Gen.Variant.Strictor.10548_0f99736578
Gen:Variant.Strictor.10548 (B) (Emsisoft), Gen:Variant.Strictor.10548 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0f9973657874e53d1c3a1f4519acc314
SHA1: ec943d3a94a722c0a71fbdeb23a018fd49c1fcf4
SHA256: 0e1f30a219675ba3ffdc197d41eeb05f4715a504ffb10037ddee5793037be442
SSDeep: 12288:zC4IG4Uzn4FHVSEUNeDUZ7l290ma6Dz5852aFxZRC:OKPn4FoXkUe9ba2z58oaXjC
Size: 453722 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: AirInstaller
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
0f9973657874e53:1696
The Trojan injects its code into the following process(es):
tmp7d.exe:1848
iexplore.exe:1764
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 0f9973657874e53:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Instant Buzz\InstantBuzz1408360070.dll (8581 bytes)
%Program Files%\Instant Buzz\Dist.exe (4781 bytes)
The process tmp7d.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Instant Buzz\IBBar.dll (8581 bytes)
%Program Files%\Instant Buzz\IBSetup.exe (9421 bytes)
%Program Files%\Instant Buzz\IBMH.dll (1821 bytes)
%Program Files%\Instant Buzz\IBDaemon.exe (9965 bytes)
Registry activity
The process 0f9973657874e53:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Instant Buzz]
"Invitation" = "11811.0d51bd40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"HotIcon" = "%Program Files%\Instant Buzz\InstantBuzz1408360070.dll,1"
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7475D3FD-5D85-49DB-8B9B-6968467B2D80}" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}]
"(Default)" = ""
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"BandClsid" = "{7475D3FD-5D85-49DB-8B9B-6968467B2D80}"
"CLSID" = "{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz]
"DisplayName" = "Instant Buzz Toolbar (remove only)"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"Default Visible" = "Yes"
[HKLM\SOFTWARE\Instant Buzz]
"Track" = "inv:taf16:idx6:head7:seal1:audioplay2"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"Icon" = "%Program Files%\Instant Buzz\InstantBuzz1408360070.dll,1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz]
"UninstallString" = "%Program Files%\Instant Buzz\Dist.exe uninstall"
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}\InprocServer32]
"(Default)" = "C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 8E 3C E2 18 9E AB E4 AD 28 47 E2 F6 6B 7A FA"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"ButtonText" = "Instant Buzz"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}\InprocServer32]
"(Default)" = "C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Instant Buzz]
"DirectSponsor" = "3258"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process tmp7d.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 21 BD D9 5D DC 46 F4 35 20 55 B9 91 03 9F DC"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"ButtonText" = "Instant Buzz"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz]
"DisplayName" = "Instant Buzz (remove only)"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"Default Visible" = "Yes"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}\InprocServer32]
"(Default)" = "C:\PROGRA~1\INSTAN~1\IBBar.dll"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz]
"UninstallString" = "%Program Files%\Instant Buzz\IBSetup.exe uninstall"
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7475D3FD-5D85-49DB-8B9B-6968467B2D80}" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"CLSID" = "{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"
"Icon" = "%Program Files%\Instant Buzz\IBBar.dll,1"
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}\InprocServer32]
"(Default)" = "C:\PROGRA~1\INSTAN~1\IBBar.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"HotIcon" = "%Program Files%\Instant Buzz\IBBar.dll,1"
[HKCR\CLSID\{B8D60EBB-5565-4392-957B-7164BA087AD4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{7475D3FD-5D85-49DB-8B9B-6968467B2D80}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{066040F0-5018-4E15-8AA0-81D36136D989}]
"BandClsid" = "{7475D3FD-5D85-49DB-8B9B-6968467B2D80}"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Instant Buzz Daemon" = "%Program Files%\Instant Buzz\IBDaemon.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 5637bd7c1f4345d69c5a7ee6cec1009d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp7d.exe |
| 2c2d7997cddfa395da3e8b9e7582a228 | c:\Program Files\Instant Buzz\IBBar.dll |
| 2d48a66895fde9fd4b21cb9bcbd64b27 | c:\Program Files\Instant Buzz\IBDaemon.exe |
| 7422b7b41e7480e04d0d4cc57bccf81f | c:\Program Files\Instant Buzz\IBMH.dll |
| 5637bd7c1f4345d69c5a7ee6cec1009d | c:\Program Files\Instant Buzz\IBSetup.exe |
| a48702266a1627e5d219e5a4ae590adf | c:\Program Files\Instant Buzz\InstantBuzz1408360070.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 790528 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 794624 | 450560 | 449024 | 5.48387 | b346736bc3f66ba1ae1032a6ae1f82a2 |
| .rsrc | 1245184 | 4096 | 3584 | 2.36367 | a52178043d8263a78b0f08fb1a7b5164 |
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_1764_rwx_00EE0000_00001000:
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
iexplore.exe_1764_rwx_00F11000_00001000:
An error has occurred during program execution.
