http://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA&ref=http://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 18 Sep 2014 03:36:11 GMT
Expires: Thu, 18 Sep 2014 03:36:11 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: amfe
Content-Length: 217
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002
..........m..j.0.F_..b{.....8..2.N.J)....`IAR...wo.....q..z.7Q...)....
z<._.....u....$..E.f.g..8|.2[.....@r#....&.Xt.^e{/....;9..1.ELZ..=x
.N...x[.w....m..k..{Y.....n...Z..n.m95]%{0.V.e<..4..W..@....]...a. 
..b..._..........


GET /images/cleardot.gif HTTP/1.1


Accept: */*
Referer: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
Date: Thu, 18 Sep 2014 03:36:14 GMT
Expires: Thu, 18 Sep 2014 03:36:14 GMT
Cache-Control: private, max-age=31536000
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 43
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
GIF89a.............!.......,...........D..;..



GET /static/caf/slave.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 18 Sep 2013 22:34:18 GMT; length=1646
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission


HTTP/1.1 304 Not Modified
Date: Thu, 18 Sep 2014 02:44:56 GMT
Expires: Thu, 18 Sep 2014 03:44:56 GMT
Age: 3075
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.002
X-Google-Cookies-Blocked: test_cookie=
....


GET /apps/domainpark/domainpark.cgi?client=ca-dp-oversee16_3ph_xml&domain_name=ignkeywords.com&output=html&drid=as-drid-2951000310068827&adsafe=medium&hl=en&channel=000821 HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dp.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=228bccdb8a0200cb||t=1411011371|et=730|cs=002213fd48d53a4fd6eaabe840


HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: domainserver
Cache-Control: private
Content-Length: 7682
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic,p=0.002
.............r.H..oE..............$....G.H..hC.Bt..s%...E.....L.......
.............%3....o...,...Zw.../ P......C....B.U..b...'...M..B.-.Z...
...=..7BY......_$sw.......}.p'&..~...C..0..].%....S..V.Y.._..b.^o.py..
P.3[....WU.|u..?...r.L....W..W.X..AW.......e..v`..b...-\.>.. ..?.S3
...>.].O...n.3..m...=..../.....q.S...,.q..=.KG..>.$.....F3..[|.B
][..f...j...e........ .s....v.a...WF...pGI.*..|...Y..._.mao...eA$0..:.
.A.*.\^...[..up/A.v..p{..I...=u..q...w7>.CU.n...^>......K...u..!
e$..?.!...F...-..c....>..K.X.!`|O..q>.94......e7.J.~].V._1.....\
$..l..Q`...X...T.).......v..)[email protected]...=5...[.g.9Cz...
h$N;...8k7.. .}.c..}......j............u._<.....).h..... 7*9..#>
N...b}.....k..w.....e..q..G.=m....7.pw]G.f..{I..c..>...'.1/.'NO/.U7
5.s.....0.S.mk..&.^7...{[email protected].)M...;....o.[.....2&..x...#]C.....Ut5}..
 ....GB..5..ab}v=.Z..a..p!.9....T.C.|t....?.nE..`..2!.]...B....o.{.P..
...e0..'....a....>..?n......f....Q....K`@...=...8.t2...u.<~T..=.
L....K....m:sj2C..L.....>...rq....R.. . ...R.....x..m..r...w...>
.pM..{1..w....r..d.\.U,a..|. :t..;..[.ZZ,..:\.N.......<ce..B.C#..BM
.3S.OM..).T..[u.B..Yg!oM.p.BWU....E..$......_.....k..r..........$.. .)
.........p.'U..J...J.....N.W.K.2.....P .../.mj...M...aG..UaX.....*;F..
.....-.3.j8h..ia.. Q.<,0v.r..6.......:-zz.0.Mr.V.a......u.g.,......
......e,9.....,....S...b.$.f.Y#.iR_l.iv..9.....n...-4^.HB^. lg0..r.RGT
..j..t.}.[...-.ln.W...jH.w].`.>.o4.9.....X.4.\cBU.n..T.......!?..tD
....c...7.L.............V..|.G.Ql.|....$.l..U..;....}f.qm...k.e.eg
<<< skipped >>>


GET /rmgpsc/7867/header-bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b.rmgserving.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Content-Length: 12805
Last-Modified: Thu, 11 Jul 2013 12:19:08 GMT
ETag: "51dea2bc-3205"
Accept-Ranges: bytes
Cache-Control: public, max-age=76591
Expires: Fri, 19 Sep 2014 00:52:41 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
......Exif..II*.................Ducky.......<.....)hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xm
pMM:InstanceID="xmp.iid:623E4CEAEA0D11E28B67CBB4E0608185" xmpMM:Docume
ntID="xmp.did:623E4CEBEA0D11E28B67CBB4E0608185"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:623E4CE8EA0D11E28B67CBB4E0608185" stRef:
documentID="xmp.did:623E4CE9EA0D11E28B67CBB4E0608185"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.....................d................................................
..........................................s.......!.1AQ..a"q..2.....B#
.R..3.b.$r..ÄS...cs.5D'...6.Tdt....&.......EF..V.U(........eu.......
.fv........7GWgw........8HXhx........)9IYiy........*:JZjz.............
...........m......!.1A.Q.a".q..2.......#B.Rbr.3$4C...S%.c...s.5.D..T..
....&6E.'dtU7....()...........eu........FVfv........GWgw........8HXhx.
.......9IYiy........*:JZjz....................?.....M....|U.....v.
<<< skipped >>>


