Trojan.Win32.IEDummy_e8e8fcfffe

by malwarelabrobot on August 4th, 2014 in Malware Descriptions.

Trojan.Win32.IEDummy.FD, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: e8e8fcfffe4f88c1462563a6d5c45478
SHA1: 8a03eec7779c3fa9ba01d41cac5a374b9d0ff5ba
SHA256: 1b6e946bf64d81f4bbe21756cfcad0d5bf10de67570b792f0b7c3adb96896117
SSDeep: 6144:NM/in98C/WvBJIzvGO8QC2VQ8nVG2CPRgLXM 1mq7kycl8dk3LNr6XoRDae8N5Ym:0C98CQnmGl2r gL8 13gyc6EZou AJK
Size: 735336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Softonic
Created at: 2010-11-01 23:14:48
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:756
%original file name%.exe:1500
SelectRebates.exe:2028
SelectRebatesDownload.exe:2024
SelectRebatesDownload.exe:1272
ShopAtHome_Toolbar_Installer.exe:1740

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHX6B4M9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2FFAH1MS.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\24P26NA4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XMNUZUYC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LV5MCTUC.exe (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJTGL44G\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LV5MCTUC.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\U9E0PNFU.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2FFAH1MS.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (0 bytes)

The process SelectRebates.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\srtmpprf1cbo1bfc.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqus6ksvjjd.tmp (6 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (168486 bytes)
%Program Files%\SelectRebates\SelectRebatesB.dat (11518 bytes)
%Program Files%\SelectRebates\srtmpgfiv51ljon0.tmp (9607 bytes)
%Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
%Program Files%\SelectRebates\srtmpprfu7r3kl5g.tmp (2 bytes)
%Program Files%\SelectRebates\srtmpsqu2jmret6p.tmp (4 bytes)
%Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
%Program Files%\SelectRebates\srtmpprft1g072d3.tmp (2 bytes)

The Trojan deletes the following file(s):

%Program Files%\SelectRebates\srtmpprf1cbo1bfc.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqus6ksvjjd.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpgfiv51ljon0.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprfu7r3kl5g.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpsqu2jmret6p.tmp (0 bytes)
%Program Files%\SelectRebates\srtmpprft1g072d3.tmp (0 bytes)

The process SelectRebatesDownload.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\srtmpprf1cbo1bfc.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpgfiv51ljon0.tmp (223857 bytes)
%Program Files%\SelectRebates\srtmpprfu7r3kl5g.tmp (25 bytes)
%Program Files%\SelectRebates\srtmpprft1g072d3.tmp (1 bytes)
%Program Files%\SelectRebates\srtmpsqu2jmret6p.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)

The process SelectRebatesDownload.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\U9E0PNFU.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)

The process ShopAtHome_Toolbar_Installer.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (4 bytes)
%Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (4 bytes)
%Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
%Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
%Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
%Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
%System%\config\SOFTWARE.LOG (5347 bytes)
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2FFAH1MS.tmp (146 bytes)
%Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
%Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
%Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
%Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (2996 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRFF3.dll (673 bytes)
%Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
%Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
%Program Files%\SelectRebates\SelectAlerts.dat (1 bytes)
%System%\config\software (3756 bytes)
%Program Files%\SelectRebates\SelectRebates.ini (12675 bytes)
%Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
%Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
%Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
%Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
%Program Files%\SelectRebates\SRebates.dll (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (0 bytes)
%Program Files%\SelectRebates\FFToolbar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (0 bytes)

Registry activity

The process regsvr32.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\ShopAtHome\Toolbar]
"EditWidthcombo1" = "1"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\VersionIndependentProgID]
"(Default)" = "ShopAtHome.IEToolbar"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCU\Software\ShopAtHome\Toolbar]
"KeepHistory" = "1"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\"

[HKCU\Software\ShopAtHome\Toolbar]
"RunSearchDragAutomatically" = "1"
"corruptedMsg" = "One of the XML files is corrupted or invalid. Press OK to uninstall."
"lastVersionMsg" = "You have the latest version of the ShopAtHome Toolbar."
"ShowExternalSearches" = "1"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\VersionIndependentProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}" = "00"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\ToolBand.ShopAtHomeIEHelper\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"

[HKCR\ToolBand.ShopAtHomeIEHelper.1\CLSID]
"(Default)" = "{E8DAAA30-6CAA-4b58-9603-8E54238219E2}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\ProgID]
"(Default)" = "ShopAtHome.IEToolbar.1"

[HKCU\Software\ShopAtHome\Toolbar]
"PopStop" = "Untitled Toolbar has blocked a Pop-up window"

[HKCR\ToolBand.ShopAtHomeIEHelper]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCU\Software\ShopAtHome\Toolbar]
"autoUpdateMsg" = "New version of ShopAtHome Toolbar is available. Would you like to download and install new version?"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0\0\win32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCR\ShopAtHome.IEToolbar\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"

[HKCU\Software\ShopAtHome\Toolbar]
"firstTime" = "1"
"ErrorMsg" = "Error"
"#EditWidthcombo1#" = "Widthcombo11"
"versionError" = "Can not find current version information."
"UpdateAutomatically" = "0"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\ProgID]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"

[HKCU\Software\ShopAtHome\Toolbar]
"DescriptiveText" = "1"
"OpenNew" = "0"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCU\Software\ShopAtHome\Toolbar]
"AutoComplete" = "1"
"closeAllWindowsForUpdate" = "All running IE Windows will be closed before updating the ShopAtHome Toolbar. Continue?"
"RunSearchAutomatically" = "1"
"toolbar_version" = "undefined"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCU\Software\ShopAtHome\Toolbar]
"updateMsg" = "This will try to update the ShopAtHome Toolbar from the server. Continue?"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A D9 BE 85 64 5A 6D 24 65 61 01 B6 F2 7F 65 E2"

[HKCU\Software\ShopAtHome\Toolbar]
"toolbar_id" = "{E911CBBA-36F9-4efc-837B-ED38674F2629}"

[HKCR\ShopAtHome.IEToolbar.1]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCU\Software\ShopAtHome\Toolbar]
"contextMenuItemName" = "ShopAtHome Toolbar search"

[HKCR\ShopAtHome.IEToolbar.1\CLSID]
"(Default)" = "{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}"

[HKCU\Software\ShopAtHome\Toolbar]
"ShowFindButtons" = "0"

[HKCR\ToolBand.ShopAtHomeIEHelper\CurVer]
"(Default)" = "ToolBand.ShopAtHomeIEHelper.1"

[HKCR\ShopAtHome.IEToolbar]
"(Default)" = "ShopAtHome.com Toolbar"

[HKCR\ToolBand.ShopAtHomeIEHelper.1]
"(Default)" = "ShopAtHomeIEHelper Class"

[HKCR\ShopAtHome.IEToolbar\CurVer]
"(Default)" = "ShopAtHome.IEToolbar.1"

[HKCU\Software\ShopAtHome\Toolbar]
"AlertMsg" = "Alert"
"uninstallMsg" = "This will remove the ShopAtHome Toolbar from your computer! Are you sure?"

[HKCR\TypeLib\{462E4AEC-DB3B-4E69-AF61-4F300D76255C}\1.0]
"(Default)" = "ShopAtHome Toolbar 1.0 Type Library"

[HKCU\Software\ShopAtHome\Toolbar\tb_items]
"Widthcombo11" = "1"

[HKCU\Software\ShopAtHome\Toolbar]
"connectionError" = "Can't establish a connection."

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\TypeLib]
"(Default)" = "{462E4AEC-DB3B-4e69-AF61-4F300D76255C}"

[HKCR\CLSID\{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}\InprocServer32]
"(Default)" = "%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll"

[HKCR\CLSID\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}]
"(Default)" = "ShopAtHomeIEHelper"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"

The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 0B CE 00 C8 48 48 CA 98 F4 5B 30 99 B4 C4 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process SelectRebates.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD E3 37 F3 38 EE 9D 13 5B 76 5A E2 B1 36 24 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayName" = "ShopAtHome.com Toolbar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"

[HKLM\SOFTWARE]
"test"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"URLUpdateInfo"
"URLInfoAbout"

The process SelectRebatesDownload.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B9 70 EE F0 50 DD 7F 3E BE E4 E7 0B 2A AA B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process SelectRebatesDownload.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 30 1C E9 C0 BC 60 82 CB C3 53 F3 70 73 11 1A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ShopAtHome_Toolbar_Installer.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 2A E2 00 D0 6A 77 C9 7B 97 8C DE FD 5D 26 7E"

[HKCU\Software\ShopAtHome\Toolbar]
"TBHideFirst" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ShopAtHome_Toolbar_Installer.exe,"

[HKLM\SOFTWARE\ShopAtHome\SelectRebates]
"SelectRebatesLocation" = "%Program Files%\SelectRebates\SelectRebates.exe"

[HKCU\Software\ShopAtHome\Toolbar]
"TBShowOnce" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"UninstallString" = "%Program Files%\SelectRebates\SelectRebatesUninstall.exe"
"DisplayName" = "ShopAtHome.com Toolbar"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SelectRebatesUninstall]
"DisplayIcon"
"Publisher"
"HelpLink"
"URLUpdateInfo"

"URLInfoAbout"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SAHAgent"

Dropped PE files

MD5 File path
84ffd42c17931a9d1f8361e7680c78de c:\Program Files\SelectRebates\SRFF3.dll
017e694bf86cd554b0fca3b09957e15f c:\Program Files\SelectRebates\SRebates.dll
0bf024e4f8fc508acfed092399f0fb4c c:\Program Files\SelectRebates\SelectRebates.exe
5c2402121f5bf6b7f9e3fe302cb291a0 c:\Program Files\SelectRebates\SelectRebatesApi.exe
589c85ad4b3fd73456f32eb9d58e2f9c c:\Program Files\SelectRebates\SelectRebatesDownload.exe
388a88031cb58ff9ca2e879086ce7c15 c:\Program Files\SelectRebates\SelectRebatesUninstall.exe
28bfc80b6652ae0b1b5e4de75ff2247d c:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 5, 2, 0, 0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5, 2, 0, 0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 121297 121344 4.44682 4d681f47f45c557319b32552b0a75e91
.rdata 126976 32074 32256 3.67224 3219c7385c305fabe90ec07b6e8aadd5
.data 159744 22044 12288 3.66691 7f9b10f539db05c0cc4cefc5ab543072
.rsrc 184320 564256 564736 3.23182 2ce1b2e75e71719365a1b5ca1436ab03

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7
3b493757f823312f972863558a369720
3ec10249ca7c85295746eeaaecd0e8ac
e0bf3c43452f4d9da23080112a0177ac
9a9f0d3f1943ee9907235530d042257c
7b7438826c6e17b0927711989e90ef11
4da1ff1281e76273c6a72dd84f3f42e6
2df5aac3e356cd3881e39cbf2079fc70