Operating System
SMTP.
Connecting with SMTP server...
Connected with SMTP server.
[email protected]
Intraweb
tmp7d.exe_1848:
.rsrc
K.GnFD
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
USER32.DLL
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
comctl32.dll
uxtheme.dll
UrlMon
MAPI32.DLL
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
UhV%D
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
hXXp://VVV.safer-networking.org/
hXXp://www2.instantbuzz.com/
WinInetHTTP
shell32.dll
hhctrl.ocx
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowser
TWebBrowser
ErrorUrl
CmdID
TGetOverrideKeyPathEvent
pchKey
pcmdtReserved
lpMsg
PMsg
pguidCmdGroup
nCmdID
TGetOptionKeyPathEvent
TTranslateUrlEvent
pchURLIn
ppchURLOut
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
URL_ENCODING_DISABLE_UTF8
URL_ENCODING_ENABLE_UTF8
poPortrait
OnGetOverrideKeyPath0
OnGetOptionKeyPath
OnTranslateUrl(
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
htmlfile\shell\open\ddeexec\application
htmlfile\shell\open\ddeexec\topic
Folder\shell\open\ddeexec\application
Folder\shell\open\ddeexec\topic
Folder\shell\open\ddeexec
Folder\shell\explore\ddeexec
Directory\shell\find\ddeexec
3333333
'%s' not supported.
afteruninstall.php?username=
\SOFTWARE\Microsoft\Windows\CurrentVersion
\*.ibq
\IBSetup.exe
\IBBar.dll
\IBMH.dll
\IBDaemon.exe
In order to install Instant Buzz on your computer, we must restart Windows now. Before continuing, please ensure that you have saved all data in any running applications. Do you wish to reboot and install now?
In order to uninstall Instant Buzz from your computer, we must restart Windows now. Before continuing, please ensure that you have saved all data in any running applications. Do you wish to reboot and uninstall now?
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IBDaemon_exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz
\Software\Microsoft\Internet Explorer\New Windows\Allow
*.instantbuzz.com
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\AppPaths
IEXPLORE.EXE
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
.idata
.edata
P.reloc
P.rsrc
user32.dll
;!199{199;0!8&2{199Windows 95
Windows 95 OSR-2
Windows 98
Windows 98 SE
Windows ME
Windows 9x New
Windows NT 3
Windows NT 4
Windows 2000
Windows XP
Windows 2003
Windows NT New
user.exe
TMsgHandlers
madToolsMsgHandlerMutex
madToolsMsgHandlerWindow
cmovÌ
setÌ
pop %seg
push %seg
VVV.madshi.net
bugReport
eaMailBugReport
eaSaveBugReport
eaPrintBugReport
eaShowBugReport
ntdll.dll
The import table is invalid.
%exceptMsg%
screenShot.png
*.txt
wininet.dll
SMTP:
mapi32.dll
Tcpip\Parameters
VxD\MSTCP
IpHlpApi.dll
A.ROOT-SERVERS.NET
K.ROOT-SERVERS.NET
LOGIN
--VVV.madshi.net_SMTP_Boundary
AUTH LOGIN
Content-Type: multipart/mixed; boundary="VVV.madshi.net_SMTP_Boundary"
--VVV.madshi.net_SMTP_Boundary--
<tr><td><button onClick="history.back();" style="height:19.5pt;">
<button onClick="document.getElementById('bugReport').style.visibility='visible';this.style.visibility='hidden';" style="height:19.5pt;"> <textarea id="bugReport" readonly cols="80" rows="20" style="width:100%;height:100%;
operating system :
idapi32.dll
GetThreadReport
An exception occurred during composing the bug report.