GET /ms107cfg.jsp?v=1.0.3.6&a=042CC084-DC22-4304-9495-E01E3907CC79&b=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (Compatible; MySearch)
Host: ms107cfg.mysearch.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 03:36:14 GMT
Server: Apache/1.3.27 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: max-age=0, must-revalidate
Expires: Sat 02 Apr 1977 17:15:00 GMT
Content-Length: 4184
Set-Cookie: UID=042CC084-DC22-4304-9495-E01E3907CC79; Domain=.mysearch.com; Path=/; Expires=Tue, 10-Sep-2024 23:36:14 GMT
Set-Cookie: brgg=1; Domain=.mysearch.com; Path=/; Expires=Tue, 10-Sep-2024 23:36:14 GMT
Connection: close
Content-Type: text/html
........<html>..[general]..version=3..minversion=1, 0, 3, 0..cur
version=1, 0, 3, 0..updateurl=..flags=18..signinurl=..uninstallurl=..h
omeurl=..baseurl=..textinput=#11#..urlinput=#12#..titleinput=#13#..idi
nput=#14#..tburl=..edittburl=..cfgchangedtag=..children=buttons..partn
ers=partners..macros=macros......[partners]..n=0..[macros]..m=#..n=22.
.0=hXXp://..1=...2=ms107..3=...4=...5=...6=...7=...8=...9=...10=PG=BAR
&SEC=x..11=<!-- S4_TEXT_INPUT -->..12=<!-- S4_URL_INPUT -->
;..13=<!-- S4_TITLE_INPUT -->..14=<!-- S4_ID_INPUT -->..15
=.mysearch.com/..16=#0##2##15#jsp/..17=#16#al.jsp..18=st=bar&searchfor
=#11#..19=#0#imgfarm.com/images/mysearchbar/..20=#16#bardef.jsp?search
for=#11#&l=9..21=#16#baredit.jsp....[buttons]..n=1..t=0..c=customButto
ns..d=defaultButtons..b0=109..c0=EditMenu..s0=0x2800..t0=My Search..u0
=#0##2##15#..[defaultButtons]..n=7..t=1..d0=AskjeevesDefEdt..d1=Askjee
vesDefBtn..d2=MywayBtn..d3=AllthewebBtn..d4=LooksmartBtn..d5=Customize
Btn..d6=HighlightBtn..[MywayBtn]..b0=..c0=MywayMenu..s0=..t0=Google..a
0=Search with Google..u0=#16#GGmain.jsp?#18#..[MywayDefEdt]..s0=3..u0=
#16#GGmain.jsp?#18#..[MywayDefBtn]..b0=..c0=MywayMenu..s0=0x4000..t0=G
oogle..a0=Search with Google..u0=#16#GGmain.jsp?#18#..[MywayMenu]..n=3
..t0=Image Search..u0=#16#GGimg.jsp?#18#..t1=Directory Search..u1=#16#
GGdirs.jsp?#18#..t2=Directory Categories..u2=#16#GGdir.jsp?#18#..[Alta
vistaBtn]..b0=..c0=..s0=7..t0=..a0=..u0=..[AltavistaDefEdt]..s0=3..u0=
#16#AVmain.jsp?#18#..[AltavistaDefBtn]..b0=..c0=AltavistaMenu..s0=
<<< skipped >>>


GET /rmgpsc/7867/body-bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.rmgserving.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/gif
Content-Length: 1330
Last-Modified: Thu, 11 Jul 2013 12:19:05 GMT
ETag: "51dea2b9-532"
Accept-Ranges: bytes
Cache-Control: public, max-age=76536
Expires: Fri, 19 Sep 2014 00:51:46 GMT
Date: Thu, 18 Sep 2014 03:36:10 GMT
Connection: keep-alive
GIF89a.......***...---...000...333   ...(((,,,'''...%%%""")))......&&&
$$$###!!!   ...........................!..XMP DataXMP<?xpacket begi
n="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adob
e:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:
32:00        "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22
-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http:
//ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
 xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:Crea
torTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:EE02D9
B4EA0D11E284B6B70D9CAB478B" xmpMM:DocumentID="xmp.did:EE02D9B5EA0D11E2
84B6B70D9CAB478B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:
EE02D9B2EA0D11E284B6B70D9CAB478B" stRef:documentID="xmp.did:EE02D9B3EA
0D11E284B6B70D9CAB478B"/> </rdf:Description> </rdf:RDF>
 </x:xmpmeta> <?xpacket end="r"?>.........................
......................................................................
...................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\
[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! ....
.............................!.......,........@....<...I.H.t,.2J.sH
..9.C9....9<....b.Q..K.Q....a.p.T..I#hA,(.....N....\[email protected].$iO
J..x[......|..............i...E.....AQ...VpI^..Q.^.h...........!.;..
<<< skipped >>>


GET /external/builds/common/equivalent_domains.htm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: VVV.topmoxie.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:35:57 GMT
Content-Length: 356
Age: 0
Connection: keep-alive
<!DOCTYPE html><body style="padding:0; margin:0;"><ifra
me src="hXXp://mcc.godaddy.com/park/M2WwrzWeqaVhpTW6?=404;hXXp://VVV.t
opmoxie.com:80/external/builds/common/equivalent_domains.htm" style="v
isibility: visible;height: 2000px;" allowtransparency="true" marginhei
ght="0" marginwidth="0" frameborder="0" scrolling="no" width="100%">
;</iframe></body></html>..