URLs

URL IP
hxxp://74.63.145.172/install/toolbar5200_ff.cab
hxxp://www.shopathome.com/agent/agentprefs_.sah 74.63.145.186
hxxp://gs1.wpc.v2cdn.net/agent/toolbarprefs.sah
hxxp://tbws.shopathome.com/RequestHandler.ashx 74.63.145.160
hxxp://gs1.wpc.v2cdn.net/agent/bce_.sah
hxxp://tbws.shopathome.com/RequestHandler.ashx?MfcISAPICommand=installstatus&param=èfrtXFiqIX4GbgcJxPRH7be0DduJjehBXcU_ijoe_Yk7184KcM5uMOzy6qgQ684qQN_n1tdMvaDFOCAkODEmwtIz1E15I1heWCRUQwLrMdJ4MadEXy7l5twFx_vcrx7xz62-2Ce-cg8g8YE_OCsHQQ8WK7TJVzyQNH-wN-Q34VCFwA1dMx5WK332XZrbW5T7JhIDJ1E45-XWfC2Toxg0BUHlYSflnIBQPun_7EqOid6-2BuotMC9cWgTu4CMgEBjJDoiJV6To0An-3tBoeD_dkonSMWGCHIXU8ehz3xfiFf0fzx11uOHy54wfQZGt9mFrncxDfC9WJmBmzK_Sh9zSUKmExO74vJtlFrF3vfh4Uv8BCaEmJgLFJ-8nFhTZ6Y8NbCLTuOOKDklhB0B8J0fwAyNjQlHTk-OQbkUBATz4ed8NxF_oEM21xooLwlSQH587lLQiNd9Zk_35KJOhYrsbxW1sw0sxz9iLr0Lksyzd8NTkfybYMNnhG3Dsrh8I2gC4-YiRsWN-nIOsavXzRH61WwbQY8lUx5LPWI2n0dxcgcATamu3o4xzPh4ZDAjoPWQfvLBAgwvULlvh3aO8usdloQIebqDGD-DViICqgt9c1gcKTc1nqohbnO5lQYO_cGOrQX8zCwKQAi8 74.63.145.160
hxxp://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext= 74.63.145.186
hxxp://googleapis.l.google.com/css?family=Roboto:300,700,400|Fjalla One|Noticia Text:400italic
hxxp://e250.b.akamaiedge.net/js/rac/sli-rac.1.3.css
hxxp://cs227.wac.edgecastcdn.net/styles/CombinedAll_A773E6245BEC1845258BE6B2BD00D120.css
hxxp://svip-usa7.sli-systems.net/rac/sli-rac.css?rev=148249
hxxp://fonts.gstatic.com/s/noticiatext/v5/dAuxVpkYE_Q_IwIm6elsKDoGYR7Z3iWH66EXnaJoKgg.eot 173.194.39.87
hxxp://cs227.wac.edgecastcdn.net/js/html5shiv.js
hxxp://fonts.gstatic.com/s/fjallaone/v3/rxxXUYj4oZ6Q5oDJFtEd6lQlYEbsez9cZjKsNMjLOwM.eot 173.194.39.87
hxxp://googlehosted.l.googleusercontent.com/static/fonts/roboto/v11/5YB-ifwqHP20Yn46l_BDhA.eot
hxxp://cs227.wac.edgecastcdn.net/js/tipped/excanvas/excanvas.js
hxxp://cs227.wac.edgecastcdn.net/images/background_sah_2014.jpg
hxxp://gp1.wac.v2cdn.net/js/91114986.js
hxxp://www.shopathome.com/WebResource.axd?d=utXq0EopSmH_wSGx3BdZvDyYLpS5Ff55sDuYcl5aUvI_mXIJL5BpykW6xvZro8cCJWqYDkZtKLBu4ajxaGC76D-cQPk1&t=635195457660000000 74.63.145.186
hxxp://cs227.wac.edgecastcdn.net/styles/tbpi.css
hxxp://dualstack.log-334788911.us-east-1.elb.amazonaws.com/event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704665&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111
hxxp://dualstack.log-334788911.us-east-1.elb.amazonaws.com/event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704961&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111
hxxp://cs227.wac.edgecastcdn.net/images/global-sprite2.png
hxxp://e54.g.akamaiedge.net/meter/www.shopathome.com/32.gif
hxxp://pagead.l.doubleclick.net/pagead/conversion.js
hxxp://cs227.wac.edgecastcdn.net/images/enable-arrow-yellow.png
hxxp://cs227.wac.edgecastcdn.net/images/bttn_continueshopping.png
hxxp://cs227.wac.edgecastcdn.net/images/button-continue-for-great-coupons.jpg
hxxp://pagead.l.doubleclick.net/pagead/conversion/1071192949/?random=1407066705852&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
hxxp://pagead46.l.doubleclick.net/pagead/viewthroughconversion/1071192949/?random=349323124&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://www.google.com/ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025 173.194.39.114
hxxp://fonts.gstatic.com/ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025&ipr=y 173.194.39.87
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=1836808299&utmhn=www.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/1394716560/goal&utmht=1407066711290&utmac=UA-2915199-5&utmcc=__utma=57828200.490078841.1407066707.1407066707.1407066707.1;+__utmz=57828200.1407066707.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DAC~
hxxp://cs227.wac.edgecastcdn.net/js/lazyload-min.js
hxxp://cs227.wac.edgecastcdn.net/js/CombinedJS_4593A913F195ABA1D3383484F2281230.js
hxxp://stats.l.doubleclick.net/dc.js
hxxp://cs227.wac.edgecastcdn.net/js/baccommunication.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=1561656860&utmhn=www.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&ae=no&source=91099&subsource=FAMILYCOUPONS%7C302133&setupguid=%7B93ec191d-46ed-4123-97ed-f0a0af6373ef%7D&setupcid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&sahusertype=nonauth&utmht=1407066713680&utmac=UA-2915199-1&utmcc=__utma=212097611.2090233412.1407066713.1407066713.1407066713.1;+__utmz=212097611.1407066713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=LBCAAAwAAAAAAAAAAAAAAAg~
hxxp://cs227.wac.edgecastcdn.net/images/slots-rewards.jpg
hxxp://cs227.wac.edgecastcdn.net/images/window-shade.png
hxxp://cs227.wac.edgecastcdn.net/images/rewards-sprite.jpg
hxxp://cs227.wac.edgecastcdn.net/js/jquery.browser.js
hxxp://cs227.wac.edgecastcdn.net/js/secondaryoffers.js
hxxp://ins-011.inscname.net/nr-411.min.js
hxxp://cs227.wac.edgecastcdn.net//js/toolbar/toolbarutilities.js
hxxp://cs227.wac.edgecastcdn.net/js/toolbarpostinstall/submittoshopathomedownload.js
hxxp://cs227.wac.edgecastcdn.net/js/toolbarpostinstall/defaultsearchprovider.js
hxxp://beacon-1.newrelic.com/1/eabd37c669?a=442317&ap=7&fe=11781&dc=11594&tt=39120E64E5BFEA57&v=411.b2946c1&to=YlVRZxFXX0VWVkMPDVsfcmAzGUVZWFlVBxBFX0BHClhCQlZZW0gDRkBL&f=[]&jsonp=NREUM.setToken 50.31.164.168
hxxp://i2.sahcdn.com/images/slots-rewards.jpg 68.232.35.51
hxxp://i2.sahcdn.com/images/button-continue-for-great-coupons.jpg 68.232.35.51
hxxp://i2.sahcdn.com/images/window-shade.png 68.232.35.51
hxxp://js-agent.newrelic.com/nr-411.min.js 192.33.31.101
hxxp://i2.sahcdn.com/images/rewards-sprite.jpg 68.232.35.51
hxxp://xml.sahcdn.com/agent/toolbarprefs.sah 93.184.221.133
hxxp://fonts.googleapis.com/css?family=Roboto:300,700,400|Fjalla One|Noticia Text:400italic 64.233.165.95
hxxp://c2.sahcdn.com/styles/tbpi.css 68.232.35.51
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=1836808299&utmhn=www.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/1394716560/goal&utmht=1407066711290&utmac=UA-2915199-5&utmcc=__utma=57828200.490078841.1407066707.1407066707.1407066707.1;+__utmz=57828200.1407066707.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DAC~ 173.194.39.133
hxxp://j2.sahcdn.com/js/html5shiv.js 68.232.35.51
hxxp://toolbar.shopathome.com/install/toolbar5200_ff.cab
hxxp://j2.sahcdn.com/js/toolbarpostinstall/submittoshopathomedownload.js 68.232.35.51
hxxp://j2.sahcdn.com//js/toolbar/toolbarutilities.js 68.232.35.51
hxxp://j2.sahcdn.com/js/baccommunication.js 68.232.35.51
hxxp://j2.sahcdn.com/js/CombinedJS_4593A913F195ABA1D3383484F2281230.js 68.232.35.51
hxxp://xml.sahcdn.com/agent/bce_.sah 93.184.221.133
hxxp://j2.sahcdn.com/js/secondaryoffers.js 68.232.35.51
hxxp://c2.sahcdn.com/styles/CombinedAll_A773E6245BEC1845258BE6B2BD00D120.css 68.232.35.51
hxxp://c2.sahcdn.com/images/background_sah_2014.jpg 68.232.35.51
hxxp://c2.sahcdn.com/images/global-sprite2.png 68.232.35.51
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.4&utms=1&utmn=1561656860&utmhn=www.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&ae=no&source=91099&subsource=FAMILYCOUPONS%7C302133&setupguid=%7B93ec191d-46ed-4123-97ed-f0a0af6373ef%7D&setupcid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&sahusertype=nonauth&utmht=1407066713680&utmac=UA-2915199-1&utmcc=__utma=212097611.2090233412.1407066713.1407066713.1407066713.1;+__utmz=212097611.1407066713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=LBCAAAwAAAAAAAAAAAAAAAg~ 173.194.39.133
hxxp://www.googleadservices.com/pagead/conversion/1071192949/?random=1407066705852&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext= 173.194.39.185
hxxp://j2.sahcdn.com/js/lazyload-min.js 68.232.35.51
hxxp://i2.sahcdn.com/images/enable-arrow-yellow.png 68.232.35.51
hxxp://91114986.log.optimizely.com/event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704961&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111 174.129.23.139
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071192949/?random=349323124&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 173.194.39.90
hxxp://j2.sahcdn.com/js/tipped/excanvas/excanvas.js 68.232.35.51
hxxp://www.google.com.ua/ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025&ipr=y 173.194.39.79
hxxp://91114986.log.optimizely.com/event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://www.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704665&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111 174.129.23.139
hxxp://cdn.optimizely.com/js/91114986.js 93.184.220.20
hxxp://i2.sahcdn.com/images/bttn_continueshopping.png 68.232.35.51
hxxp://images.scanalert.com/meter/www.shopathome.com/32.gif 23.215.102.75
hxxp://www.googleadservices.com/pagead/conversion.js 173.194.39.185
hxxp://assets.resultspage.com/js/rac/sli-rac.1.3.css 23.215.112.190
hxxp://stats.g.doubleclick.net/dc.js 64.233.164.154
hxxp://www.google-analytics.com/ga.js 173.194.39.133
hxxp://j2.sahcdn.com/js/jquery.browser.js 68.232.35.51
hxxp://themes.googleusercontent.com/static/fonts/roboto/v11/5YB-ifwqHP20Yn46l_BDhA.eot 173.194.39.171
hxxp://shopathome.resultspage.com/rac/sli-rac.css?rev=148249 63.131.147.11
hxxp://j2.sahcdn.com/js/toolbarpostinstall/defaultsearchprovider.js 68.232.35.51
ads.yahoo.com 119.161.22.33


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /js/91114986.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.optimizely.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=120
Content-Type: text/javascript
Date: Sun, 03 Aug 2014 11:51:28 GMT
Etag: "81652c96a976bcda1b203658e689f043"
Last-Modified: Fri, 01 Aug 2014 18:23:39 GMT
Server: AmazonS3
Timing-Allow-Origin: *
Vary: Accept-Encoding
x-amz-id-2: tX b4Z0tq/SeMDKvmgdvE37G0ZR7qAWShZO0skAlE3GVHLUv BUp7yzo9hlLOWaj
x-amz-request-id: E2B7F17FFCBBC261
X-Cache: HIT
Content-Length: 63199
....*..S....{{.V./..>.........B.&i;.No.I.3....B.b@[email protected]]A.`;.4
U...I.......~.......4..?.z..|.'.W3o...F...[7..z..y.Z.f..;.............
e..%q.....b)v.g;k...SQ.G.;....#[email protected]*..1^......q........v.
d1...r.N}<.....a...0..........I.....%.}F.~..K..[.-..}P..`....rqvv..
....s....Cw5Y.......Rm.. .!}.n...*.- ...9{...DS....p....\.._.......8.f
..V.QTES..U.g#w.O...}SLK.MS.K._.g.:.B....k...MBw..2L...K...=F...z..j..
.Y.ky..D.n2.E.-G.,..S7.Az...}.... .......W.M.4..5y..r...c..V..`....2X.
...o.`.Ae..... Fk....Q-.q....F..../E.e.b..3..j.G..i.....U....<..<
;.....,....x.....b.Jn...!Az.ct..#.pI6M.M..r..$3L...!uL.....].....D.U.R
.........).a.uS.U.5'...P.......C.u.<.......5Y.......>....%V,Y...
.!..........D[......6b...7.X..}...q.Bd5f.[cUlKu...8....I0H.h.#........
.c?..8.&.....J...e...jRb.a.......L...]......K.w..X...<..`..n.l.....
..{...3...Nb.e..e...x.._`...D.....#cz.f..7.....3....ss..9.......E.r...
.b.5K......S...A.u.Z2..w..{..t.&#..S......l../.n;k.Z<~...q.K......8
_K"t..H$@...`..j.Y][email protected]#....W.}.%...0G%7..f.2.|a..../|.........
. .p6..\.:...Wsj3F.|..NV>}....s.[._........Qh.i......-\.......$$...
.."\E./...W...2-....v.X....L..7..V..2.O...g...a..z.M.O..x.o.E..S(...DM
,...bp..6..l0`@r.U.T...........54. .&R2L.z ..le..1:.K.&..._...ia......
[email protected]@O..B..b...AS........#O....L...C.......Y......
?M..,...SV......6..U......[.K...Ki..V*.RZ..J...1.."U.T...H....%..c."..
.b.{2.o....."C.<...p./..-.6........l........t..>...Fc......l.u..
.....f.w...fF.n.6$u&E..|.....p.ReEK...o./..0...~./..`..JB.rT..\.X`
<<< skipped >>>


GET /css?family=Roboto:300,700,400|Fjalla One|Noticia Text:400italic HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Timing-Allow-Origin: *
Expires: Sun, 03 Aug 2014 11:51:26 GMT
Date: Sun, 03 Aug 2014 11:51:26 GMT
Cache-Control: private, max-age=86400
Content-Encoding: gzip
Content-Length: 473
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
............]s.@.... .N3S\....I2.G..Z)......,,e..v....&f.t21....y.s.9.
[email protected])A.......((.(bIH.C5.....:.fU....4.u_.X....7<...
...B...k."..6N.|aX..[.....{Bwd:.......^nF.f...f..0q.`B.Mh.0......&..K)
I*.#S..(.".5...8.H,.H.1....s..&J...|...e...F.\...z....>.....V:...!.
......}..h.^.......4...Y.j..f.P..G..[3e....,...\...=..0-....p.W Qz.?6.
Q._.=..P.w.y..$..(........5.....>.PN..G!....O....v.......o[-......~
...5..#...._>.x.........~.T...&.3c....k...s...-..........<....HT
TP/1.1 200 OK..Content-Type: text/css..Timing-Allow-Origin: *..Expires
: Sun, 03 Aug 2014 11:51:26 GMT..Date: Sun, 03 Aug 2014 11:51:26 GMT..
Cache-Control: private, max-age=86400..Content-Encoding: gzip..Content
-Length: 473..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEOR
IGIN..X-XSS-Protection: 1; mode=block..Server: GSE..Alternate-Protocol
: 80:quic..............]s.@.... .N3S\....I2.G..Z)......,,e..v....&f.t2
[email protected])A.......((.(bIH.C5.....:.fU....4.u_.X.
...7<......B...k."..6N.|aX..[.....{Bwd:.......^nF.f...f..0q.`B.Mh.0
......&..K)I*.#S..(.".5...8.H,.H.1....s..&J...|...e...F.\...z....>.
....V:...!.......}..h.^.......4...Y.j..f.P..G..[3e....,...\...=..0-...
.p.W Qz.?6.Q._.=..P.w.y..$..(........5.....>.PN..G!....O....v......
.o[-......~...5..#...._>.x.........~.T...&.3c....k...s...-.........
.<......
<<< skipped >>>