wtsapi32.dll
HardWareKey
setupapi.dll
GetModuleReport
internal error. please notify [email protected]
vcl70.bpl
rtl70.bpl
visualclx70.bpl
@System@@StartExe$qqrp23System@PackageInfoTablep17System@TLibModule
OLEAUT32.DLL
Uh.ED
%s[%d]
Uh.SD
AutoHotkeys`&G
KeyPreviewT-G
Uh.hH
IWebBrowser
IWebBrowser20
IWebBrowserAppp
OnGetOverrideKeyPath
OnGetOptionKeyPath`
OnTranslateUrlx
c:\x\a\source\delphi7\lib\gr32\GR32_Transforms.pas
c:\x\a\source\delphi7\lib\gr32\GR32.pas
Unpaired TThreadPersistent.EndUpdate
c:\x\a\source\delphi7\lib\gr32\GR32_Image.pas
c:\x\a\source\delphi7\lib\gr32\GR32_Layers.pas
TssIPCTextMsgRecieved
MsgBuf
TssIPCBinMsgRecieved
MsgSize
OnTextMsgRecieved
OnBinMsgRecieved
madExceptWizard_.bpl
'<#<9020
{00021492-0000-0000-C000-000000000046}{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}Component Categories\{00021492-0000-0000-C000-000000000046}\EnumLoginMenuItem
LoginMenuItemClick
IBIPCTextMsgRecieved
redirect.php
hXXp://
&url=
dologin
members.php?
C:\x\a\source\delphi7\InstantBuzz\Bar\_IEBrowserHelper.pas
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
6666666666666666
[email protected]
2.005 BAR BUG REPORT
www2.instantbuzz.com
smtp
bugreport.txt
mail bug report
save bug report
print bug report
show bug report
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetCPInfo
CreatePipe
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
ShellExecuteExA
URLMON.DLL
comdlg32.dll
wsock32.dll
IBBar.dll
0#02090[0
;&;.;6;^;
5l6
3 3$3(3,3034383<3@3
: :0:5:^:
3 3$3(3,303
4F4C4I4P4V4[4a4h4r4y4~4
5!5X5D5H5T5X5`5d5h5l5p5t5x5|5
2*2.2@2\2
0 0$0(0,0004080<0@0
> >$>(>,>0>4>8><>@>
0"0&0*0.02060
>%?)?-?1?8?
: :$:(:6:>:
6$6.646<6
4M4V4
2 2-2N2
?!?'?/?6?=?\?
.UUVP
-kp}@t
KWindows
.SHDocVw_TLB
DzURL
gWinInetHTTP
WebCommandUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
PrintOptions.Margins.Left
PrintOptions.Margins.Right
PrintOptions.Margins.Top
PrintOptions.Margins.Bottom
PrintOptions.Header
PrintOptions.HTMLHeader.Strings
PrintOptions.Footer
PrintOptions.Orientation
Bitmap.DrawMode
Bitmap.Data
BitmapHot.DrawMode
BitmapHot.Data
BitmapDown.DrawMode
BitmapDown.Data
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<a href="hXXp://VVV.yahoo.com/">Yahoo</a> or <a href="hXXp://VVV.google.com/">
if (document.all.yesradio.checked) {document.all.maindiv.style.display = 'none';
document.all.yesdiv.style.display = 'block';
} else if (document.all.noradio.checked) {document.all.nodiv.style.display = 'block';
<a href="hXXp://VVV.instantbuzz.com/desk">contact
P.tls
.rdata
Uh.qC
.Owner
Proportional
PasswordChar
OnKeyPress<
OnKeyUp`
OnKeyUpT(F
Uh.kF
HelpKeyword,
TWinInetHTTP2StringBgThread
Password
TLoginForm
LoginFormUnit
Please enter your password.
login.php?username=
&password=
We were unable to authenticate your username and password combination. Please check that they are correct and try again.
We were unable to connect to InstantBuzz.com to log you in. Please ensure that you are connected to the Internet, and that all your firewall settings allow this program to connect to the Internet.
We received an unexpected response from the InstantBuzz.com server. Please contact support immediately.
OnTranslateUrl
#%s%s%s
id="%s"
bgcolor="%s"
text="%s"
link="%s"
vlink="%s"
alink="%s"
face="%s"
size="%s"
color="%s"
align="%s"
href="%s"
type="%s"
name="%s"
method="%s"
<img src="%s"
width="%d"
height="%d"
size="%d"
value="%s"
var1="%s"
var2="%s"
var3="%s"
Password,
Password2
Please make sure you email address is valid (e.g. [email protected]).
Please select a password.
The two passwords you entered don't seem to match.
signuptaf.php?username=
signup.php?username=
We were unable to connect to InstantBuzz.com to register your account. Please ensure that you are connected to the Internet, and that all your firewall settings allow this program to connect to the Internet.
At this time, an invitation is required to join Instant Buzz. Please get an invitation from a current member, and then re-download and install Instant Buzz from that link.
members.php?username=
signupsigads.php?username=
::9=09%fg
;3:'84!<:;
can contact me at "[email protected]".