GET /guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive


HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Encoding: gzip
Content-Length: 706
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=96
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.ignkeywords.com; path=/; expires=Fri, 19-Sep-2014 03:35:44 GMT
...........T...@.}._1KU^R.x.[.H!"..]...-.F....At.>...7.....j......=
#..^T.....9..c..tU...0....2[.F.\..6.|.#&......X.U..4-..2..`N...^CX.".6
.9.$..<`......$f.........#D.. .....l.#f.c..E..I.J.......q....1.gy.g
.].f)....G..r..b.yH.N.E..P;.C..B....dG..s.E. hN}..Q.)..&.?")Y..[..F.[.
&.G.?C......:...Y..e...0JCB.El.m.Jv.........a..chyH..s:p. H.*...p..c..
...'..&0..,Y.d.......T........$.............../....LCD%. .8. ..8.`6YG.
I...b...!...7.z.......W&v8\<.]3ma..U..v..pKw.%.F.U....6.....;N. =.w
...... I.......r....s.N.x.W.~..g.y...[.V.......6......T..]o...K..?Y.j.
....z]5.9...T.......`..)..Q........U...F4.4EU.z..)J.Y.3E.Te...2D.O....
\.M.f.C5R..P..p\.i...78..R.r...".A...I......WV=...E..F.C.....%.E!.4...
.b...?.}=..........


GET /?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ignkeywords.com/guid/reportnewinstall.aspx?UserGuid=24C3F941-F839-4814-9F8C-BFB78B32F27B&pid=&v=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive
Cookie: parkinglot=1


HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Encoding: gzip
Content-Length: 18249
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: ignkeywords.com=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0; path=/; expires=Fri, 19-Sep-2014 03:36:08 GMT
Set-Cookie: ident=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0|token:yzsuqvsxsvpqprvx; path=/; expires=Fri, 19-Sep-2014 03:36:08 GMT
Set-Cookie: Spusr=120a15acf70541a5328a742; path=/; expires=Sat, 17-Sep-2016 03:36:08 GMT
.................(.\......wfM.2I..U....EQ.)."%Q=}...x...Q..../........
>..l... ..0..p.IIT..jw....*3... VD.k.....q..'DI...4....)........c..
..}.................H07..=......$yH..^.=.....Ba..k9*.|P"...?}...r.....
j ...H.V~.).r.......=...Mi..n..J}h....I.....\....T..eu.......F........
....&R..#,.Y.. T..8..[7...K9.Wr.....&..D....D.....Y-...%.....r(K...:-.
..C.|[email protected].../.?A.*.8_.T.P.....s.._l..J.j?..:h..G%C..
z.n..* ....D.1..H..F.A.G.X._....R.z...p$M}..3d............S.<:.j..j
..5.a..xk.V..:[email protected].$.~.=..rvJ ~^.gH..3...wZ.A.<..?HJ
:0%.....d.C...TB.....[E.8<.G.....E.......*..(S.......Qy]..)..*...]d
..|........1e...!^.I..iC.__2q*2.)..,.*...>....I..Fs.U...T.]E....T.y
...i6..<....@:.}..W...f.q. .C?....6.*T.@...;H....w..7...| .Ue...sv.
c.....`..J..,....V..;...f8*,.P....X......26.......P..srVB..W.O... ;.aW
...g..".a..H.^.U.Yi]r....E..G!..e..|..|.}Q.....Y...j;..... :1%...@>
.2...;..f.=..m..H%O.mO..O..)j.rn....T......J"/.l..,.QUEU.t..>[email protected]
..{~lKAG.T...5..8....$ ..=.r$.....~.c)...-.B....$d.......-L.J.......eg
..Z>........`.t...p.......#....H..o....!2...an..S9..).N..@i /.Y.R .
.....p......o?.-(.-/R,Q.>.....U.........K.R._^K.....[K.5...........
.b..... .....ol.8\9! ....M.....K../....~.......-.d...1... ..>....U2
...RV..."Y.{..}..O.@k. V......K..i..L9..r.T..@.?/..s^....o....../.....
..O...!.xI..w.~.~.S...~*...R.P.[gy...~-..C).-==.r..S.... T..3P.wY.....
C/.d.>3...r.........D.0.......0G.<}>._J][.. ..Q..q... f.n..b.
W.e.>@.....(O...\.:.~..Z.C......?H..(..:L.1f..........0.|...~..
<<< skipped >>>

GET /?epl=kTfFgYP5ZwKXEtIYM403DOCiF_IbEgqnSO7in6JFTuQb8agcGurtJRBMr6yXxe5jX3X0jKFFmEEnzVTvSgXz4DiUrvROSZRWWT8mmciaMIviKz_UXhuvEicUixVEKhf1zuSm1ma2v01E8ovntWbEUUcwIgtTGsKI9haCLtnNLVi7WmQVcFXmDNqLDLUWEQdHxiUGE7SUgmZBoVDGRcwuFNiXDsaeukYb_FwFsxvJRoeCpLAlnDXSsFEMsD9_qQyD_vBAzG2Vs1guTckRM6ZyLRwgG99I8UNA7aUaNdZ8YBC5KccT1SdJmfU69HISYsWtkmY614YzTyk1B79cIW6fXfxJjHAUx2nYzajLt_yMFQzeBlfwnedcrrQxMIzqqEYI3R8A6-VdH_fVTnXH3q502Qa5kFACYWGjdlbYk_YAk4GuTaQ37pidwG6QpFSZZUk2uR6BOpEiEIiDnkbpjXOiNCui14mzQz6OosQibZrjbokhclaENUdn1DUTpIaPI6LpxsM4Gcjfzvg78L0QUkgvFeNk23Myn59EXi3n8V06hYTNHE8e1XD8vocft-tJfo0GoB6NDPUoE82kCdGUgGmgacRoyGSARqMxAGgAkGlEnjIFRg006qkHmvTU1NOkAY2A6KlhW5NtxwFA8N__vwAAAAXgfwdAAEiA3zcAABe9kN9ZUyZZQTE2aFpC_AIAAPA HTTP/1.1


Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ignkeywords.com
Connection: Keep-Alive
Cookie: parkinglot=1; ignkeywords.com=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0; ident=search:0|exitpop:0|lload:0|lvisit:1411011368|click:0|blocked:0|token:yzsuqvsxsvpqprvx; Spusr=120a15
HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 0
Content-Type: image/jpeg
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=93
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: ignkeywords.com=search:0|exitpop:0|lload:1411011372|lvisit:1411011368|click:0|blocked:0; path=/; expires=Fri, 19-Sep-2014 03:36:12 GMT
Set-Cookie: ident=search:0|exitpop:0|lload:1411011372|lvisit:1411011368|click:0|blocked:0|token:rpzxvytwsxwyqrpv; path=/; expires=Fri, 19-Sep-2014 03:36:12 GMT
Set-Cookie: Spusr=120a15acf70541a5328a742; path=/; expires=Sat, 17-Sep-2016 03:36:12 GMT



GET /cdn/img/bg_grey_arrows.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ignkeywords.com/?epl=MyGyumNs0RdpMX9nITwDiTiG1cSFhMIpkrv4ZcIqDbKgG9tEQlqN8NiggnGAJixg8Fk7QPGAuKYEqsQL9ZNcBAt5hnHHPSpbR-RCxVxWHOihkeC1cbBB335eEWGgjGJmtcCTpzGBMlItwKPmRX22RUXI7hlICu2gzknTAKAe1FMbNLXJVANKP2V6pJ5Rj6D2UJP4qRqEACCw3q-_AADgfwVAAECAWwwAAMewmrhZUyZZQTE2aFpCqAAAAPA
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mobileoversee.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Tue, 27 May 2014 21:25:02 GMT
Accept-Ranges: bytes
ETag: "a651dd1ef279cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:09 GMT
Connection: close
Content-Length: 12553
......Exif..II*.................Ducky.......F.....-hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh" x
mpMM:InstanceID="xmp.iid:A543C1E5DE0911E381AABAE80945A23E" xmpMM:Docum
entID="xmp.did:A543C1E6DE0911E381AABAE80945A23E"> <xmpMM:Derived
From stRef:instanceID="xmp.iid:A543C1E3DE0911E381AABAE80945A23E" stRef
:documentID="xmp.did:A543C1E4DE0911E381AABAE80945A23E"/> </rdf:D
escription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r
"?>....Adobe.d.....................................................
......................................................................
......................{...............................................
...................................!1AQa..q."2.#....B...b.3.R.Cc$d....
S.r.D4..............................?.....j......T.2...l..k. |........
oH.....zm...^...x.....G...w....v................o.?P.G...l~.C81.......
..........!..D..i<bu......g.|.m.....g.|.m.....g.|.m.....g.|.m...'.v
.N.2k..t.. ..0[o..o...................................................
............6...o......@;.....<y2x..........v..2..j?P..;O......
<<< skipped >>>


GET /templates/t1020/images/blt-greenarrow.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bluehavenmedia.com/thankyou.php?campaign="C:\Program Files\Internet Explorer\iexplore.exe" -nohome&ai=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rte-img.nuseek.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 1148
Content-Type: image/png
Last-Modified: Tue, 12 Aug 2014 20:29:51 GMT
Accept-Ranges: bytes
ETag: "7241382b6cb6cf1:2fc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 03:36:13 GMT
.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:5C315179257C11E3A2A69344
69598382" xmpMM:DocumentID="xmp.did:5C31517A257C11E3A2A6934469598382"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5C1F4FAC257C11E3A2
A6934469598382" stRef:documentID="xmp.did:5C1F4FAD257C11E3A2A693446959
8382"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>M.......IDATx.b...?.5...0p..FB...x..3..w ..
....Bd.30.i.: [email protected]&.|.......F\@....(1....q..P~ ........S....
[email protected]......(.P{ ..3...."......f.Y2........q<..MH4...W.....
]r#%......P.....I@<.....#.{..Er.M$.......}.........#.e? >2...Am 
@....z?.,TQ.....IEND.B`...







The Adware connects to the servers at the folowing location(s):







msbb.exe_380:




.text
`.rdata
@.data
.rsrc
PSShD
PSSh<
;%uUS
SSSh8
inflate 1.1.4 Copyright 1995-2002 Mark Adler
F%D,3
mscoree.dll
Please contact the application's support team for more information.
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetProcessWindowStation
user32.dll
Main Web thread started
keyword=
No need to rebuild global dictionary - neither got new compressed file nor new dynamic keywords.
No new dynamic keywords downloaded.
Replacing .old file:
Deleting .old file:
Deleting previous .old file:
ERROR: GetAndWriteFile couldn't lock keyword file:
kernel32.dll
(keywords)
shdocvw.dll
LoginSessionDisable
Software\Microsoft\Windows\CurrentVersion\Internet Settings
System\CurrentControlSet\Control\Windows
snmpapi.dll
inetmib1.dll
ws2_32.dll
iphlpapi.dll
FAILURE : Could not load library Shell32.dll. No special paths will be found.
Shell32.dll
favorites2_url
favorites_url
startup_url
desktop_url
WWW_UnRegisterURLEcho
WWW_RegisterURLEcho
MonSetKeyWords exiting. Keyword count:
MonSetKeyWords entering keyword algorithm with byte count:
ERROR : couldn't allocate memory for keyword file:
ERROR : couldn't read keyword file:
MonSetKeywords couldn't find keyword file:
ERROR : MonSetKeyWords couldn't lock keyword file for writing.
No keywords in multimap. Size:
UrlToBufThread sending show ad message.
Received new url and adjusted to server time:
Received new url but no DUID, or not initialized:
Software\Microsoft\Windows\CurrentVersion\Uninstall
ncmyb.dll
MSBB.EXE
"%s" PID:%d EXE:"%s"
key_file
|cplurl=
Last keyword ad shown:
key_int_low
key_int_high
Software\Microsoft\Windows\CurrentVersion\Run
msbb.exe
key_sz
key_url
cpl_url
hta_url
|email=Software\Microsoft\Windows\CurrentVersion\Internet Settings\emailname Software\FerretSoft\NetFerret\CurrentVersion\Updates\email Software\Microsoft\Microsoft Comic Chat\email Software\GameSpy\GameSpy 3D\Registration\email |first=Software\Netscape\Netscape Navigator\biff\CurrentUser Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText |fullname=Software\eFax.com\HotSend\UserName Software\EFAX.COM\HOTSEND\UserName Software\Microsoft\Fax\UserInfo\FullName Software\Microsoft\MS Setup (ACME)\User Info\DefName Software\Adobe\Acrobat Reader\4.0\AdobeViewer\notelabel Software\Adobe\Adobe Acrobat\4.0\AdobeViewer\NoteLabel Software\Microsoft\Office\9.0\MS Project\Options\General\User Name Software\Microsoft\Office\9.0\Outlook\Preferences\AnnotationText Software\Microsoft\Office\9.0\Word\Options\ReplyMessageComment |zip=\Software\RealNetworks\Preferences\RegionData Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Location\ZipCode|
MozillaWindowClass AOL Frame25 MSN6 Window
hXXp://bis.180solutions.com/Downloads/DLL/1.0/ncmyb.dll
key_word_int
key_words
hXXp://ping.180solutions.com
ping_url
bis.180solutions.com adforce.imgis.com ads.admonitor.net media.admonitor.net pbid.pro-market.net
bis.180solutions.com
Are you sure you want to remove n-CASE from your computer? n-CASE supports many free software products through its ad delivery and PAD lookup technologies. To disable the display of interstitial advertising, please see the add/remove programs entry titled Interstitial Ad Delivery by n-CASE. If you remove n-CASE completely from your system, certain free software may no longer function properly.
new_ver_url
hXXp://bis.180solutions.com/ads.aspx
ad_url
hXXp://bis.180solutions.com/config.asp
config_url
ncase.ini
An application you've recently installed has also installed n-CASE, a tool that helps to deliver to you more relevant web content. More information can be found at hXXp://VVV.180solutions.com/. Before operation, we'd like to give you this chance to confirm it's operation. Click yes to continue.
ncase_ad_Url
AdThread: New keyword exclusion list received from ads.asp:
AdThread: Not resetting ad shown time. 'n' received from ads.asp, or request timed out.
AdThread: Reset ad shown time. No 'n' received from ads.asp.
c:\program files\flt\flt.dll
c:\program files\ftapp\ftapp.dll
c:\Data\Projects\C\nCASE\Release\nCASE.pdb
InternetOpenUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
KERNEL32.dll
MsgWaitForMultipleObjects
EnumChildWindows
USER32.dll
GDI32.dll
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
1.1.4
zcÁ
%Program Files%\Blue Haven Media\Value Added Software\msbb.exe
Web Traffic
Show Keywords
Key Words

javaw.exe_744:




.text
`.rdata
@.data
.rsrc
/Xusage.txt
-Djava.class.path=%s
Unable to locate JRE meeting specification "%s"
1.6.0_18-b07
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Syntax error in version specification "%s"
Invalid or corrupt jarfile %s
Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
option[-] = '%s'
ignoreUnrecognized is %s,
sun.jnu.encoding
isSupported
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
A %c separated list of directories, JAR archives,
load Java programming language agent, see java.lang.instrument
The default VM is %s%s
is a synonym for the "%s" VM [deprecated]
to select the "%s" VM
Usage: %s [-options] class [args...]
(to execute a class)
or %s [-options] -jar jarfile [args...]
(to execute a jar file)
Can't open %s
Could not find the main class: %s. Program will exit.
Failed to load Main Class: %s
Could not find the main class: %s. Program will exit.
argv[-] = '%s'
Apps' argc is %d
Main-Class is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
%s requires class path specification
%s full version "%s"
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s<-
Warning: unknown VM type on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: no leading - on line %d of `%s'
Error: could not open `%s'
\jvm.cfg
\bin\splashscreen.dll
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
has value '%s', but '1.6' is required.
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Unable to resolve path to current %s executable: %s
CreateProcess(%s, ...) failed: %s
ReExec Args: %s
ReExec Command: %s (%s)
ExecJRE: new: %s
ExecJRE: old: %s
Error: could not find java.dll
JRE path is %s
%s\jre\bin\java.dll
%s\bin\java.dll
Error loading: %s
CRT path is %s
\bin\msvcr71.dll
EnsureJreInstallation:%s:load failed
\bin\jkernel.dll
EnsureJreInstallation:<%s>:not found
EnsureJreInstallation:unsupported platform
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
Error: no `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.1.3
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mscoree.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
GetCPInfo
KERNEL32.dll
%System%\javaw.exe
<assemblyIdentity version="6.0.180.7"
name="javaw.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
3333333333330
333333333307
PP%d(jjjjj
6.0.180.7
javaw.exe

bargains.exe_908:




.RichOl
.text
`.rdata
@.data
.rsrc
version=%d
type=%s
ad.dat
ub.dat
://(([^/] )\.)*([^/] \.[^/] )
Mozilla/4.0 (compatible)
MIN_COUNT_OF_URLS_BETWEEN_TWO_ADS
Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
bbchk.exe -q %s
#%d,%s
^(. )=(. )$
%s;sz=%dx%d;ord=%u0%u
ad.doubleclick.net
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MSVCP60.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
KERNEL32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
USER32.dll
InternetOpenUrlA
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExA
WININET.dll
WS2_32.dll
bargains.exe
 ,%d,%s,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d
CAD::init, invalid ad data, record=[%s] index=%d
CAD::can_be_shown(), index=%d
CAD::can_be_shown(), don't show the clicked ad again in 24 hour, current=%d, last_clicked=%d
CAD::can_be_shown(), don't reach starting time, current=%d, start=%d
CAD::can_be_shown(), the ad is over, current=%d, end=%d
CAD::can_be_shown(), reach daily_per_user_cap=%d,
CAD::can_be_shown(), reach total_per_user_cap=%d,
CAD::can_be_shown(), shown limit is less than matched hit, the ad can not be poped up per matched hit. total_shown_limit=%d, matched_hit=%d
Warning: implicit LoadString(%u) in CString failed
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
adp %d
_tWinMain, create mutex failed, aborted w/ error_no=%d
alltheweb.com
altavista.com
search.aol.com
askjeeves.com
directhit.com
search.dmoz.org
search.ebay.com
go2net.com
google.com
goto.com
half.com
ixquick.com
kanoodle.com
search.lycos.com
search.msn.com
mysimon.com
northernlight.com
overture.com
snap.com
search.yahoo.com
search.shopping.yahoo.com
CDataFileHandler::match, url=[%s]
CDataFileHandler::match, select an ad, index:%d.
CDataFileHandler::match, all match rules matched the url have not an ad which can be shown.
CDataFileHandler::on_match, ad index=[%d]
CDataFileHandler::on_pop_up, ad index=[%d]
CDataFileHandler::on_click, ad index=[%d]
CDataFileHandler::compose_user_behavior_data, data length=%d
CDataFileHandler::parse_ad_data_file, create file:%s
CDataFileHandler::parse_ad_data_file, can not read the file:%s
CDataFileHandler::parse_ad_data_file, read a new record[%s]
CDataFileHandler::parse_user_behavior_file, create file:%s
CDataFileHandler::parse_user_behavior_file, can not read the file:%s
CDataFileHandler::parse_user_behavior_file, read line=[%s]
CDataFileHandler::parse_user_behavior_file, recover ad[%d]
CDataFileHandler::parse_user_behavior_file, finished, client_activated_time=%d caught_url_count=%d
CDataFileHandler::save_ad_data, file name=[%s]
CDataFileHandler::save_user_behavior_data(), data length=%d
CDataFileHandler::check_global_rules, reach max daily cap per user=%d
CDataFileHandler::check_global_rules, status: urls_browsed=%d, ads_popped_up=%d, ads_with_same_domain=%d
CDataFileHandler::check_global_rules, count of url browsed is not enough.
CDataFileHandler::check_domain_rule, reach max domain cap = %d, domain=[%s].
CDataFileHandler::do_match, begin to match tht url with each match rule.
CDataFileHandler::do_match, a url from search engine.
CDataFileHandler::do_match, there is not any parameter at the url.
CDataFileHandler::do_match, normal url.
CDataFileHandler::do_match, matched pattern=[%s] correlation=%d
CDataFileHandler::do_match, ignored pattern=[%s] because of low correlation=%d
CDataFileHandler::do_match, there are %d match rules matched.
CDataFileHandler::select_ad, got a match rule with %d ads, pattern=[%s].
CDataFileHandler::select_ad, invalid ad, index=%d.
CDataFileHandler::parse_match_rule, patch match rule[%s]
CDataFileHandler::parse_match_rule, erase match rule[%s]
CDataFileHandler::parse_match_rule, add match rule[%s]
CDataFileHandler::parse_ad_data, replace ad[%d]
CDataFileHandler::parse_ad_data, add ad[%d]
CDataFileHandler::parse_ad_data, remove ad[%d]
CDownloader::on_inet_receive, received data:%d bytes
CDownloader::on_inet_complete, got data:%d bytes
CDownloader::download, begin to download a internet file, URL:%s.
logs/%s_%d.log
%m/%d/%Y %H:%M:%S
--- log enable at %s for [%s] -------------------
--- log disable at %s ------------------------------
Dumping 0x%X size %d
Dumped 0x%X done %d
%H:%M:%S
(%s.%u)
(%s.%u) %s
CIkenaInet::open_connection: open connection, URL:%s.
CIkenaInet::trans_proc: InternetOpenUrl: %s
CIkenaInet::trans_proc: exited. thread id:0x%X
CIkenaInet::is_connected: dest address:%s
CIkenaInet::is_connected: after gethostbyname(), host=%d, port=%d
CIkenaInet::is_connected, after connect(), ret_code=%d, last_error_no=%d
SoftwareUpdateQueryUrl
ADDataUpdateQueryUrl
ConfigUpdateQueryUrl
FirstHitUrl
MinCountOfUrlsBetweenTwoADs
ServerPort
77D08FB6-6DA6-43EB-83C7-5E51048711E4
apuc.dll
CMainWindow::on_inet_exception, error message: %s
CMainWindow::on_exception, exception, wait for next query, duraction: %d(s)
CMainWindow::on_create, init url handler failed
CMainWindow::on_create, last query time:%d
CMainWindow::on_status_msg, status=%d.
CMainWindow::on_status_msg, failed to upload data.
CMainWindow::on_status_msg, received a zip file.
CMainWindow::on_adp_new_url, url:%s
CMainWindow::on_adp_new_url, URL is empty, impossible!
CMainWindow::on_copy_data, URL=[%s]
CMainWindow::upgrade, got a invalid file, size:%d, expected size:%d
CMainWindow::upgrade, try to load installer:%s
CMainWindow::parse_response, a new version, number:%d
CMainWindow::init_download, begin to download configuration, URL:%s
CMainWindow::init_download, begin to download ad data, URL:%s
CMainWindow::init_download, begin to download software, URL:%s
CMainWindow::do_first_hit, first hit URL:%s
CMainWindow::query_new_config, query URL:%s
CMainWindow::query_new_ad_data, query URL:%s
CMainWindow::query_new_software, query URL:%s
CMainWindow::upload_user_behavior_data, begin... server=[%s], port=%d, path=[%s]
CMainWindow::upload_user_behavior_data, upload_data=[%s]
pid=%s
CMainWindow::verify_signature, can not find ikena certificate in the file.
http\shell\open\command
iexplore.exe
netscape.exe
netscp6.exe
 ,%d,%s,%d,%d,%s
CMatchRule::fill_in, fail to add ad, ad index=%d, match rule patter=[%s]
CMatchRule::add_ad, dupilicated ad, ad index=%d
CProfileParser::init, buffer length=[%d]
CProfileParser::has_next, try to find next key-value pair, buffer length=[%d]
CProfileParser::has_next, find a key-value pair.
CProfileParser::has_next, key=[%s], value=[%s]
CProfileParser::has_next, can not find key-value pair.
1.1.3
HttpSendRequestEx
CUploader::upload, failed to connect, server=[%s]
CUploader::upload, failed to open request handle, path=[%s]
CUploader::post_data, Error on HttpSendRequestEx %d
CUploader::post_data, %d bytes sent.
CUploader::post_data, Error on HttpEndRequest %d
CUrlHandler::on_catch_url, URL:%s
CUrlHandler::on_catch_url, An new ad, index=%d, is triggered by URL=[%s]
CUrlHandler::popup_IE, start IE return hr=[%d]
CUrlHandler::popup_IE, start IE in method 2 return hr=[%d]
CUrlHandler::popup_IE, new ad, URL=[%s], width=%d, height=%d
CUrlHandler::on_new_window, user clicked the ad, index:%d
CUrlHandler::on_quit
CZipUtils::extract_zip_file, error %d with zipfile in unzGetGlobalInfo
CZipUtils::extract_zip_file, error %d with zipfile in unzGoToNextFile
CZipUtils::extract_current_file, error %d with zipfile in unzGetCurrentFileInfo
CZipUtils::extract_current_file, error %d with zipfile in unzOpenCurrentFile
CZipUtils::extract_current_file, error opening %s