GET /s/noticiatext/v5/dAuxVpkYE_Q_IwIm6elsKDoGYR7Z3iWH66EXnaJoKgg.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Last-Modified: Wed, 23 Jul 2014 21:38:22 GMT
Date: Thu, 24 Jul 2014 05:47:55 GMT
Expires: Fri, 24 Jul 2015 05:47:55 GMT
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Content-Length: 18076
Age: 885811
Alternate-Protocol: 80:quic
..........t{eP...........S(.................{qw......o...\2.7.{....C..
..A(.......... ........._........R.T...R`......w ..c..%.#..`.0./L..j.,
.^.U..T...h....Y........p./w.8..e.....s..X..o'......W.V..'.....x..<
...X......,.|Id..g.7.,....<i.).x.p...r...amYtF.B)$.(jK..9..M.<-S
&.......i.^.4.\.....\.Xs[C.a{..h.....V....O...57d...:.l.7....x......?.
6.. .C.V.@..$X...J......b!..N..o.F...[]... ?G.E.e......N.|.....u./ao..
.Ms... :v.p..x.EPw1.0.k..h....V......Q.b.73.g2..I.'....Gr$..)$`.......
S.6..}21IU..x.]..v....G.NG.'%;e].h.o.......}pr-.......QS ..J.wN.a.e..N
....U4...m....#....&<.ZQ...B1...."&.....%[..u..&.l=L !,a.... j).,..
*.0..x.n..,fx..4.y.........Wd~;..vW..2......B6WK....2.-......,..\.....
.u...9vN~/v.V#zrXOT-.......^7....v......?OG.|...P|....u.....&LC.V....d
.JZ.?i.......8..k.s.{.O..\.m...h..9.s.;1.E..*.R.....H|..R.Vy..'R...kF.
..M..$5N.I.~.-.^.:.....G..0;....*d.v..h.0Y.r.p$.e0:r...F...OX...SX'W..
Gj..w...$..5J.._*(.Y.P%.."..,......A..6.'"].f ..2=VV.....Qk.x.lA.7o!K.
T...u1..p?7H&...%2..E/./9.#.pZ..T...@&c.....w.Y..>...6W.Q.!X...."|.
.y.....aH.9P7.a.L..L-..Biw. SY._Z...s.2.6`w-.....V...z..sXKzHI..V...&.
... . ....qd.............1...p.L.i..D.T....*.]..E}E$.8...{(......F..`.
l.1..6....._P.....i.GG.Pu....6.O.Yj....L.1S...v...h.z.._.....f.....h  
.v.....N..[.B.......!......].......g..V.@.".qt.N.T.5.b1. 8./.......T..
.....ox-.b6j.e.......17/........./......tD....~.......:..\.q.....ye.I,
...N.B...........,..>.I..1...A..@E1nF..............]u_'q..b."....|G
_..Pd.............x3.nhZ.LZ.......E....)......J..fn.Hy... ..`.L.%.
<<< skipped >>>


GET /styles/CombinedAll_A773E6245BEC1845258BE6B2BD00D120.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: text/css
Date: Sun, 03 Aug 2014 11:51:26 GMT
Etag: "4f283b9838abcf1:0"
Last-Modified: Tue, 29 Jul 2014 14:22:57 GMT
Server: ECS (rtm/35A7)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 45005
............y..9.'.U8...T....N:#^....<f..J....7/..`.K$.E'%Eq.....H.
..7..........b).t....`0........jxX....v...n.E]/7...j..G..~EF..-..4.rZ,
..n..X6...............vY.aM..r...........}=..p.4{.....f.nw.a;\..a.)>
;.[R........^..Uq.]....iL.(v...R8~\..r.Z.....uM67V..E..MY...ZV.;......
...e....#...=........@.?..i...._.......n......._.zY....~.V;B6.bS..\..G
5.........].......}..Q<....M.............$...n..(W.4n.....j"....\o.
....OW.k.......c$......Vd..f..4'..j...a......(......o........e..~GV...
...OdW..b...v...r.F'..vV...]_M.S:.7d$G&.gd}S...6O6.H.[,....a.....uqK.?
....../I.O..........5u.#[R.G.E.>...(:.!>.A.}..rZ.o..?m.^.N.QV *f
e.....=..U. .d....:.Z.f.,.T....;V..I.i..4'M.....v1.yA..Gb.0./)a.T.....
.u..X..K:.Gk.O.UC....7...mw...o..1.....f=f.Ow...$fV.f3gV$...R.<...1
-q.y...;...eYv..<"o... o.......4.u.:..C.x...<.1.%W._H`.$..;>.
..]T.J\L3... j.V.....qU..m....P......q4..p..&.jG..G........]l.......r)
..lm.x.Cw..J2....b=;1#8.CW.i,..u...*B..<-.?.ZU...U....A...o.&G.#.6V
w:..w....^~._.D...]............Z..U...Cu.......*.!....g....... v..]Q/)
./iqCFd.=....6./.l.H.a.7Y..!..,;.B7.}...ZQ...~..R./.3F....-...k..i.>
; W..`D..l(?.7<O\....}#....z.. .._:i..........e..,p.J..-...?.M..)[.
..(vI.\dQ.........0.5..bo...6..Y.l....h...gZog....X-o7........h.Gv....
...q.j.b5j.;..&......)V0A.Y.....`...[..Eo......CV.3?......].d.....l...
.9c....Z.al.~cK.uD*7.....?BE.g..21Y..`R.Jv..JQ bqQ...5=! {.4.Z. l.....
|n'..`...<!......Q..l0..Z .X....UU.w#Fw.......F0gc[[email protected]
......D....y.L..#.k....G.e...B.f.h..5.fD.0].w.[53.jf).lD.......M..
<<< skipped >>>

GET /images/background_sah_2014.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:27 GMT
Etag: "802d51f43e66cf1:0"
Last-Modified: Fri, 02 May 2014 19:44:39 GMT
Server: ECS (rtm/35D0)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web05
X-UA-Compatible: IE=edge
Content-Length: 1198
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c061 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" 
xmpMM:InstanceID="xmp.iid:3295104FD23211E3AE07B2FBA6D740AA" xmpMM:Docu
mentID="xmp.did:32951050D23211E3AE07B2FBA6D740AA"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:3295104DD23211E3AE07B2FBA6D740AA" stRe
f:documentID="xmp.did:3295104ED23211E3AE07B2FBA6D740AA"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
.......................................d..............................
..................................Q.....U.......................R.....
[email protected]...'r..W.U...H.w..t>....
<<< skipped >>>

GET /styles/tbpi.css HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: text/css
Date: Sun, 03 Aug 2014 11:51:27 GMT
Etag: "80da345aada6cf1:0"
Last-Modified: Wed, 23 Jul 2014 19:36:09 GMT
Server: ECS (rtm/35AD)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 946
...........W.n.6....;.1...R i..Z>.Fs*.c..DI.)R .^.A.,.<R_.C...n.
.\......!...|......}#.ALhC8..<=9StGT..UtrTE.ylhA2.-P....U<.B_OO.
<..R%....8\}.i......f.1A....e......k.D..a.<...eee.$....4....N...
..&.d"A A!.;...`."..% [email protected].....'(......2g.%9U}.9..'./...[..d...
.)..J%.".}..,..kH.3Q&(.......=.4..O.V.(\*.3*.....Y.....~?........M...-
...... g.}...Y/......`..t.Ln]-:.Ws>...4v.z..~......:R..s=....}..T.L
.n..t-9..#oo.......U.:. .;..wM.%.&.........^[email protected].:#....R.
!f...u/.IV....w.s.t...0.&Z..Q.jRB^[.//*c.d.dq.I..".d.t..Rsi4..._..b.M.
n(q|.}N.oe..l....S...&a....v...vL.c:........\V.......I...XI.......1j..
...?.......;.U<v.....!A..B..3hJ.Q.`CMZz.].2...~..].}.%.).X7........
......hc;.G..T...p....0.U.r..M..........-.L......97J.3K.L.r.:.c.......
{..{Mq<.\7X6.,.f.L...G...P.g...%.....H..-..1bJ.^g..Y..'eye....Y.Wo.
....9...g~.....4i.~.*1I{..m[..^.:...,.V=p......f.....3.%.X...d........
.~.m..0..8n.(.......S.u..(.[.k...'=.....G..bR.....i..{.5.).....HTTP/1.
1 200 OK..Content-Encoding: gzip..Accept-Ranges: bytes..Cache-Control:
 public,max-age=604800..Content-Type: text/css..Date: Sun, 03 Aug 2014
 11:51:27 GMT..Etag: "80da345aada6cf1:0"..Last-Modified: Wed, 23 Jul 2
014 19:36:09 GMT..Server: ECS (rtm/35AD)..Vary: Accept-Encoding..X-Cac
he: HIT..X-Powered-By: ASP.NET..X-Server: Web06..X-UA-Compatible: IE=e
dge..Content-Length: 946.............W.n.6....;.1...R i..Z>.Fs*.c..
DI.)R .^.A.,.<R_.C...n..\......!...|......}#.ALhC8..<=9StGT..Utr
TE.ylhA2.-P....U<.B_OO.<..R%....8\}.i......f.1A....e......k.
<<< skipped >>>

GET /images/global-sprite2.png HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/png
Date: Sun, 03 Aug 2014 11:51:29 GMT
Etag: "8079543cc79bcf1:0"
Last-Modified: Wed, 09 Jul 2014 22:43:43 GMT
Server: ECS (rtm/35A3)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web02
X-UA-Compatible: IE=edge
Content-Length: 131879
.PNG........IHDR...............Y.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com
/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:
stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http
://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:OriginalDocum
entID="xmp.did:5B7E35C1E28FE1119A6689FFA9306BF0" xmpMM:DocumentID="xmp
.did:7A6F686A07BA11E48D81FB838E841546" xmpMM:InstanceID="xmp.iid:7A6F6
86907BA11E48D81FB838E841546" xmp:CreatorTool="Adobe Photoshop CS5.1 Wi
ndows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5FEB65F5950
7E411B6F0B4AC838C9823" stRef:documentID="xmp.did:5B7E35C1E28FE1119A668
9FFA9306BF0"/> </rdf:Description> </rdf:RDF> </x:xmp
meta> <?xpacket end="r"?>..~.....IDATx..}.|T...yo.-.....!...Q
.%..w..b.O._......uk]...-.-.V-..U.......l"[email protected].{...L&3.$d.$..
s3.{..;...|...I..i....@VR.....,Rr......f...555.O....)...i.....\..#....
.H...c ..............3....TX.5.x_.... ..{.7...\R.$E.A.....i.~....]....
.........m........H... .j..d3._m(((.w.g...qT]`.......*...pY.......^I.z
i.......\s.o.]C...d..2.,?u..}dF....&.AT....._Q...\..5j\..W.......)....
.KP61;....g..VTT...z....EQ....!$......<....`.4iR]vvv39......p..
<<< skipped >>>


POST /RequestHandler.ashx HTTP/1.1
Accept: */*
Content-Type: application/octet-stream
User-Agent: SelectRebates
Host: tbws.shopathome.com
Content-Length: 565
Cache-Control: no-cache
Cookie: SAHSessionID=e36127ba-aaf2-4cec-9a92-fc156034c504; SAH=dcVer=5.2.0.0&SRC=REBATE&REFER=91099; sahdsp=tbinstalldate=8/3/2014 5:51:24 AM; ToolbarDetection=Version=5.0.2.0&cid=47685889; CookieCheck=Y; SAHtbpi=showconversion=false

cmd=ar0&xml=<?xml version="1.0" encoding="utf-8" ?><AlertRequest><Cust><GUID></GUID><Id>47685889</Id></Cust><Dog><GUID>{540AEB63-F616-4B6A-8960-7794B185A087}</GUID><Ver>5.2.0.0</Ver><TbVer>5.2.0.0</TbVer><Prefs>1</Prefs></Dog><Requests><Request><Type>Favorites</Type><Id>5</Id><Src></Src><String></String><LastFavorites>-1</LastFavorites><LRFav>-1</LRFav><OpenTime>1</OpenTime></Request><Request><Type>Checkin</Type><Id>6</Id><Src></Src><String></String><LastFavorites>-1</LastFavorites><LRFav>-1</LRFav><OpenTime>1</OpenTime></Request></Requests></AlertRequest>
.
HTTP/1.1 200 OK
Connection: close
Date: Sun, 03 Aug 2014 11:51:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/xml
Content-Length: 138
<?xml version="1.0" ?><AlertResponse xmlns:xsi="hXXp://VVV.w3
.org/2001/XMLSchema-instance" xmlns:xsd="hXXp://VVV.w3.org/2001/XMLSch
ema" />..



GET /rac/sli-rac.css?rev=148249 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: shopathome.resultspage.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 11:51:26 GMT
Server: Apache
Last-Modified: Mon, 28 Jul 2014 18:38:48 GMT
ETag: "262-4ff453bcd9e00"
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Expires: Tue, 02 Sep 2014 11:51:26 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 265
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/css
.............J.1...}...(........l2..l&$.Y\..nK..v....g........mE!..G..
......l3vB~..%(&.c............j.......qh..b.D..S.K..... 3nc.IA:y.Atju.
...D.......#_M........{[email protected]%..z..<..6.c ...
'.i*$./...|...."........g..n.........<`......x.b..w'6Ab...HTTP/1.1 
200 OK..Date: Sun, 03 Aug 2014 11:51:26 GMT..Server: Apache..Last-Modi
fied: Mon, 28 Jul 2014 18:38:48 GMT..ETag: "262-4ff453bcd9e00"..Accept
-Ranges: bytes..Cache-Control: max-age=2592000..Expires: Tue, 02 Sep 2
014 11:51:26 GMT..Vary: Accept-Encoding..Content-Encoding: gzip..Conte
nt-Length: 265..Keep-Alive: timeout=2, max=100..Connection: Keep-Alive
..Content-Type: text/css...............J.1...}...(........l2..l&$.Y\..
nK..v....g........mE!..G........l3vB~..%(&.c............j.......qh..b.
D..S.K..... 3nc.IA:y.Atju....D.......#_M........{[email protected].
.zh.S.x%..z..<..6.c ...'.i*$./...|...."........g..n.........<`..
....x.b..w'6Ab.....