U4U%FUE
0'030'0;60
'02<&!',
hXXp://VVV.instantbuzz.com/whatissigad.php
setprefs.php?username=
IBSetup.exe
upgradefrom1x.php?username=
members.php?page=actionplan&username=
AdURL
WebCookieSetter|
WebCookieResetter
WebCookieResetterTimer
WebCookieSetterDocumentComplete
forgotlogin.php
aftersignup.php?
getprefs.php?username=
{ADURL}IBMH.dll
sigads2.php?r=1&username=
/barads2.php?username=
newibq.php?username=
version2.php?version=
oneadaycaller.php?localtime=
setcookies.php?username=
2.005 DAEMON BUG REPORT
ShellExecuteA
InternetOpenUrlA
HttpQueryInfoA
ibdaemon.exe
5 5$5(5,50545
3!373`3~3
9!:):-<:<~<
11e1t1
? ?$?(?<?
= =$=(=,=0=4=8=<=@=
4%5s5
? ?$?(?,?0?4?8?<?@?
= =$=(=,=<=[=
=)>->1>5><>{>; ;$;(;,;0;4;8;<;@;
<,<9<@<_<
> >$>(>,>0>4>8>
8!9%9)909
>$?1?8?}?
=!=%=)=-=1=8=
? ?3?@?\?
0 0$0(0,0004080>0~0
353[3`3{3VVV.madshi.netX
Un&%Cj
Zi%f"!
6D-.fL
<.ehx
Z.yX`oqp/
%u_@I
Icon.Data
Lines.Strings
WebCookieSetter
LoginForm
InstantBuzz.com Log In
Password:
&Click here if you forgot your password
This will turn on MailSpace Ads for your personal email client if you have use a client-side email application (Outlook, Outlook Express, Eudora, Incredimail, etc). If you do not, you may <a href="hXXp://VVV.microsoft.com/windows/ie/">download Outlook Express</a> for free (download the latest version of Internet Explorer and when prompted indicate that you would also like to install Outlook Express).
Yes, I have read, understand, and will abide by <a href="hXXp://VVV.instantbuzz.com/aup.php">Acceptable Use Policy</a> including (but not limited to) the rule that I will now only use my email client for one-to-one email communications and will not use it for mass email of any form. I understand that if my recipients perceive any of my SigAd email messages as spam I am responsible for any consequences.
ButtonStart.Caption
ButtonStart.NumGlyphs
ButtonStart.Layout
ButtonStart.ModalResult
ButtonStart.Width
ButtonLast.Caption
ButtonLast.NumGlyphs
ButtonLast.Layout
ButtonLast.ModalResult
ButtonLast.Width
ButtonBack.Caption
ButtonBack.NumGlyphs
ButtonBack.Layout
ButtonBack.ModalResult
ButtonBack.Width
ButtonNext.Caption
ButtonNext.NumGlyphs
ButtonNext.Layout
ButtonNext.ModalResult
ButtonNext.Width
ButtonFinish.Caption
ButtonFinish.NumGlyphs
ButtonFinish.Layout
ButtonFinish.ModalResult
ButtonFinish.Width
ButtonCancel.Caption
ButtonCancel.NumGlyphs
ButtonCancel.Layout
ButtonCancel.ModalResult
ButtonCancel.Width
ButtonHelp.Caption
ButtonHelp.NumGlyphs
ButtonHelp.Layout
ButtonHelp.ModalResult
ButtonHelp.Width
Header.Color
Header.Visible
Header.ImageIndex
Header.ImageOffset
Header.ImageAlignment
Header.Height
Header.ParentFont
Header.Title.Color
Header.Title.Visible
Header.Title.Text
Header.Title.Anchors
Header.Title.AnchorPlacement
Header.Title.Indent
Header.Title.Alignment
Header.Title.Font.Charset
Header.Title.Font.Color
Header.Title.Font.Height
Header.Title.Font.Name
Header.Title.Font.Style
Header.Subtitle.Color
Header.Subtitle.Visible
Header.Subtitle.Text
Header.Subtitle.Anchors
Header.Subtitle.AnchorPlacement
Header.Subtitle.Indent
Header.Subtitle.Alignment
Header.Subtitle.Font.Charset
Header.Subtitle.Font.Color
Header.Subtitle.Font.Height
Header.Subtitle.Font.Name
Header.Subtitle.Font.Style
Header.ShowDivider
Image.Alignment
Image.Layout
Image.Transparent
Panel.Color
Panel.Visible
Panel.BorderWidth
InstantBuzz.com Set Up Process
Select A Password:
Repeat Password:
If you choose to participate, the sites you visit will be reported back to InstantBuzz.com, but this information will NEVER be associated with your username.
.Yes, send anonymous data to help Instant Buzz.
Items.Strings
Yahoo! Webmail
Other Webmail
-Now, stay tuned for a very important message!