EbatesMoeMoneyMaker.exe_1836:




.text
`.rdata
@.data
SSSSSSh
VkKeyScanA
MapVirtualKeyA
GetKeyState
keybd_event
USER32.dll
RegCloseKey
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
WS2_32.dll
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
WININET.dll
ole32.dll
OLEAUT32.dll
ShellExecuteA
SHELL32.dll
VERSION.dll
MSVCRT.dll
_acmdln
kernel32.dll
user32.dll
windowsdesktop
%s %d
%s %d %I64Ld %I64Ld %I64Ld
%d %d %d %d %s
getwindowsdirectory
0.0.0.0;;0.0.0.0;;;;;;
%d.%d.%d.%d;;%d.%d.%d.%d;;
MTemp\lock.txt
MTemp\encryption.bin
createbrowser:svurl
{0002DF01-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{85CB6900-4D95-11CF-960C-0080C7F4EE85}
Windows
{13709620-C279-11CE-A49E-444553540000}
{D8F015C0-C278-11CE-A49E-444553540000}
tellproxypassword
MTemp\logfile.txt
%s "%s" "%s" %d %d %d %d
[miniMeRegistry.c:collectdata()] --> Failed #2 RegEnumValue, no more items for: %s
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_LOCAL_MACHINE
%s, port %d
miniMeAccept: accept() error %d
taskQ.mutex
proxypassword_mutex
HttpOpenRequest
HTTP/1.0
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
hXXp://
HttpQueryInfo -- 1
askforproxypassword
HttpSendRequest -- POST version
Content-Type: application/x-www-form-urlencoded
HttpSendRequest -- GET version

iexplore.exe_2188:




%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    BargainBuddy.exe:1732
    EbatesMoeMoneyMaker.exe:1836
    ebatesmoemoneymaker14.exe:1784
    s4Setp.exe:2116
    RegSvr32.exe:1068
    RegSvr32.exe:1336
    RegSvr32.exe:2020
    RegSvr32.exe:2012
    RegSvr32.exe:484
    RegSvr32.exe:480
    bargains.exe:908
    SuperBarInstall.exe:604
    %original file name%.exe:1560
    runonce.exe:1260
    Setup.exe:1872
    rundll32.exe:452
    NLNupgradeV4_6P28.exe:1520
    IKernel.exe:1292
    IKernel.exe:1596
    msbb.exe:380
    grpconv.exe:604
    iKernel.exe:1708
    

    2. 