GET /s/fjallaone/v3/rxxXUYj4oZ6Q5oDJFtEd6lQlYEbsez9cZjKsNMjLOwM.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Last-Modified: Wed, 23 Jul 2014 21:41:46 GMT
Date: Wed, 23 Jul 2014 22:52:33 GMT
Expires: Thu, 23 Jul 2015 22:52:33 GMT
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Content-Length: 17801
Age: 910733
Alternate-Protocol: 80:quic
..........|.UP.....a.........%.{....5.C...............i.j.<.......S
w.,..).......?........R`...........H..O............ .p.X....%....p....
..Z..=...s....@.?....8......p........3...........>i....2...j.....e.
.b....GXG...az9...Y....I...*jt,.....B....U.jj..e....(.)..<[email protected]
.{[email protected]?.....2j...a..%.....1r..<.....;........7....r....
.3...D.>.... [.Lw.&....Vp..([email protected]#,6U1.`.t..6~...T..
D.A....p....5..'..E.T.....Z..?...}..D.[..iyyA&8..3..W.V.....J.90.7 ...
......LQ.5.FN..~..X..d..j...y...)?.i......-}.qZ.H.. .R.x........AG..\8
(%|./.t......b-`......VM...%7...n..)....Ym......g.l. 1.u.7.]{Mje...Y.A
....y.%.aG...idV..so XD.ai....e7k..Y....v...iA(.......w...F..L..(...1.
Y.<..$...Y..\...c5.:/E.s.y..N!.|%...........,Xf.Y{.#...i.9.....N.&l
t;.M.W3.g.A!..^....5,j...{......(8...Q.i...=.....m:.. .a/FO....<.Y.
o..S.g\.%`._. . .;...r.0..L&]...A.R...N..>......Q:..).$..=....;P...
,..F$.>".9 .....:&j....e.p..z{.,.'Z9.(.."..c............?.7.......%
.x,.....7,.......o3<..v..U....(E_d..H.28.....G.a5....@*......g=...5
.......].>........z4..-..\[email protected].`fK.../'..ew...MiM.
..9.* >p.J.5.....N........B3..3.4...J.V..L.]../.....D...T...\.Qr...
p.......8l...n(.../...]s{.s.l.0e.v..K.S.o.....j..D..4Hl...B..c..Uh-...
.tu].j.0.W..C.-..B.U.4..$..T.....Oq...s...t^.:&....-|b."4.]H...E.."e7k
U......2X.j.<.....s.....N.......H..N...9...%\...?.{4...$......x..m.
.....Fv.3..A....s.....(_....m..W..v.s0.\c.......T....C..D.%..v...... .
...W^y.c...E...(.tr......|r.<.!...>.6Q.~4....VM .!mN.G.[...d
<<< skipped >>>


GET /install/toolbar5200_ff.cab HTTP/1.1
Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: toolbar.shopathome.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 01 Nov 2010 21:15:04 GMT
Accept-Ranges: bytes
ETag: "0fcf1d997acb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
X-Server: Web08
X-Powered-By: ASP.NET
Date: Sun, 03 Aug 2014 11:50:50 GMT
Content-Length: 358086
MSCF.....v......0.....................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>


GET /images/rewards-sprite.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "0fa6a6c1a84cf1:0"
Last-Modified: Mon, 09 Jun 2014 19:38:44 GMT
Server: ECS (rtm/35C3)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web09
X-UA-Compatible: IE=edge
Content-Length: 50170
......Exif..II*.................Ducky.......P.....ohXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DB007B0061E7E3118
D81887002F653B1" xmpMM:DocumentID="xmp.did:AADCE73CF00D11E3B218DCA04E4
6994B" xmpMM:InstanceID="xmp.iid:AADCE73BF00D11E3B218DCA04E46994B" xmp
:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom
 stRef:instanceID="xmp.iid:7015E28F0CF0E311893BDEEDFD747222" stRef:doc
umentID="xmp.did:DB007B0061E7E3118D81887002F653B1"/> </rdf:Descr
iption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&g
t;....Adobe.d.........................................................
......................................................................
....................b.................................................
.............................................!.1A..Q".aq2B.R#.....3S$.
b..C4....rc%....DTt..5U.Vv7..s.d....&f.......................!..1A.Qaq
.."......2BRr.....b...#S....3CcT......$.sd5.....%............?.....DQ.
DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ..^i.._u............I#c..@...
V..........D.F..J..R..G.A&...F....c....U..2..#wbF_u{~...X..qm..:[5
<<< skipped >>>

GET /images/slots-rewards.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "80ae881f567fcf1:0"
Last-Modified: Tue, 03 Jun 2014 18:03:29 GMT
Server: ECS (rtm/3591)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web07
X-UA-Compatible: IE=edge
Content-Length: 106459
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c061 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" 
xmpMM:InstanceID="xmp.iid:5DDDB795EB4911E3AB48E272FC25F790" xmpMM:Docu
mentID="xmp.did:5DDDB796EB4911E3AB48E272FC25F790"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:5DDDB793EB4911E3AB48E272FC25F790" stRe
f:documentID="xmp.did:5DDDB794EB4911E3AB48E272FC25F790"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
......................................................................
..............................................!1..AQa"..q.2...BR#.....
br3U......C..$T.u.7..Ss..4.5..ct6.Dd%..........................!1..AQ.
aq".......2...BR.r#.b3.....4...Cc$s............?..M.....P..@(......P..
@(......P..@(......P..@(......P..@(......P..@(..M.).4..n.r.|&.....I.6.
..6......o........(I.!.|.....'2b5.~.......Z=.9..3.E...<..b.M3.b#..&
gt;..J>.Z...f.m>Dl..i.,#......s..... [email protected].|.....
<<< skipped >>>


GET /js/lazyload-min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:35 GMT
Etag: "e9a62c1e8edccd1:0"
Last-Modified: Mon, 17 Dec 2012 19:38:41 GMT
Server: ECS (rtm/3599)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 1156
...........V.n.6...[...([email protected](-I%......%.Nv.....p..
.C.......%.W.*..T....>.z .c...2..ZJ...K..,..FY>I>7...-.....=.
...])n7BX..S.....A.En..j)b.?.$.V....E2.gnJ. ..c..e.J.8.H5....VL....'..
.j.....k.gj....\4V...u..s.......w.@WRI.....>..w`.pm..yY..b.4.4..Q..
_.u..3..9....l...,..E.!m.B....i4.G.1......M..Z...0(.....:~..7..Pi..s.$
......'..\..r..J....j..g....f.....D.....K.....F.,...I,....U]../..]....
..c.&gl..cR.....n^.`-s>.../w...V|...}.o...zR..;.|@..w,#..t.z<...
...`mH..Hs}{.q.yG..Q..2.zB&.<M....Ox.\....=.X{.....tW..4...x.......
S..DY..[[email protected]@d..;.DiD..(A. I..6.oa....o.G..
...@S...............~......g........|.;.7 .....9..0.....].....G....d~h
.OAc.x.._....'..,#U...?..2....4b.p..j.%.F...1......e7..EnO...MZ...t,#.
.M.....BQ.. .<*...........\.J.D.]]..yn.....>..(..x..s. ...X.....
......R........]..1.... .H..f..;...w .g..u..N.Y...[..e..q.. @z.U..pO.R
B.z...?.I>..............H.(#.E.....n,..4..pT........./..$N...w....L
1..<..""-.....h.Y.k....=..l)...:..b../.R....7.B....M&......Q56.J...
..I.g..h...4.u..;]<I./....}.b....`.E..7K....%....#....3.......xN.B.
'.d......h. _C......,]..B.b.._y.......O9......_w....F....A]e....o...}.
......
<<< skipped >>>

GET /js/CombinedJS_4593A913F195ABA1D3383484F2281230.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:35 GMT
Etag: "ce401df39abcf1:0"
Last-Modified: Tue, 29 Jul 2014 14:32:05 GMT
Server: ECS (rtm/35BF)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web07
X-UA-Compatible: IE=edge
Content-Length: 104678
.............r.H.0....B.HD.DQ..t7(..,.m........Z.....-..."Y#2b_c..{...
.G...W..... @I..=.3...Q.............{....o....M.j..C.q....W.O.;.....;Q
..8..ow.....<L.N>.5.a..]...K;.ky.|.....#.x)7?.x^....>..v..'a&
lt;.Z>..a.....c{iv#.n.....l.w.B.Y?.../..;...g\D..E.,......."5..b..;
Ly^..]6K..!..0",2...k...eu\T0....E.8 X.......6.....'Ag...%...$.....&..
K......r...x..0.Sk.}......Y~.Y0.,.....c....a..p.....fP.(k%W<.......
S..h...y.,.....1...../.)?...s.v].a....a.....2..A.P..Sw.Rmk.oG...M. U..
.y7.....kX..Z.X4.o.*.ZgB.KH.m.Y7.]q..~..!.Ny..x.....y...T.......*.....
O.~.!.;....g.Q\N.......F.7......,..-....{..49...y.......kA...6........
.]kd.....;..Y1...;`.l...ww>....?Z..N..1.9...3..?.a.....er..C/.].6G.
....,..&..B...74.~Bs.'4i...`.oS~u..q....Ly.........|.?....R../.x..;L.8
.......o..M....p./..i....Vo.?...V/.Yg.[.d.-..fx......Y....<.mn....Z
F.^..\....;#......\7.u ....OX..z]c0.v.....z.....Aj..~.p.....v..5...^.v
D..[...$....{^.&....>V.l........V.}..Q..a*t.s.%&V.9...anF...5 ...6.
D...P1....03.....5...l$1C<[email protected]{...H.l. ~.n..:.XZM.
g...h..G..M.....7;g.~.D.p.o..NjC..hIC*...V.m.&.r|t..-z....xv...S7..i..
. [email protected].'.........u.%..4.,..)*.Q./~..%&..)~....c......:....}*`.d.O..
K`.0...z....d.....r..8._..W.RC.."[email protected]..|'I;.2..?.M..Xi...d.].......f
...H..=.....1....\.......].......*.0.8.|..e..o...{.....\.|3s._|..m5.gu
.H...3{...$..7.t\R.`.!.O....#2.WX.R.!........*.>.a...k;:}.........n
C.p.....?.....Ck..>...a2O.P....c.....4!o}..G.....4..D...H.U..."_...
.....Ci.ww.:....Y..h....K].....p..SR5IR.....X..J.$e...!........x..
<<< skipped >>>

GET /js/baccommunication.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "07e30b1215ece1:0"
Last-Modified: Fri, 31 May 2013 17:10:04 GMT
Server: ECS (rtm/3591)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web09
X-UA-Compatible: IE=edge
Content-Length: 250
..........\.KN.0.....;....Q.X..D...A.QT..Qc.?...d,8R.P.i.....of...7Fo.
...j...I.m.P.j.>1.....k.....0..4J^@.fv'L.<( ...(9.I.$.k......S..
.~.._.=3....8..^.....Bv.....=......Z.Yj.n..._.l..A......$(.K....h..y..
).Lvv.7pyj.E..H...it.....^..Y...W`[email protected]/1.1 200 OK..Content
-Encoding: gzip..Accept-Ranges: bytes..Cache-Control: public,max-age=6
04800..Content-Type: application/x-javascript..Date: Sun, 03 Aug 2014 
11:51:37 GMT..Etag: "07e30b1215ece1:0"..Last-Modified: Fri, 31 May 201
3 17:10:04 GMT..Server: ECS (rtm/3591)..Vary: Accept-Encoding..X-Cache
: HIT..X-Powered-By: ASP.NET..X-Server: Web09..X-UA-Compatible: IE=edg
e..Content-Length: 250............\.KN.0.....;....Q.X..D...A.QT..Qc.?.
..d,8R.P.i.....of...7Fo....j...I.m.P.j.>1.....k.....0..4J^@.fv'L.&l
t;( ...(9.I.$.k......S...~.._.=3....8..^.....Bv.....=......Z.Yj.n..._.
l..A......$(.K....h..y..).Lvv.7pyj.E..H...it.....^..Y...W`[email protected]....
....