&Instant Buzz - Important - Please Read
.Show me the next tip next time I send an email
<font name="Arial" size=9>Please acknowledge that you have read and accept our new <a href="hXXp://VVV.instantbuzz.com/tos.php">Terms of Service</a> and our new <a href="hXXp://VVV.instantbuzz.com/aup.php">Acceptable Use Policy</a>.
After you have completed the Set Up Wizard you'll be given the opportunity to take a detailed tutorial that will explain all of this in detail.
<p>The following types of products, services or websites are
Abusive Websites<br>
be stated so clearly and obviously on your website.</p>
verified by a third party on your website.</p>
<p>If you state that your website has a particular type of content,
aided, abetted, or assisted in the spoofing operation.</td>
3-Cj}
jdu%s
.KB/r
i#'%c
.wix%
8TcPl
C( (%c' dT
KiIC.uV
.UVeY
t-n}N
<title>Important - Please Read</title>
<p align="center"><font size="5"><u><b>Important - Please Read:</b></u><br>
important information about MailSpace Ads you need to know.</p>
<p align="left">We have two more important tips for you that will
through the <a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>InstantBuzz
<b><a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>InstantBuzz Action Plan</a></b>.
the <b><a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Action Plan</a></b> are 8 times
<a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Infinity Streams</a></b>
<a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Action Plan</a></b> right
'.Gp3
.IltQ
<meta name="ProgId" content="FrontPage.Editor.Document">
<p><u><b>IMPORTANT:</b> If you do not agree to
will not hold InstantBuzz.com, it's principals,
hereby agree to indemnify InstantBuzz.com, it's
knowingly do so, I agree to pay InstantBuzz.com
Instant Buzz a fine of $10 per webpage surfed
given the opportunity to read as appropriate).</p>
InstantBuzz.com, InstantBuzz users, or
agree to pay InstantBuzz.com a fine of
.reloc
ws2_32.dll
< <$<(<,<0<4<8<<<%=?=
7)7/777<7
1#1-121<1
3 3%3S3j3
IMPORTANT
=IMPORTANT: Enabling 3rd Party Extensions in Internet Explorer
Chances are low that this will happen to you, but in the event it does, most spyware can be eliminated using a freeware removal tool such as the great one that can be found at hXXp://VVV.safer-networking.org/ .
hXXp://VVV.safer-networking.org/
7Check your email for details. Thanks for your support!
ExitWindowsEx
KERNEL32.DLL
errorUrl
IBDAEMON_EXE
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Integer overflow Invalid floating point operation
66006666
Window Text=This control requires version 4.70 or greater of COMCTL32.DLL
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Invalid pixel format!Cannot change the size of an icon Invalid operation on TOleGraphic
#A component named %s already exists%String list does not allow duplicates
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
A class named %s already exists%List does not allow duplicates ($0%x)
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
'%s' is not a valid GUID value
TLOGINFORM
JPEG error #%d
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE error %.8x.Method '%s' not supported by automation object
Unable to insert a line Clipboard does not support Icons
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
Thread creation error: %s
Thread Error: %s (%d)
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
Invalid floating point operation
InstantBuzz.com
2.0.0.0
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Invalid property value List capacity out of bounds (%d)
tmp7d.exe_1848_rwx_00401000_002A3000:
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
USER32.DLL
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
comctl32.dll
uxtheme.dll
UrlMon
MAPI32.DLL
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
UhV%D
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
hXXp://VVV.safer-networking.org/
hXXp://www2.instantbuzz.com/
WinInetHTTP
shell32.dll
hhctrl.ocx
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowser
TWebBrowser
ErrorUrl
CmdID
TGetOverrideKeyPathEvent
pchKey
pcmdtReserved
lpMsg
PMsg
pguidCmdGroup
nCmdID
TGetOptionKeyPathEvent
TTranslateUrlEvent
pchURLIn
ppchURLOut
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
URL_ENCODING_DISABLE_UTF8
URL_ENCODING_ENABLE_UTF8
poPortrait
OnGetOverrideKeyPath0
OnGetOptionKeyPath
OnTranslateUrl(
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
htmlfile\shell\open\ddeexec\application
htmlfile\shell\open\ddeexec\topic
Folder\shell\open\ddeexec\application
Folder\shell\open\ddeexec\topic
Folder\shell\open\ddeexec
Folder\shell\explore\ddeexec
Directory\shell\find\ddeexec
3333333
'%s' not supported.
afteruninstall.php?username=
\SOFTWARE\Microsoft\Windows\CurrentVersion
\*.ibq
\IBSetup.exe
\IBBar.dll
\IBMH.dll
\IBDaemon.exe
In order to install Instant Buzz on your computer, we must restart Windows now. Before continuing, please ensure that you have saved all data in any running applications. Do you wish to reboot and install now?