  2. Delete the original Adware file.
    3. 

  3. Delete or disinfect the following files created/modified by the Adware:
    

    %Program Files%\Bargain Buddy\bargains.exe (9744 bytes)
    %Program Files%\Bargain Buddy\bbchk.exe (12 bytes)
    %Program Files%\Bargain Buddy\bin\apuc.dll (601 bytes)
    %Program Files%\Bargain Buddy\apuc.dll (1718 bytes)
    %Program Files%\Bargain Buddy\bin\bargains.exe (1281 bytes)
    %Program Files%\Bargain Buddy\uninst.exe (388 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dz.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\da.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\be.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bk.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bb.class (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\c.class (7 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cn.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bg.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cu.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cx.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\by.class (6 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\j.class (261 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ct.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cc.class (710 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dp.class (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ec.class (533 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dh.class (534 bytes)
    %Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.inf (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiBA.tmp (7168 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bi.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ck.class (751 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\l.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\br.class (652 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cv.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bv.class (478 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\m.class (538 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bw.class (971 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\y.class (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dg.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\f.class (684 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dr.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\p.class (229 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bf.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\db.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bh.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bn.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cr.class (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ea.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\co.class (521 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dt.class (784 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ds.class (8 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cw.class (531 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_proxy.htm (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\x.class (619 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dx.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cp.class (6 bytes)
    %Program Files%\EbatesMoeMoneyMaker\ebates_README2.txt (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\w.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dc.class (339 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\topmoxie_conflicts2.htm (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\s.class (568 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cf.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ch.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bq.class (257 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cd.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bd.class (517 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cz.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dw.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bt.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\Main.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bm.class (753 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bs.class (379 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dd.class (15 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dm.class (698 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cl.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe (1552 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cb.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\g.class (451 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cj.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\Applications\ebatesver2.dls (11 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\de.class (4 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cq.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dl.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_preferences0.htm (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bc.class (707 bytes)
    %Program Files%\EbatesMoeMoneyMaker\Applications\eeid14.dls (568 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\v.class (119 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bp.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bo.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\n.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ba.class (535 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_script0.htm (43 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ce.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\Applications\sunclass.dls (263 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cm.class (522 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dj.class (755 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dk.class (518 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\q.class (484 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\System\loader.dls (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\di.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\a.class (373 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ed.class (651 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\t.class (286 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dn.class (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dv.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\d.class (687 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bu.class (938 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cg.class (544 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_autorediroffer0.htm (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\r.class (634 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\u.class (359 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\System\system.dls (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ci.class (541 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_memoffer0.htm (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dq.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\e.class (451 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_disable0.htm (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\i.class (555 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cy.class (449 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\du.class (182 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\ca.class (831 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\eb.class (531 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\df.class (3 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\dy.class (678 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bx.class (4 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bl.class (1 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Html\ebates_nonmemoffer0.htm (2 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bj.class (540 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\System\personality.dls (784 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\b.class (731 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\cs.class (5 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\k.class (532 bytes)
    %Program Files%\EbatesMoeMoneyMaker\System\Code\bz.class (1 bytes)
    %Program Files%\MySearch\bar\1.bin\NPMYSRCH.DLL (32 bytes)
    %Program Files%\MySearch\bar\1.bin\UNINSTALL.INF (1 bytes)
    %Program Files%\MySearch\bar\1.bin\S4BAR.DLL (184 bytes)
    %Program Files%\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS (327 bytes)
    %Program Files%\MySearch\bar\1.bin\PARTNER2.DAT (461 bytes)
    %Program Files%\MySearch\bar\1.bin\S42NS.EXE (24 bytes)
    %Program Files%\MySearch\bar\1.bin\PARTNER.BMP (1 bytes)
    %Program Files%\MySearch\bar\1.bin\PARTNER.DAT (922 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nstB7.tmp\IEManipulate.dll (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (13968 bytes)
    %Program Files%\SuperBar\settings.cfg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nstB9.tmp (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\pftw1.pkg (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\plfB2.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.cab (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.ini (92 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.iss (169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\Setup.exe (1726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\extB3.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\ikernel.ex_ (6681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.inx (2401 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\layout.bin (435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data2.cab (20687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\data1.hdr (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IECB5.tmp (2105 bytes)
    %Program Files%\Common Files\InstallShield\Engine\6\Intel 32\temp.000 (11328 bytes)
    %WinDir%\inf\SETC0.tmp (1 bytes)
    %WinDir%\setupapi.log (1728 bytes)
    %WinDir%\SETBD.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rsp.dl_ (784 bytes)
    %WinDir%\system\RSP.dll (40 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bho.dll.dat (1568 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %System%\drivers\etc\hosts (841 bytes)
    C:\t1fg (819 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bho.dl_ (588 bytes)
    %WinDir%\system\BHO.DLL (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rsp.dll.dat (1568 bytes)
    %WinDir%\system\WinStart.exe (601 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\msbb7fd0.rra (5294 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\711a.rra (1464 bytes)
    %Program Files%\Common Files\InstallShield\Engine\6\Intel 32\obje73d9.rra (798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\valu789c.rra (300 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\defa78ea.rra (1 bytes)
    %Program Files%\Common Files\InstallShield\Engine\6\Intel 32\ctor731e.rra (3404 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7dfb.rra (1568 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\Supe7fb1.rra (12762 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7ddc.rra (8368 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu7e49.rra (2712 bytes)
    %Program Files%\Common Files\InstallShield\Engine\6\Intel 32\core72df.rra (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\setu786d.rra (2712 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\NLNu7f91.rra (4314 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\lice7ee5.rra (4314 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\s4Se7eb7.rra (8760 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\Barg7f05.rra (6118 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setu7e2a.rra (92 bytes)
    %Program Files%\Common Files\InstallShield\IScript\iscr7531.rra (7348 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\data7dbd.rra (11 bytes)
    %System%\ipin7fef.rra (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\_IsR7909.rra (7348 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\layo7d40.rra (435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\isrt78cb.rra (10582 bytes)
    %System%\ipin800e.rra (8474 bytes)
    %Program Files%\Blue Haven Media\Value Added Software\ebat7f53.rra (7316 bytes)
    %Program Files%\InstallShield Installation Information\{AA7AA8B8-A13E-4F88-A9A1-1FE7DC32E8B8}\Setup.ini (362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pftB4~tmp\Disk1\setup.log (139 bytes)
    %Program Files%\Common Files\InstallShield\Engine\6\Intel 32\iuse7437.rra (6134 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (5656 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Bargains" = "%Program Files%\Bargain Buddy\bin\bargains.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EbatesMoeMoneyMaker" = "javaw -cp %Program Files%\EbatesMoeMoneyMaker\System\Code Main lp: %Program Files%\EbatesMoeMoneyMaker"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv" = "grpconv -o"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Winstart" = "%WinDir%\System\WinStart.exe -boot"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msbb" = "%Program Files%\Blue Haven Media\Value Added Software\msbb.exe"
    

    5. 

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    
    127.0.0.1       localhost
    6. 

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    7. 

  7. Reboot the computer.
    8. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now