GET /js/jquery.browser.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "80a580a2176ccd1:0"
Last-Modified: Fri, 27 Jul 2012 16:48:23 GMT
Server: ECS (rtm/35C9)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web05
X-UA-Compatible: IE=edge
Content-Length: 1200
...........Umo.6......W ..D..t[.{Y..k.6..%[email protected]"U......;R.$w.0$A.{
y..9.)>|.....?**...)..J..W...>.;...TLp8....i..x...........A.....
...2..A....h....-.UQ*.xZc;..T.......hl..M.LA..3.ij. %%...iD..g([email protected]
 ..........Hs..L\.W.....5.....pR-.......T...E...^p.3...$w...|.l..Aw.?.
./..P..M.........K.YJ..u..o..G...)..4jR`[email protected]>.W9j.ho
...):.- .:IMCOB?...`.$..;......R..'...{.u.t..Ni....i........ ^........
GM..Ti8........[...*../.Xs/.......q.!d..-.|...$.... .r..:.:!.#8...I..H
.2')...........$.:....kLu%9H'..B........x.n....X..HX..$....,.c`T.PM...
.A.o..8.... .%..G.f0.....m....1.O..l.<9.. :..X.9.,....:....$.....N.
.......s.(%.Sx...m.{........o.3I....x..)..L.`}....RKjI..orA..*C8I...p.
..f.E~..nl....</.T5UZ.Ih...6[..A.]...|..v7|..4Rb..-...T.sMVlApG.\;t
.h>3.~...4...a.mv.........&.\l...._k.p.[`I..-M..|...^!.8.b&a....p..
....:..f.-B.k...&.N..a..T \..l....."-........4..o.....e...>..;....!
.$.~J...I].f.p...f.....|c........[[email protected].?".....q4>.
[email protected]_f....XG ...(....YM3.u.llR
.9.....&.,c`.-p[.8... K.v......5.. ....6FU\(.D..)..Lp.........:.......
.K\l.....C..5.^..>...m.){....."2.]...G6k7.a...so......6..5.D..q../.
? v.5..|.z.W(z...Y..._.B......{.B........
<<< skipped >>>

GET /js/secondaryoffers.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "0e911a7c44cf1:0"
Last-Modified: Thu, 20 Mar 2014 20:36:42 GMT
Server: ECS (rtm/35B4)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web08
X-UA-Compatible: IE=edge
Content-Length: 1801
...........Z.n.8....w..E,.....M...M.6E.6.4..E.`$.VV...Nb.~..b.i_a..Y"e
%...[..".......d.....[.[....>....o.c.. ......F.[......P.#......z.[.
..j..g..~Nb...].{..J1.....g..!...$%....lF.q..{i.;....(..YL3.....Dlr.#.
..d...y...d.%="..JU..W...I.....,....'...R).x".a..}..n.>e......V.#.|
A.E..KH...p..\.).....3....8.8..0....?....(Z'.8..!..)gW..p.0.%...{...".
....\.Kh.....3.G8.@...:..A...s.U.V@#A...i..............CT..Z.O.?..r.0.
... .C .^D..D..$..{.8.04.y...s.]....w!:...w...h:\~E..E..8uk..h8...g .R
.FPg.. .ufB...Em....9...w......|.:...v_..UC:..9.Fj...S........../K..T.
.-.y....n.s2.o...@........;-.k.o'[email protected]."...B.ij.jr.{V:.4..G?.......k.
X...m5B.....w.N..e.V.K.v. ..^..7.3.y....,.T..M-.....X.R.`O.'..,...^. .
.{.......3...H.t6.L($.....0......)....b..<..4......^.m..........H.^
.T.D..7f........c.U-R..E$.$...B........C4....y.[..aS..k..,9.....`.HH..
...Q.....Q.....Q.L.....r....l@.!./..g{..........b..O.)...."B.2..E.j.]L
F.I.e..b.~...0..b.H.a..FRP....vvJ.:. -NI..h<.Sx.{..%."#k.kh.]utxL..
.0U.x..oU8...h..n?1<-....$r!..k..Dr$....[..........CC.Q..I....*...i
&....K..(..ce./....zE9!.S...e:......n.p...a.~;v.....G.....[.0..B..X...
.b....&O..T.o..f[~.xk.J.R....aU..=......),O...e.....N..x.6Uj..t.......
K.....JI...%....r.&.......,j......&,4IPYM.....} Fn......d.X,.N/K.J.2.%
.. o.PDUi...Q.....u]RO...#..s.?..9.......yD.?.6.Vm....Y..%..k.hSXT#y.&
....`.3]...bm4...........Ab..q..IzM.^sPi.Sw....L}.<.....S..P#^.!#..
..o........;.....Uc 8u..:...H..,.l(.T..M..](.9A.....eiR..O...,.....?.a
...j.......k.vc..F/x....$..PZq%Q.1..e[.i...G...4kEo.....5I.>g.&
<<< skipped >>>

GET //js/toolbar/toolbarutilities.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "29f18a681a8fcf1:0"
Last-Modified: Mon, 23 Jun 2014 19:36:20 GMT
Server: ECS (rtm/3593)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web08
X-UA-Compatible: IE=edge
Content-Length: 1857
...........Z.r.6..g.w.&.....\1..NH M.H.&......R.e,9....z.G. ....l.?K..
..o....st.tt..........`..sA.*(......xz2. .@....<|..9...Q......D.$t.
e!.G....|$rLD..x..4As.p.[....e....?..#............Ei[.3... .,.hW.D>
;;.........y..JE...Y8....G...FuI.SY...R.......X.>.I.7.R...as.T..-.y
..G.....#s...2.......q.b.......;.#k..l.K...B....la..ot. .h...o..o.No. 
\|$1....7..R...;&...m.(...c.$..hF)..P...$SL)L)...B.y.}Fh..WjjN.}...*%9
$"E.....S..%,..RJ.....H-.<Z..#..v.hl\..._.....7D}...=q...3...8..4q]
..y......Cc.$.t[..Ru.J{W..$..o....\....r..<D3.aYHS...\5...b..b.....
<....s...r..8...Td.bK.f.m..ZlY..,[*........`...)...v.r#..[.....Q..e
#7U..wt..u...}.j ...(.Q...ZL.t...C..r?.Z..1...[..F........}....t..%O..
17Y.k...H......oprm.C.(..y]..C...1..#[email protected]
.`.....].Kg...O............d..]0*...t..G.~.N0....z."{?.....0......?..u
..M.Gs.B$......E....3&....."3.....~;.G..@.>.&."....o..Pob..R.......
.......g`....d%.q..../.fYB..1....a..._......#IUGc...c.\aT...XH..n1.I .
NZ.......c.h.......E$..l...Y 9._E......Pz..~T......{..F.V..H?..".Tu&..
Z'...r..k.*..v..N...*fW`..(..0.l.T..g..).c......1Sr.(.Tr..SY].u..:MQe.
...[....y....nfK.=<-...(.89....gt.B.y.So.:...d.......Tk2.C.<(.)c
6-........ixI8...99....O.Uwl$auv....$..z..G..i:F..Q...A.{.C...[U^.'W..
..]..M`/..#.O.Fis......4.-)...>.....x.h.....0`.3D..v|o.Z..5......vv
.`".>K...8...fL..'...!x.B.>..M .x...........d........K.?-Gd....k
...iN..}.tz#...T.....)s.....;.U)tSr.c.<.fP.4.=........x.k...Z..EGa.
..i......6....Q..:....5.u.... ....O.(b....o...t4[..l~...]gm.......
<<< skipped >>>

GET /js/toolbarpostinstall/submittoshopathomedownload.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "04af24ffe2bcf1:0"
Last-Modified: Mon, 17 Feb 2014 16:35:48 GMT
Server: ECS (rtm/35AA)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 784
...........W.n.0....w0.Z.....7 .(....I.<..8.'..l..ly2.x$^...?[.....
.......}'.....S..J....5.B.....n...........z.G..G..|.7-....r......T....
@(..Z.....I{..L.. ...f[.....n.Z.yM.lPb.........q....6....G%O.e....Z..!
.......c..9nw.y..j......z*.......}....F..4..!...E\...a......%\C..`6Vi.
~R......u...........y..1J0O.!YY=[./.R..........$M...-#.1:9A-......S...
.....R.]/0....al.......*.M.R.....<.4M......\...M.5e.$.y3..x....o6.W
!.......j{HI.F...;...5.P....... ...LK.QaXw5.9b0<[email protected].."...1F....Q?
...f..b.Zu\....].#.....R..)jAU.E.)r.,[email protected].."6z.;m_...>....n.B.d
.,_.p;..x.j.....)>.<.......(........|}.....15...0..Vs?.......z..
.y.......xh.m....*.x.Xex.s..r.:l.>.o2......."........JK.w..*....C..
#...5.L.P.|...6".D...<...N##...........]...LxS.{.*.v.*.o......B.W~.
 (.3.......^?K\.'t..}......?..y...........


GET /js/toolbarpostinstall/defaultsearchprovider.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "0b6ee121963cf1:0"
Last-Modified: Mon, 28 Apr 2014 19:35:56 GMT
Server: ECS (rtm/35AA)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 983
...........V.n.6../.w`...P..3l..*E..[.n.....vAKG6cY.H*N...v.G. .P?.d.v
..`........w.?..#).Hs.. ...."..R.....Mgo.m@$.\B......I6..R.....by.]-..
.7L...*.v.....o<!.....X(.4A...%..nWf...Z.Oh...C...j.vJ.......x..W._
}_.. .;.......U....dE.Z.3diz~uY..h....v. ..IWwI UPz.1...|X.0.;.g.K-..g
...;J.Zx....~]...hJ<......w9..|..1K..........t;E.C.3...m)P|.I).....
.LF........w.bp.l.6O$2%R...x-...!.^.....2e...O..8.$4..?>...3..)-?09
..Q.(Z....Q..Y.y.....K.Ai/c7|[email protected],@.......k..........E.9.....
...6k..Y .V.[.....d..hh.`...g.X.XD.......rNu..aDE.UM.u....3..XZ.Z|N.r.
9.M1>g3.%}.J......sP\....d.k..F....~A....Q......~..a..-.m`S...(..=R
..............d. ..w.?...A.. ..?.."..g...T....Y..K.z.I.f{..2a3...yw..`
0..g.......wx...!...o...;J.J..|.f.....J.q.CQ.8..".< .O(............
q{..T...}.>.....i.../.7.Y..=YZ.../'.......ey~.....S2...c.!A...>.
|1.s..']..l0....!.h]J..........3*.w.ws.6s9...bdD=..g..N[H..k....w..A9.
._...q:Z..Qb6G).W...........E|.....;........H....\...v....6.{.........
h...gs.{.m..._...h......HTTP/1.1 200 OK..Content-Encoding: gzip..Accep
t-Ranges: bytes..Cache-Control: public,max-age=604800..Content-Type: a
pplication/x-javascript..Date: Sun, 03 Aug 2014 11:51:38 GMT..Etag: "0
b6ee121963cf1:0"..Last-Modified: Mon, 28 Apr 2014 19:35:56 GMT..Server
: ECS (rtm/35AA)..Vary: Accept-Encoding..X-Cache: HIT..X-Powered-By: A
SP.NET..X-Server: Web06..X-UA-Compatible: IE=edge..Content-Length: 983
.............V.n.6../.w`...P..3l..*E..[.n.....vAKG6cY.H*N...v.G. .P?.d
.v..`........w.?..#).Hs.. ...."..R.....Mgo.m@$.\B......I6..R.....b
<<< skipped >>>


GET /ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025&ipr=y HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 200 OK
Content-Type: image/gif
Date: Sun, 03 Aug 2014 11:51:31 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
X-Content-Type-Options: nosniff
Server: adclick_server
Content-Length: 42
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic
GIF89a.............!.......,...........D.;HTTP/1.1 200 OK..Content-Typ
e: image/gif..Date: Sun, 03 Aug 2014 11:51:31 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..X-Content-Type-Options: nosniff..Server: adclick_
server..Content-Length: 42..X-XSS-Protection: 1; mode=block..Alternate
-Protocol: 80:quic..GIF89a.............!.......,...........D.;HTTP/1.1
 200 OK..Content-Type: image/gif..Date: Sun, 03 Aug 2014 11:51:31 GMT.
.Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Contr
ol: no-cache, no-store, must-revalidate..X-Content-Type-Options: nosni
ff..Server: adclick_server..Content-Length: 42..X-XSS-Protection: 1; m
ode=block..Alternate-Protocol: 80:quic..GIF89a.............!.......,..
.........D.;..



GET /nr-411.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js-agent.newrelic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 5775
Connection: keep-alive
Server: AmazonS3
ETag: "9050946217be03f42647b3f708ef10d3"
x-instart-cache-id: 1:16954596951746155381
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Thu, 01 May 2014 23:15:58 GMT
Cache-Control: public, max-age=315360000
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Accept-Ranges: bytes
Date: Thu, 10 Jul 2014 19:02:44 GMT
x-amz-id-2: M6Z1FvhosAPz/iDGNmz4we1GllhHXR2rCe8NAa/cyM2LxF4ezoQWqSqUblbUlD30
x-amz-request-id: 7B5A513F8EC80783
X-Instart-Request-ID: 16053233814722616906:SEN01-NPPRY14:1407066698:70
...........[mw.6....B..*....8NB.V.4......fv?Hj.M....TA..G.............
I../.....Y\f.J.......V.=.(...$v..L-L)[email protected]...........|/..e"E....P.
../])T).^...F...U]n..J..{...{ e...&..\..$.z.<*S......}..=a........\
.......u6Z.. M.`hA.^.0..}.p....."".|.{.....=....TU.>.~f....<.G..
F.S.-.j....v|.,......{.6....&.............I.D&$K..G.Z.qz...?..........
.7.....4.w.'Qo....~./....G.v...Mg.b.s..o...6 ......m.*[email protected].
.J&a..0.........'0...a^f..a.1...?.1Z............n....N.......4...P.u..
w...E^....Col...Q1.1..-Px...V...F....<.A1.LU.Q.6.Se.....-..~.n.G..m
.d ..SP.d..g.....&.x0'..4...fr.. .\.........H.B..5..H..2M.....rf~....;
.D#.....)Z....0...2..T......!.T.7...p)..d-..(.U[.,4O.J.#l..0.........S
..a.....R....c...^r...2.....<.}...4B.-T.....>[email protected];.W.x..
..D..S"VoW...lA. ..g...\*O..2Oda.......|..3....J.I.P8)$.H.*.R..,4...{$
.........nE...a.&..=..oy.9.....k.x.....U....$.&A]..lAF%......k....&iX.
.>).d.,..hRVX.9....;...p.)..S.............l.Z.9s.....0RVyG..<..*
...e.....l a.<..=.,..[.....a..>...JT...[./.t5B.K]w..g...(M......
.1D9l.W..{bS...........v..l...X...^.e..J.......'...^Y.,.....{....Z...2
...E.m....].zj......x....2M.......<,.`.a(....T... B.l.^.....xP.....
..f.!4t=.].=...Fd..U.F.9......F~...bb..v...vR.V.0..|x'.0.....R...Z..!I
w.u...([.s....U..r..|..)...t.M.1..aw.}..H..C9Nd....`.vq...H.y.u.E.A.(_
..3E...../H..0v.~.X..^P-Rbh<..^...v...%`c.C0c..].W..7V.h5 .........
vP..e..mhY............5..7..o$....V...Kl.....:-...o*..hCc......A......
-...\......0,...;........3[..q.l....b.......]x.Yp.,.F..?.ES.[....F
<<< skipped >>>