In order to uninstall Instant Buzz from your computer, we must restart Windows now. Before continuing, please ensure that you have saved all data in any running applications. Do you wish to reboot and uninstall now?
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IBDaemon_exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Buzz
\Software\Microsoft\Internet Explorer\New Windows\Allow
*.instantbuzz.com
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\AppPaths
IEXPLORE.EXE
.idata
.edata
P.reloc
P.rsrc
user32.dll
Windows 95
Windows 95 OSR-2
Windows 98
Windows 98 SE
Windows ME
Windows 9x New
Windows NT 3
Windows NT 4
Windows 2000
Windows XP
Windows 2003
Windows NT New
user.exe
TMsgHandlers
madToolsMsgHandlerMutex
madToolsMsgHandlerWindow
cmovÌ
setÌ
pop %seg
push %seg
VVV.madshi.net
bugReport
eaMailBugReport
eaSaveBugReport
eaPrintBugReport
eaShowBugReport
ntdll.dll
The import table is invalid.
%exceptMsg%
screenShot.png
*.txt
wininet.dll
SMTP:
mapi32.dll
Tcpip\Parameters
VxD\MSTCP
IpHlpApi.dll
A.ROOT-SERVERS.NET
K.ROOT-SERVERS.NET
LOGIN
--VVV.madshi.net_SMTP_Boundary
AUTH LOGIN
Content-Type: multipart/mixed; boundary="VVV.madshi.net_SMTP_Boundary"
--VVV.madshi.net_SMTP_Boundary--
<tr><td><button onClick="history.back();" style="height:19.5pt;">
<button onClick="document.getElementById('bugReport').style.visibility='visible';this.style.visibility='hidden';" style="height:19.5pt;"> <textarea id="bugReport" readonly cols="80" rows="20" style="width:100%;height:100%;
operating system :
idapi32.dll
GetThreadReport
An exception occurred during composing the bug report.
wtsapi32.dll
HardWareKey
setupapi.dll
GetModuleReport
internal error. please notify [email protected]
vcl70.bpl
rtl70.bpl
visualclx70.bpl
@System@@StartExe$qqrp23System@PackageInfoTablep17System@TLibModule
OLEAUT32.DLL
Uh.ED
%s[%d]
Uh.SD
AutoHotkeys`&G
KeyPreviewT-G
Uh.hH
IWebBrowser
IWebBrowser20
IWebBrowserAppp
OnGetOverrideKeyPath
OnGetOptionKeyPath`
OnTranslateUrlx
c:\x\a\source\delphi7\lib\gr32\GR32_Transforms.pas
c:\x\a\source\delphi7\lib\gr32\GR32.pas
Unpaired TThreadPersistent.EndUpdate
c:\x\a\source\delphi7\lib\gr32\GR32_Image.pas
c:\x\a\source\delphi7\lib\gr32\GR32_Layers.pas
TssIPCTextMsgRecieved
MsgBuf
TssIPCBinMsgRecieved
MsgSize
OnTextMsgRecieved
OnBinMsgRecieved
madExceptWizard_.bpl
{00021492-0000-0000-C000-000000000046}{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}Component Categories\{00021492-0000-0000-C000-000000000046}\EnumLoginMenuItem
LoginMenuItemClick
IBIPCTextMsgRecieved
redirect.php
hXXp://
&url=
dologin
members.php?
C:\x\a\source\delphi7\InstantBuzz\Bar\_IEBrowserHelper.pas
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
[email protected]
2.005 BAR BUG REPORT
www2.instantbuzz.com
smtp
bugreport.txt
mail bug report
save bug report
print bug report
show bug report
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetCPInfo
CreatePipe
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
ShellExecuteExA
URLMON.DLL
comdlg32.dll
wsock32.dll
IBBar.dll
KWindows
.SHDocVw_TLB
DzURL
gWinInetHTTP
WebCommandUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
PrintOptions.Margins.Left
PrintOptions.Margins.Right
PrintOptions.Margins.Top
PrintOptions.Margins.Bottom
PrintOptions.Header
PrintOptions.HTMLHeader.Strings
PrintOptions.Footer
PrintOptions.Orientation
Bitmap.DrawMode
Bitmap.Data
BitmapHot.DrawMode
BitmapHot.Data
BitmapDown.DrawMode
BitmapDown.Data
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<a href="hXXp://VVV.yahoo.com/">Yahoo</a> or <a href="hXXp://VVV.google.com/">
if (document.all.yesradio.checked) {document.all.maindiv.style.display = 'none';
document.all.yesdiv.style.display = 'block';
} else if (document.all.noradio.checked) {document.all.nodiv.style.display = 'block';
<a href="hXXp://VVV.instantbuzz.com/desk">contact
P.tls
.rdata
Uh.qC
.Owner
Proportional
PasswordChar
OnKeyPress<
OnKeyUp`
OnKeyUpT(F
Uh.kF
HelpKeyword,
TWinInetHTTP2StringBgThread
Password
TLoginForm
LoginFormUnit
Please enter your password.
login.php?username=
&password=
We were unable to authenticate your username and password combination. Please check that they are correct and try again.