GET /js/rac/sli-rac.1.3.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: assets.resultspage.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Last-Modified: Wed, 14 May 2014 03:13:05 GMT
ETag: "ed6-4f9538f159240"
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 943
Content-Type: text/css
Cache-Control: max-age=1639541
Expires: Fri, 22 Aug 2014 11:17:07 GMT
Date: Sun, 03 Aug 2014 11:51:26 GMT
Connection: keep-alive
...........W.n.0.}[email protected]..%.I6F.....`..:6.&i...wl !.H...[..5.3..3.J1..
.iiT.....O...*W..(Ih..(....\.7".......W..._(@._.7...[Z. .,.)c S\%J...s
2...aD...P.d~..*.(I.0R...A.....F..&........3.....%..g.3..8..<z.3$2t
.F....2(5.g....f..p...I#q0...o}..90 ..t...=A......._...y<.ah#..|*T.
*._.O...8....= [email protected]..(.. .4
Ym.#.q9....2........>....:..{t..'..p['"...:...96R..p .M.'.|?..n;~..
.....'..N<7..o....Z..F...]Q...I..3....... ...V..%s1D.k.`.....)...LF
...{..Qk=..E..............9.Um....Z].x.`.).j..=P].....E....|Nm.ri..HN.
...gT^/j.L...E.?...`2zZ#.z|.b......b...'.l.....bn ....y.........m..2M.
....^."4.j@/............o.k.a...V..R,..^...nU..[.3.U..~...-}.,....30..
..mg..4.....J{..c\....6...k...=.P..m..{....i.k .;w........&.W.....\?G.
... .M............^.6q.. ....RN....X/.Mr_...Z...Ng.......Z............
...@.;.|Jl.C....>v.....\...b.H#.8..g......u}.*8..5.9w..`S..ao......
..K....w.!.p))...c|...3ZO......f..q.....-xd.....HTTP/1.1 200 OK..Last-
Modified: Wed, 14 May 2014 03:13:05 GMT..ETag: "ed6-4f9538f159240"..Se
rver: Apache..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Enc
oding: gzip..Content-Length: 943..Content-Type: text/css..Cache-Contro
l: max-age=1639541..Expires: Fri, 22 Aug 2014 11:17:07 GMT..Date: Sun,
 03 Aug 2014 11:51:26 GMT..Connection: keep-alive.............W.n.0.}.
[email protected]..%.I6F.....`..:6.&i...wl !.H...[..5.3..3.J1...iiT.....O...*W..(I
h..(....\.7".......W..._(@._.7...[Z. .,.)c S\%J...s2...aD...P.d~..*.(I
.0R...A.....F..&........3.....%..g.3..8..<z.3$2t.F....2(5.g....
<<< skipped >>>


GET /ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.google.com


HTTP/1.1 302 Found
Location: hXXp://VVV.google.com.ua/ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025&ipr=y
Cache-Control: private, max-age=43200
Date: Sun, 03 Aug 2014 11:51:31 GMT
Expires: Sun, 03 Aug 2014 11:51:31 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Server: adclick_server
Content-Length: 860
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/ads/user-lists/1071192949/?lab
el=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie
_present=false&cv=7&frm=0&url=http://VVV.shopathome.
com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92
-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&Error
Level=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=n
o&source=91099&subsource=FAMILYCOUPONS|302133&setupguid=
{93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid
=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcod
e=1&tbtext=&random=620693025&ipr=y">here</A>...
</BODY></HTML>....
<<< skipped >>>


GET /pagead/viewthroughconversion/1071192949/?random=349323124&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e
Connection: Keep-Alive
Host: googleads.g.doubleclick.net


HTTP/1.1 302 Found
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sun, 03 Aug 2014 11:51:31 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://VVV.google.com/ads/user-lists/1071192949/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=false&cv=7&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&random=620693025
Content-Type: image/gif
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 42
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic
GIF89a.............!.......,...........D.;HTTP/1.1 302 Found..P3P: pol
icyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="C
URa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV O
TC NOI DSP COR"..Date: Sun, 03 Aug 2014 11:51:31 GMT..Pragma: no-cache
..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, mus
t-revalidate..Location: hXXp://VVV.google.com/ads/user-lists/107119294
9/?label=FQpPCJHS2wIQ9bbk_gM&fmt=3&bg=ffffff&num=1&ct_cookie_present=f
alse&cv=7&frm=0&url=http://VVV.shopathome.com/ToolbarPostInsta
ll.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=Su
ccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={
540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&s
ubsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-
97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=
960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&rand
om=620693025..Content-Type: image/gif..X-Content-Type-Options: nosniff
..Server: cafe..Content-Length: 42..X-XSS-Protection: 1; mode=block..A
lternate-Protocol: 80:quic..GIF89a.............!.......,...........D.;
..
<<< skipped >>>


GET /images/bttn_continueshopping.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/png
Date: Sun, 03 Aug 2014 11:51:29 GMT
Etag: "8090d77ebfdca1:0"
Last-Modified: Thu, 27 May 2010 22:25:09 GMT
Server: ECS (rtm/35C7)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web03
X-UA-Compatible: IE=edge
Content-Length: 4797
.PNG........IHDR.......J......t.<....tEXtSoftware.Adobe ImageReadyq
.e<....PLTE(\..!c.=.#H..C........c.......v...K.......0R.h...,......
.....;..6.(M..C................i}..6..........$P.....9....q..<]....
.........Dd.EX...........0.Ki.Zv...."T..6.yyyc}.. .h|..0.G`.Sq..4....0
e.,\.....7..0.Qn.}...=.Rk.*Y.$S.y...6..3.....2../.\p....4V..8....5P..2
....7Y..........eu..4.(V._y.Uf.Hf.A_..7..>.0Dy/`.......u..=Y.n...N.
Yu.......v..$@....'X..3.......7X.9Q.......9Y..........\ 6.....IDATx...
._.H..... ..... ...j-6F..hi.....)b...S..<..b..gfv......<w.....f7
;_ff7.D.."........`..0..'.....-j... .........!.6.'....ZJ......P2..E.&n
....;&..`.N..o............xG0..i...m.)w"b0...C...$m..M...:....b.~r.I#.
.D...U.2....1.&!Ot.p#.. ..A...{.>...........&..p..l.k.....g.L.v=<
;.S .(....5..8.7....c]s....m.<...T&!O=...H.3...~(.J..,..W-.5."%jL.&
lt;Q-.]s =...A..<..(t.n..DY..^Z../?.~>.........e.>`WI:....N.2
*...I...Jss.8.(..[,.?....{..5..uw..5.......................V....H4.S%R
.b..!...)e2s.l......g........p9y..:.B...0..?.......h...V.ei."..K...&l!
.1 ....X.................V.!.8d4,.8.gf....w.]....Y.d..,..U$..C=.C.-.e.
... .r/.I,%.....a@2?s.T>..,[email protected]...(..A;.9.....q...G.<
;d*.....H%..........md.P..ry..e..H....33.c{.x\\tvv..@*....`.|ZaH..j..x
.xB^.b.F.aJ.D... .a...2sL`Z_3.*[email protected])....p..o....:5fL|..
.I...p.r.~^...b.......v.......<..p.B.p ." ..Hd..8.$....>.x......
.... ..|..bpp.2.0radZ\.O.A8.?8.A. [email protected]'.!.J.."[email protected].!q..........F
.u..9.cO.......r*..ai...l.6Ar.....R.<.s.4.z(..*..r...4D..E]..
<<< skipped >>>


POST /RequestHandler.ashx HTTP/1.1
Accept: */*
Content-Type: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: tbws.shopathome.com
Content-Length: 725
Cache-Control: no-cache

MfcISAPICommand=update¶m=jrY4KCvNQB0jGQRA1_PCpBffIgoPd-yOmMJiRaUNtj5ntc83z6XqUZEl58YWhrF6R4L1gzFzrnrsl43tEcZA0JZqOYi44BetlYWGfx4nJKwMDwEDSvxJkPAm_dSkuDAoT0SJwZ_L13W7_h5FUQPshqxFw1PCtRwnR6OyCRS9eST5ZfZXFVbK8EPdTfTvYnmWc5tvcY5WnFudiH71JAVSWot0kvQkdOiifvMlMvMnWKKsNwmukolsEPhezGZy4etTidBvgaS_YSDh79hNfK1edVyan4RKHU5K5Bfx70XETuFr8FYw-Qe_GchXQTMcIFzy5eD8h4uxw2Av3IvYaXSTVZoPzk0IL63izFwany0vpucPYVl5v5lS41a6uJAKQ8AqsnhQm19R4oFmDt7yDg5roz4vXlnekCdFOHJbQR85LGm5S7dUEQMCQU5ub-WZB3YvZZWfxC_vOBH-wF_0rzPLnTSkOZnDFe-akR8KcnY86mTjQY49sNXsoBN3X_eJ_MjuhcPzLNrS1yOUS4535cgFSq30no8JuQHk4cyaOUjrxSVTHUleSdi0QephZo1DD7ruWp230v3-oPxeLAAcu2rXDtjnmQIHdYKKL-yin1IqYoZH_QlkSyTlt6vstRrW6PH5-ZuxUyvuWk5ri9ZkgGjjHP9tNxdW23fCcHLlnjrwjaa.
HTTP/1.1 200 OK
Connection: close
Date: Sun, 03 Aug 2014 11:51:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html
Content-Length: 460
.....X.P.Wh.-A....L..iJ......d.nG...q.b..htz..Z..i....x.....9@...0.2..
^8.....s..^.5....).0V.N^.....Z'...L..........m..0..."J...h5.J.Xh...)e.
Gk..GJ. ...........~.j...V@&O..... ....y.L&..g.y..;.EY}AD.e..p.....&..
.....x....UR$.U..{.x....8....O...Tn........^.{.. .(.Z.h.Y#.7..D.F_.-..
z..V...Cb..l....$.r.G......h.L3.5R....bZg..P..a*...r.....L.p.=...o...]
....48..).tz.h..qP........dg...fbN.=6Ef..{.B{.....n.e....b.c.....g....
.d7q F.O?9....SQ...,.....q....g.r...*Z.Q..



GET /images/enable-arrow-yellow.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/png
Date: Sun, 03 Aug 2014 11:51:29 GMT
Etag: "80789b5f38bfcc1:0"
Last-Modified: Tue, 20 Dec 2011 16:56:53 GMT
Server: ECS (rtm/35B0)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web05
X-UA-Compatible: IE=edge
Content-Length: 1703
.PNG........IHDR...I...1........p....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:75580AF22A8F11E19E2CBFD0
DCA407DD" xmpMM:DocumentID="xmp.did:75580AF32A8F11E19E2CBFD0DCA407DD"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:75580AF02A8F11E19E
2CBFD0DCA407DD" stRef:documentID="xmp.did:75580AF12A8F11E19E2CBFD0DCA4
07DD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>...X....IDATx...Yk.A...........n.w..T.".QT.
4..q.....D...FT..DI.Fc....1....8.L.........LwWu...u.V.(M.......RMU..&l
t;Gku....o..O..|.)h..._nr..I.......T....&.?j.....].y-..2...g..........
...84R...[.z....z*/V.T......t..NV..k4x'[email protected].:./..3..'',|ECA Q[..
)..][email protected]........).4.3x.#.k..3.?N.....F...iH.
.&...x.........d..D}../.%$..|!......6.....2.....pG..:.....xB.u...6.!^|
.o......x..$.e.N.!m.... ,[email protected][email protected][email protected];...b.3m
p`,..w..6....LB..lv.2..p.......HVkK9..E.!Qg.....e.5...#....Y....^.... 
}..J...:U..k. ).r..O.U.......f..../..\.!Q.e..B.....P..X...T.p.w..q
<<< skipped >>>

GET /images/button-continue-for-great-coupons.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:29 GMT
Etag: "0d3c398bccce1:0"
Last-Modified: Fri, 18 Oct 2013 14:09:02 GMT
Server: ECS (rtm/35B2)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web06
X-UA-Compatible: IE=edge
Content-Length: 25359
......Exif..II*.................Ducky.......d..... hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmp
MM:InstanceID="xmp.iid:D760254037FE11E381E48C3E8E0381AF" xmpMM:Documen
tID="xmp.did:D760254137FE11E381E48C3E8E0381AF"> <xmpMM:DerivedFr
om stRef:instanceID="xmp.iid:D760253E37FE11E381E48C3E8E0381AF" stRef:d
ocumentID="xmp.did:D760253F37FE11E381E48C3E8E0381AF"/> </rdf:Des
cription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?
>....Adobe.d.......................................................
......................................................................
....................\.E...............................................
.....................................................Qa!1.....W...X..A
....".q.e..2BRb#$..Cd..r3sTE.............................!.1AQ".T..V.a
.....q.2b#...Br.....Rcs$..t..3CSD.u.............?.....P.:.....Tud.E5..
......H..i...3..UE.\g0..&.1..5...2.{...t.{.U=.....<..k.`......3....
.{......-..y.n...8.........=....c..?....y...m..hpjiJJ.m.........7C...k
...@.?...K.....oUz-5U....zJ_4..*}&Jf'.U*|Lq.....F.M..b.ol...r\..T.
<<< skipped >>>