We were unable to connect to InstantBuzz.com to log you in. Please ensure that you are connected to the Internet, and that all your firewall settings allow this program to connect to the Internet.
We received an unexpected response from the InstantBuzz.com server. Please contact support immediately.
OnTranslateUrl
#%s%s%s
id="%s"
bgcolor="%s"
text="%s"
link="%s"
vlink="%s"
alink="%s"
face="%s"
size="%s"
color="%s"
align="%s"
href="%s"
type="%s"
name="%s"
method="%s"
<img src="%s"
width="%d"
height="%d"
size="%d"
value="%s"
var1="%s"
var2="%s"
var3="%s"
Password,
Password2
Please make sure you email address is valid (e.g. [email protected]).
Please select a password.
The two passwords you entered don't seem to match.
signuptaf.php?username=
signup.php?username=
We were unable to connect to InstantBuzz.com to register your account. Please ensure that you are connected to the Internet, and that all your firewall settings allow this program to connect to the Internet.
At this time, an invitation is required to join Instant Buzz. Please get an invitation from a current member, and then re-download and install Instant Buzz from that link.
members.php?username=
signupsigads.php?username=
can contact me at "[email protected]".
hXXp://VVV.instantbuzz.com/whatissigad.php
setprefs.php?username=
IBSetup.exe
upgradefrom1x.php?username=
members.php?page=actionplan&username=
AdURL
WebCookieSetter|
WebCookieResetter
WebCookieResetterTimer
WebCookieSetterDocumentComplete
forgotlogin.php
aftersignup.php?
getprefs.php?username=
{ADURL}IBMH.dll
sigads2.php?r=1&username=
/barads2.php?username=
newibq.php?username=
version2.php?version=
oneadaycaller.php?localtime=
setcookies.php?username=
2.005 DAEMON BUG REPORT
ShellExecuteA
InternetOpenUrlA
HttpQueryInfoA
ibdaemon.exe
Icon.Data
Lines.Strings
WebCookieSetter
LoginForm
InstantBuzz.com Log In
Password:
&Click here if you forgot your password
This will turn on MailSpace Ads for your personal email client if you have use a client-side email application (Outlook, Outlook Express, Eudora, Incredimail, etc). If you do not, you may <a href="hXXp://VVV.microsoft.com/windows/ie/">download Outlook Express</a> for free (download the latest version of Internet Explorer and when prompted indicate that you would also like to install Outlook Express).
Yes, I have read, understand, and will abide by <a href="hXXp://VVV.instantbuzz.com/aup.php">Acceptable Use Policy</a> including (but not limited to) the rule that I will now only use my email client for one-to-one email communications and will not use it for mass email of any form. I understand that if my recipients perceive any of my SigAd email messages as spam I am responsible for any consequences.
ButtonStart.Caption
ButtonStart.NumGlyphs
ButtonStart.Layout
ButtonStart.ModalResult
ButtonStart.Width
ButtonLast.Caption
ButtonLast.NumGlyphs
ButtonLast.Layout
ButtonLast.ModalResult
ButtonLast.Width
ButtonBack.Caption
ButtonBack.NumGlyphs
ButtonBack.Layout
ButtonBack.ModalResult
ButtonBack.Width
ButtonNext.Caption
ButtonNext.NumGlyphs
ButtonNext.Layout
ButtonNext.ModalResult
ButtonNext.Width
ButtonFinish.Caption
ButtonFinish.NumGlyphs
ButtonFinish.Layout
ButtonFinish.ModalResult
ButtonFinish.Width
ButtonCancel.Caption
ButtonCancel.NumGlyphs
ButtonCancel.Layout
ButtonCancel.ModalResult
ButtonCancel.Width
ButtonHelp.Caption
ButtonHelp.NumGlyphs
ButtonHelp.Layout
ButtonHelp.ModalResult
ButtonHelp.Width
Header.Color
Header.Visible
Header.ImageIndex
Header.ImageOffset
Header.ImageAlignment
Header.Height
Header.ParentFont
Header.Title.Color
Header.Title.Visible
Header.Title.Text
Header.Title.Anchors
Header.Title.AnchorPlacement
Header.Title.Indent
Header.Title.Alignment
Header.Title.Font.Charset
Header.Title.Font.Color
Header.Title.Font.Height
Header.Title.Font.Name
Header.Title.Font.Style
Header.Subtitle.Color
Header.Subtitle.Visible
Header.Subtitle.Text
Header.Subtitle.Anchors
Header.Subtitle.AnchorPlacement
Header.Subtitle.Indent
Header.Subtitle.Alignment
Header.Subtitle.Font.Charset
Header.Subtitle.Font.Color
Header.Subtitle.Font.Height
Header.Subtitle.Font.Name
Header.Subtitle.Font.Style
Header.ShowDivider
Image.Alignment
Image.Layout
Image.Transparent
Panel.Color
Panel.Visible
Panel.BorderWidth
InstantBuzz.com Set Up Process
Select A Password:
Repeat Password:
If you choose to participate, the sites you visit will be reported back to InstantBuzz.com, but this information will NEVER be associated with your username.
.Yes, send anonymous data to help Instant Buzz.
Items.Strings
Yahoo! Webmail
Other Webmail
-Now, stay tuned for a very important message!
&Instant Buzz - Important - Please Read
.Show me the next tip next time I send an email
<font name="Arial" size=9>Please acknowledge that you have read and accept our new <a href="hXXp://VVV.instantbuzz.com/tos.php">Terms of Service</a> and our new <a href="hXXp://VVV.instantbuzz.com/aup.php">Acceptable Use Policy</a>.
After you have completed the Set Up Wizard you'll be given the opportunity to take a detailed tutorial that will explain all of this in detail.
<p>The following types of products, services or websites are
Abusive Websites<br>
be stated so clearly and obviously on your website.</p>
verified by a third party on your website.</p>
<p>If you state that your website has a particular type of content,
aided, abetted, or assisted in the spoofing operation.</td>
<title>Important - Please Read</title>
<p align="center"><font size="5"><u><b>Important - Please Read:</b></u><br>
important information about MailSpace Ads you need to know.</p>
<p align="left">We have two more important tips for you that will
through the <a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>InstantBuzz
<b><a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>InstantBuzz Action Plan</a></b>.
the <b><a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Action Plan</a></b> are 8 times
<a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Infinity Streams</a></b>
<a href="hXXp://VVV.instantbuzz.com/members.php?page=actionplan" target=_new>Action Plan</a></b> right
<meta name="ProgId" content="FrontPage.Editor.Document">
<p><u><b>IMPORTANT:</b> If you do not agree to
will not hold InstantBuzz.com, it's principals,
hereby agree to indemnify InstantBuzz.com, it's
knowingly do so, I agree to pay InstantBuzz.com
Instant Buzz a fine of $10 per webpage surfed
given the opportunity to read as appropriate).</p>
InstantBuzz.com, InstantBuzz users, or
agree to pay InstantBuzz.com a fine of
.reloc
ws2_32.dll
IMPORTANT
=IMPORTANT: Enabling 3rd Party Extensions in Internet Explorer
Chances are low that this will happen to you, but in the event it does, most spyware can be eliminated using a freeware removal tool such as the great one that can be found at hXXp://VVV.safer-networking.org/ .
hXXp://VVV.safer-networking.org/
7Check your email for details. Thanks for your support!
ExitWindowsEx
errorUrl
IBDAEMON_EXE
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Integer overflow Invalid floating point operation
Window Text=This control requires version 4.70 or greater of COMCTL32.DLL
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Invalid pixel format!Cannot change the size of an icon Invalid operation on TOleGraphic
#A component named %s already exists%String list does not allow duplicates
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
A class named %s already exists%List does not allow duplicates ($0%x)
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
'%s' is not a valid GUID value
TLOGINFORM
JPEG error #%d
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE error %.8x.Method '%s' not supported by automation object
Unable to insert a line Clipboard does not support Icons
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
Thread creation error: %s
Thread Error: %s (%d)
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
Invalid floating point operation
InstantBuzz.com
2.0.0.0
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Invalid property value List capacity out of bounds (%d)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
0f9973657874e53:1696
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Instant Buzz\InstantBuzz1408360070.dll (8581 bytes)
%Program Files%\Instant Buzz\Dist.exe (4781 bytes)
%Program Files%\Instant Buzz\IBBar.dll (8581 bytes)
%Program Files%\Instant Buzz\IBSetup.exe (9421 bytes)
%Program Files%\Instant Buzz\IBMH.dll (1821 bytes)
%Program Files%\Instant Buzz\IBDaemon.exe (9965 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Instant Buzz Daemon" = "%Program Files%\Instant Buzz\IBDaemon.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.