GET /images/slots-rewards.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "80ae881f567fcf1:0"
Last-Modified: Tue, 03 Jun 2014 18:03:29 GMT
Server: ECS (rtm/3591)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web07
X-UA-Compatible: IE=edge
Content-Length: 106459
......Exif..II*.................Ducky.......<..... hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c061 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" 
xmpMM:InstanceID="xmp.iid:5DDDB795EB4911E3AB48E272FC25F790" xmpMM:Docu
mentID="xmp.did:5DDDB796EB4911E3AB48E272FC25F790"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:5DDDB793EB4911E3AB48E272FC25F790" stRe
f:documentID="xmp.did:5DDDB794EB4911E3AB48E272FC25F790"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>....Adobe.d....................................................
......................................................................
......................................................................
..............................................!1..AQa"..q.2...BR#.....
br3U......C..$T.u.7..Ss..4.5..ct6.Dd%..........................!1..AQ.
aq".......2...BR.r#.b3.....4...Cc$s............?..M.....P..@(......P..
@(......P..@(......P..@(......P..@(......P..@(..M.).4..n.r.|&.....I.6.
..6......o........(I.!.|.....'2b5.~.......Z=.9..3.E...<..b.M3.b#..&
gt;..J>.Z...f.m>Dl..i.,#......s..... [email protected].|.....
<<< skipped >>>


GET /ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.shopathome.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: SAHSessionID=e36127ba-aaf2-4cec-9a92-fc156034c504; domain=shopathome.com; path=/
X-AspNet-Version: 4.0.30319
Set-Cookie: SAHSessionID=e36127ba-aaf2-4cec-9a92-fc156034c504; domain=shopathome.com; path=/
Set-Cookie: SAH=dcVer=5.2.0.0&SRC=REBATE&REFER=91099; domain=.shopathome.com; expires=Mon, 04-Aug-2014 11:51:24 GMT; path=/
Set-Cookie: sahdsp=tbinstalldate=8/3/2014 5:51:24 AM; domain=.shopathome.com; expires=Thu, 31-Dec-2020 07:00:00 GMT; path=/
Set-Cookie: ToolbarDetection=Version=5.0.2.0&cid=47685889; domain=.shopathome.com; expires=Mon, 03-Aug-2015 11:51:24 GMT; path=/
Set-Cookie: CPA=; domain=shopathome.com; expires=Fri, 25-Apr-2014 11:51:24 GMT; path=/
Set-Cookie: CookieCheck=Y; domain=.shopathome.com; path=/
Set-Cookie: pixelparamid=; domain=shopathome.com; expires=Fri, 25-Apr-2014 11:51:25 GMT; path=/
Set-Cookie: SAHtbpi=showconversion=false; domain=.shopathome.com; expires=Tue, 02-Sep-2014 11:51:25 GMT; path=/
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
X-Server: Web02
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Sun, 03 Aug 2014 11:51:24 GMT
Content-Length: 11189
...........}.w......=..?h...>..y%@i/.$..W.h..=9......m.h..~g$..`.i.
...v....F.h4.....O..........]2... H..d24-...<oT.f......l;..R.T.....
..........m...=..s..l........v.$.i.r.a.US. .Z..~...BT....%.3s.....$*..
..............|....RO%.@u\.......H$ .-uH...q...L".my..(.6,.N....M.~...
...=..E.3...q_.>d....=....5i...n}W..b...#.x........U.U.*.z.&....t..
...$.[...j.I6..M..Q.R.j...!...}p.ihHj)-Q...f...e..........I-..N..M..^.
........dB.l....b1_P.!.sT.U5.8..A.....z...C........{...._./.__........
\.M.........~...y...1.czn`5.H.<m.........*J>.[....{.........u.f.
c..Y.iQQ..a...4{....V..on,...Qvh.7....^.J....N.$......G.9.x.:...s..NF.
.......A...gYSM3i." .Tk.E........Po.`..k.j.fi;..L.D.6.'.....R....v..;.
...i...$y......&....f.x...}.?..\f..v.=>8.~..$D....>Zw>zA?.k*.
.O...p....!.h....?......|.Gcw.DI.....#m....w.N.Tf...mx...nR..;....s../
"9/.%%..)...W.....^..yu.M..|f......'3....,c.....5.....OS..<rl......
..d.......v....]....7.......l!A......s'.?J.e.....d......#Ys...].....$.
>..t...px!.Os..ij...a.0..Y..S..L..I=.(.d._..y.....L.a..1..n.[\6....
....$.s..........$g.......J..|..G......;..}....=<....D.).A......K.^
=)I/L..I...kF..Y.3........vi.1..U..{@..C..........u...?......(P..;....
.\>2.S..G.5H.-F:.I.Z..].v....ER........S...a.Q......X.:k.....~..u.4
....4.......K.l....}...T..........C...O...R......_1...w..O}ql..G.gh...
.Dp...O..!...u...&u...TXRC..?A.3D....M.$....]u.......#...xa(.R........
..2....bQ...VRJ.B!.....}V....u.i][email protected].\,.....0k|...nFz.Ez..e
........y........Rs....K..Ns...7..\.T.....`.....Z.F.....l..=....n.
<<< skipped >>>

GET /WebResource.axd?d=utXq0EopSmH_wSGx3BdZvDyYLpS5Ff55sDuYcl5aUvI_mXIJL5BpykW6xvZro8cCJWqYDkZtKLBu4ajxaGC76D-cQPk1&t=635195457660000000 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.shopathome.com
Connection: Keep-Alive
Cookie: SAHSessionID=e36127ba-aaf2-4cec-9a92-fc156034c504; SAH=dcVer=5.2.0.0&SRC=REBATE&REFER=91099; sahdsp=tbinstalldate=8/3/2014 5:51:24 AM; ToolbarDetection=Version=5.0.2.0&cid=47685889; CookieCheck=Y; SAHtbpi=showconversion=false


HTTP/1.1 200 OK
Cache-Control: public
Content-Type: application/x-javascript
Content-Encoding: gzip
Expires: Wed, 29 Jul 2015 15:52:25 GMT
Last-Modified: Sat, 09 Nov 2013 05:16:06 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
X-Server: Web02
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Sun, 03 Aug 2014 11:51:27 GMT
Content-Length: 4391
............io...{.......,.....*.B..]..mXJ6...hrdqC.*9.-...;'97.8i?4=,
..5..7o.....&y....N.b9..Kx.F_.Wx......4,...z...._/......I.b8...E.^u...
.P.]....i..............x...O....I..8yCO.6P........ky.T...BD.....\M..U.
E.z...."[email protected]....?i.8..=~M...$.. .=.. .5(.)$B..c..=.%L.".A.f..yp....
.H.....7.z{\[email protected]..&6..S....^.=...`.d .;........u.Z.
.R.......w......b.h...>7."....ZxiX....;......?...&.......;..E.TT.J.
.peh.(^.#h,....8...G.......C..k hN.}...>.....`.R......3..<.o....
T..f/.]d.c.;.a.W6 ..3.c>........e.......S.]..F.yve..........* .....
...'...I..n9..@.'..8L.;D..x...QQ...#P.r.E."..u.A1.3..'.~.f`\68I..M.rH.
4...Ox.(..._.`.E......q.C$.l.......M...xt~~4....x.{...'Y...$p.H.uM.jt=
z.HL..q[*1N.'.O...G.g....... Y......V.].]<...>....L......]......
...]>.?........Q..E..I)..TG$.?]...".......|.{..tz.w......6..@......
x.."[email protected]....).J..8&.................FM.>LM....8
0......<O..KO.4=M.....$..R0Is....[..#......G.z.3....,o.4n=......$%M
....r..9.zyV .M.QU.-..........U....U....."...z.w...(....yAC.M...n..'.#
R3.V!\........?.z.X......{...c..F.x54..... .w%,....c/._.fY...._.?*...E
...F.*66..............d.CM.c.E0..Y.....%[email protected].
..."<..)........L}......Rrd........)*2..?\.............y...H....C.X
 B.5.....r....."[email protected].(.>..Z9...)!..?..w,s<P.(.o
...`[R.F9B....P..Q)..#...$&.....P.../`#...Q^ .c....m........i{..nR.C..
.....2O....X0..$..M..z...S0....Y.a.FlM#DHk....."b..Q[..V..............
x..q...^.&(..T."..Q...q.....oa..^....5..T.R.q..B..Q......BM.6...".
<<< skipped >>>


GET /agent/agentprefs_.sah HTTP/1.1
Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: VVV.shopathome.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT
Accept-Ranges: bytes
ETag: "0d2ff4a70abcf1:0"
Server: Microsoft-IIS/7.5
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
X-Server: Web03
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Sun, 03 Aug 2014 11:51:10 GMT
Content-Length: 1080
..1....?"[email protected]&d../....=d;....]z.`3_..:p36x....w..=oK$...:%.U_..
.....|.2.<=.R......TKOX.p..P....=9..M..?.."...$j.H..;..gw..f.U.....
...pf..[\.....r......hE.....a=.o.]P,..f.5..6...D.;5BP.wTH.....Z..P,:..
..>..4.8...3...jg.$...n.....3]...l.T<....3.S."...2.[...k.~.NB...
=......j.YFcJ[..%...Y...ES<........'..dh.S...A}R.oa<.M9.m.. ...(
..t...O.k..T22j........-3j,...b...(m=.14.."..mO.n.>[email protected]
....U..-.Nu. .^..0.S........Q...$!4.....:..p.!......s...wo..f.....n?Ft
..?..O.cP......{.I.,..m.Pd,.V........."..c.....v..s..%.....l...2j.....
...._....._1-...U........i ......>.k&([email protected].?....{.}......ei
-..&].`.-U. s.....V..^............I..E}.A_.b1.X!.Zy..Ig.G....^.TJ7.?.l
..V..<.KZ....|.....dDZ.f....U;.s.2...='Cw......I......G.....s@>.
...K....1.t..rH.8k....q.... .{.q>.....88.....S..TH.O..<!....u]..
......<.w......(l.(.......%D...].....o....Y.:...E..g9.....x.....].K
{.Q....u.d..u..R "n}kVCC .;.b2d..W (........k.1.&.......f.9..^.V`.l...
IN..>.C.{.0.D.J%.?......'! 7z..........4Q@;.. ..8|..............I..
..{.:.H.Z#.b.<.~.k....S.....6.=3.B........5.y.'.VD..-~UJ.....s.hZA.
..HTTP/1.1 200 OK..Cache-Control: max-age=86400..Content-Type: applica
tion/octet-stream..Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT..Accep
t-Ranges: bytes..ETag: "0d2ff4a70abcf1:0"..Server: Microsoft-IIS/7.5..
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"..X-Server: Web03..X-Powere
d-By: ASP.NET..X-UA-Compatible: IE=edge..Date: Sun, 03 Aug 2014 11:51:
10 GMT..Content-Length: 1080....1....?"[email protected]&d../....=d;....
<<< skipped >>>


GET /event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704665&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 91114986.log.optimizely.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Date: Sun, 03 Aug 2014 11:51:28 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Server: nginx/1.2.7
Set-Cookie: fixed_external_91114986_end_user_id=; Domain=.optimizely.com; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=-1
Set-Cookie: end_user_id=oeu1407066704571r0.7012583148362586; Domain=.91114986.log.optimizely.com; expires=Wed, 31 Jul 2024 11:51:28 GMT
Content-Length: 35
Connection: keep-alive
GIF89a.............,...........D..;HTTP/1.1 200 OK..Content-Type: imag
e/gif..Date: Sun, 03 Aug 2014 11:51:28 GMT..P3P: CP="IDC DSP COR CURa 
ADMa OUR IND PHY ONL COM STA"..Server: nginx/1.2.7..Set-Cookie: fixed_
external_91114986_end_user_id=; Domain=.optimizely.com; expires=Thu, 0
1 Jan 1970 00:00:00 GMT; Max-Age=-1..Set-Cookie: end_user_id=oeu140706
6704571r0.7012583148362586; Domain=.91114986.log.optimizely.com; expir
es=Wed, 31 Jul 2024 11:51:28 GMT..Content-Length: 35..Connection: keep
-alive..GIF89a.............,...........D..;....


GET /event?a=91114986&d=21303474&y=false&s172491114=direct&s172437468=false&s172419741=ie&s172406886=none&n=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&u=oeu1407066704571r0.7012583148362586&t=1407066704961&f=702098547,1004574052,1656520074,868243247,1658670006,1390230039,1006681359,786269042&g=104247111 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 91114986.log.optimizely.com
Connection: Keep-Alive
Cookie: end_user_id=oeu1407066704571r0.7012583148362586


HTTP/1.1 200 OK
Content-Type: image/gif
Date: Sun, 03 Aug 2014 11:51:29 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Server: nginx/1.2.7
Content-Length: 35
Connection: keep-alive
GIF89a.............,...........D..;HTTP/1.1 200 OK..Content-Type: imag
e/gif..Date: Sun, 03 Aug 2014 11:51:29 GMT..P3P: CP="IDC DSP COR CURa 
ADMa OUR IND PHY ONL COM STA"..Server: nginx/1.2.7..Content-Length: 35
..Connection: keep-alive..GIF89a.............,...........D..;..



GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 07:46:36 GMT
Expires: Sun, 03 Aug 2014 19:46:36 GMT
Last-Modified: Thu, 31 Jul 2014 23:23:53 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15983
Cache-Control: public, max-age=43200
Age: 14695
Alternate-Protocol: 80:quic
...........}k[....w~...f. .$..&.y....--..M.......8.........$[NB.>.&
lt;..".gt..F....O.".%C..}.....r(.H~.x..\....f,...0..{.=.<Hev....$c.
.z.;..].'<.d......4.,.J....=..d<\.~2.$<..i..h>............
 .................x.$c.].......a.._.L\:l...d..k.0.<...y..vX7p......
.e...&p..,...]...N:....A.4KF..d......_.3H.......1.].u.d.H......X......
hp..!.......Lb.?1.A. ...2. ...........F..=.4.zA..[.`.8....a.aw:..~...k
>.A./z..'..H.w....^..J...I.....1.....[y?p~&=..Kl...V..y.....`W.^z..
[email protected]. u.Y...!..R.h.F..`./>5...*{...(..:A.5Ob;...r.&.E..J.
WVV.;..E2.*O....8^...:z.xE..J.R%.....Y.<!.J...Z.yI..b..5.3......Tep
......g.f..W...<......:n.....}.Y.[1jL....v....W.8..#w...t..........
Qr.zv.1.t).~...*..r.Z...6. [email protected]*............~.B...s.
....\.]6.7U...Tp=......T.`<..........AN..nL.....(:...r.K3...5.r1p..
A.|.e\\.ze...:04.....7......F.f..j...R....c...C^t.Z.Dp...A.Ta..e......
...[[email protected]|..w0,|.K9..$.o.
b3....b<....L..........S.;6..... ..I....$\.S..sdu..;......t..g..N. 
....i....:>...N..>...U...JG.."..X....B.qh.E....(*..#. .o.. A".u{
{.;.......W.....kM.c="h,.(.=.....%..\[email protected]\x..5......\.L...M"tf.GM
...X[.QU......_.lH......n@91........[...f>F."..QD.....&.s...Ka....]
.Ux.{=O....(.".;..".G..aR\Y.WVtX....;k..h._.O..b...2....{[email protected].)2.
..xD7.4.T...i.v.RC`.m.8.\....J...To..sss.....p*.....3.WH...5X...k...y.
`\ ....&1..j"?.D.W.}.;D:d.F....p#... ......d...T..jU7n.;-.h._..E..`-`w
..a..@}.!...]...Pk..j.k.|.9}H|.......O.C..Q.....0a..,.{2.'oJ..n...
<<< skipped >>>

GET /__utm.gif?utmwv=5.5.4&utms=1&utmn=1836808299&utmhn=VVV.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/1394716560/goal&utmht=1407066711290&utmac=UA-2915199-5&utmcc=__utma=57828200.490078841.1407066707.1407066707.1407066707.1;+__utmz=57828200.1407066707.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=DAC~ HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 31 Jul 2014 21:16:46 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 225289
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 31 Jul 2014 21:16:46 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 225289..Alternate-Protocol: 80:quic..GIF89a............
.,...........D..;....


GET /__utm.gif?utmwv=5.5.4&utms=1&utmn=1561656860&utmhn=VVV.shopathome.com&utmcs=utf-8&utmsr=1276x846&utmvp=1256x669&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Toolbar&utmhid=483429228&utmr=-&utmp=/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&ae=no&source=91099&subsource=FAMILYCOUPONS%7C302133&setupguid=%7B93ec191d-46ed-4123-97ed-f0a0af6373ef%7D&setupcid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&sahusertype=nonauth&utmht=1407066713680&utmac=UA-2915199-1&utmcc=__utma=212097611.2090233412.1407066713.1407066713.1407066713.1;+__utmz=212097611.1407066713.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=LBCAAAwAAAAAAAAAAAAAAAg~ HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 31 Jul 2014 21:16:46 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 225291
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 31 Jul 2014 21:16:46 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 225291..Alternate-Protocol: 80:quic..GIF89a............
.,...........D..;..



GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive
Cookie: id=c21c6444d00007f||t=1360768149|et=730|cs=002213fd480b36e81315d0d96e


HTTP/1.1 200 OK
Date: Sun, 03 Aug 2014 06:28:58 GMT
Expires: Sun, 03 Aug 2014 18:28:58 GMT
Last-Modified: Tue, 17 Jun 2014 01:05:58 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15758
Cache-Control: public, max-age=43200
Age: 19357
Alternate-Protocol: 80:quic
X-Google-Cookies-Blocked: id=
...........}kW....w~.....;[email protected]).....H..$t?....M,
..~..F3c7.'"....{...E....A$.|...\...L2..`?.{I/.g....N{Wr0.X..^...d...g
.L. .........r.z.#..G."..~%.p..e_..p.^8...'.i.._.J.=!.6.....9./.....a}
....`.. ...>..t..ox..q....D..(v...W<.P.......^c....... ...F...@(
p.....NW5.a....`.n....l.K....:..... .h....!DO..~.r>.E...F..=. ..e..
.h0.].}..#P.0.ol.....K>..o.....%........{[email protected]..:......{..c.nz
P*..n...........[9..)Ta...m=z.m......(....N...&A...X.KCV5.R...<..._
|b&.$/l..3..1P'..O...s...x3.E..J.....[... .......8^...:z..".7.y.2.....
,C..Y%.0..4...^.V..y.#..`.6U...........y..w...5=...N..{....o;.u E.iPs.
..........$rW...._.m.?..@<..W.g...L...../.a./...x"........a '......
.|.n.. &S....Ea....r..P.......5.89..lto.$....z..s......|*.;N......AN..
mL..*..(...U...f2...,....J...y.qqA.........BTo.../k$..7r..9P..H.J.^...
....b..=..A..&...Qo.A?..W....l.........'".. ..D. ..EA.........Id.s....
.2.9.k.f......aZ.0.r..H....n0.#&.|xo.]X..-..-..5.....4(.x..4j&..V..p.N
)0..5..Cv.K.!........&A>...I....:>lh.A..>...U...J'..........B
.q..y....()..3. .... A".u{{.;.......W.....k-..zF.\`Q.0........\d..a..A
.1....5.y...`-^.F..M"tf.GM. .XY.YU...T.._.lH.......A=1..N....?Z..R ..{
...(.RS..^...)...8Em.e.EU..^.....<I.H..C.....R......%...<$......
...S......L.,.{..)..b....-E&.7...f.V.j..(...Bj.l..!..K...Z......T.....
.B..NU3%4.i...9.......a...>/..kE.`_.$.;.Ld;......x.H....\.8.n....D8
[email protected]@.-...k..Z.....J..D.R.m..J.5 ...U...$..jG./..>
;O.}.,R.....0q..l.;2o'oJj....|]M.........:!X...&![v..EO....E&?.N.$
<<< skipped >>>


GET /1/eabd37c669?a=442317&ap=7&fe=11781&dc=11594&tt=39120E64E5BFEA57&v=411.b2946c1&to=YlVRZxFXX0VWVkMPDVsfcmAzGUVZWFlVBxBFX0BHClhCQlZZW0gDRkBL&f=[]&jsonp=NREUM.setToken HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: beacon-1.newrelic.com
Connection: Keep-Alive


HTTP/1.1 200 OK




GET /static/fonts/roboto/v11/5YB-ifwqHP20Yn46l_BDhA.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: themes.googleusercontent.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: font/eot
Last-Modified: Thu, 17 Apr 2014 17:56:21 GMT
Date: Fri, 01 Aug 2014 15:34:54 GMT
Expires: Sat, 01 Aug 2015 15:34:54 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 19481
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 159392
Alternate-Protocol: 80:quic
..........m.eT.L.-88......;....,.%@........w....-8$....o..}[u....:.u.W
...S..b........?....@....*[email protected]..\^...C..Z...............
O./.3..........q.x......_1.......r.x.3..8......O.....?.........>...
C."...e.. ..Y......H. ...,Y..A.....(..........~..f..2....!L.'U..."..Qc
.....|\.jm.a.C4'ss."\..2.U.uH..S.......:[email protected]%..V.2.hR.-L......
..g:{2.vY.{..;*..5...pY..,....e......`....L.=....Z.......yz........U.6
.8oz.....3....."h[......r...*<^.{"#......E...|.....o...Ae.. .......
...M..W..v..E....G6W.d>{.p}..j..^..#....U.U.D03.#......3.C.....O...
o...('Xf..z...Ra.E.$..........K.N.&.U.....D.u......j.C...&{*Y........G
J......?.....*..&$..2..z.......IG.v....../..v.9..am(...nz.....w...]...
i...@[email protected].../.. ..t..b..~3-..l7._........=.'u.......6.P.a...S.c.'W..
kLI*".....-.;........P...&(.4.p..;....V..l.l......jZ.A......t..7...Tf)
...r..H..V:..B.t....gF.rG?...Y..nG....;....P........8......:.........-
..af..i>......2..Y....<.<.....S...%(..#..v. (J...\..:Q .c..[.
.....#..i.D....{.D....S.q'.6..:....p..ft..P..#.G..X....0.nH.\j.}....y.
....SqQ..Ml.[...L.....S........y........)UZ..gm...w.5..S..M....:.=....
..,.l....k8v .......w..Y.....hv.G.G.3l;..=?o%....=......H...,..@`g.k.-
z.-.n5C.u...t.E.U&......u..T...$...u.~.v..$cXNT......K.{sd../.rW....`.
.k.@$.&..qr.fna......!.fL.{...z.B>.=........FR..w'....y.!Uu...q...N
.e .{.eo^.P...(g...\Y.>.h......I1\i.C. .y...,WM............ r......
..6?.....'v~.~".&b8..P.u..U^...W..jI0.'..)5 ..b..9...&...6"&.......;@M
,........^...W.0.........b...G..a.....I...vd.....'x..6J.. ..#.'./X
<<< skipped >>>


GET /pagead/conversion.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.googleadservices.com
Connection: Keep-Alive


HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 10956373391978167308
Date: Sat, 02 Aug 2014 22:47:55 GMT
Expires: Sun, 03 Aug 2014 22:47:55 GMT
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 3522
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 47014
Alternate-Protocol: 80:quic
...........Y.s.:..=...t..p.$M....4i..{m..I.....ma.....J....J.m.....Lb.
......gec<..,.#..X..1f.$H.. .\1...f".7.....;_....... ..F....\.{.$|E
.....p|!.....$.j86..1E.fI..8.....$.|..a.sI..J..m.y.r..xz.\.-1...Z.I4.:
"...$ ...M.M2.<1."..........qA..H........wB...g.D.F..{S(.*.{.o.....
'.p.R!}.d#.T4rj4..{O.P.B.L`K.................i.!.p..7........JO..?.qbH
...kp...Mxz..>...M..h....\......LN.$...$....g..X....3....{#..u.$Z.;
.Q...d....I.I....".y.'x.....%.<..._D..S.. Km'...!6....5{..v..W.,\|.
[email protected]..\@..n...........z...."9..0h)...}.....?NI.e&
gt;./.......a_L.w,k6...#.....`-D.B..j....>7h.........g..}G.a..wtm.v
o..;...P.u...^[email protected]...].....mj......c.o.5.R.q....).y......b../.h
.)..bO..q.5:.sZ.;.c..h8...5.4.o[..a.r.`h..g.'.'..1=.._N....vN<..r..
0(..g8D#4....`e:..u...w.;..nu..a.:*Z...1.....Ad....qM...E....;H..C....
.x.....&V.!.O.J.V.........$YI..".l..Q.}...La/e...d5.b........s....=..:
.........g......\..9.I..1...........0..........U.j..S7.{.[%z.[g...:...
......m..8..B.5.4......4E.......Qs6O..6..wN.....s..}$.... &.-x.*..mn..
...<c..c?.#7.r.....L.......k.!..'...B..s...Z.....y...]...X8...i....
..q..^.b..-...&I<.'...)O.E..a.G.....2J.O.I.DA&.iA..Y<.A...be.<
;.[x.L.._.Q.l.j1.F.h...7.Y6....#H....r.A*.j....<..b.....y.5...L."u.
L..k..A.......SU.J.N.....{...Ba....!<K.....<..k..DWc.&.`Y.S..$..
.......j.wEQ....K../UH.G.^..N.D.B...m.}....{.4[..*.)..7,..u........,..
x..V.h.......w....,GA8...Dq....!w.jnu.B.7.M.E.3.>......b....B..p...
....l...B.qY.1....kQ.\.%.8......a.....<5.h...\L"^....!.j.L.y...
<<< skipped >>>

GET /pagead/conversion/1071192949/?random=1407066705852&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext= HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.googleadservices.com
Connection: Keep-Alive


HTTP/1.1 302 Found
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Date: Sun, 03 Aug 2014 11:51:30 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071192949/?random=349323124&cv=7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
Content-Type: image/gif
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 42
X-XSS-Protection: 1; mode=block
Alternate-Protocol: 80:quic
GIF89a.............!.......,...........D.;HTTP/1.1 302 Found..P3P: pol
icyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV P
SA PSD IVA IVD OTP OUR OTR IND OTC"..Date: Sun, 03 Aug 2014 11:51:30 G
MT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Co
ntrol: no-cache, must-revalidate..Location: hXXp://googleads.g.doublec
lick.net/pagead/viewthroughconversion/1071192949/?random=349323124&cv=
7&fst=1407066705852&num=1&fmt=3&value=0&label=FQpPCJHS2wIQ9bbk_gM&bg=f
fffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=
0&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://VVV.shopathome.com/T
oolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc1560
34c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel%3
D1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&sou
rce=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec
191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=4768
5889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1%2
6tbtext=&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts
=0..Content-Type: image/gif..X-Content-Type-Options: nosniff..Server: 
cafe..Content-Length: 42..X-XSS-Protection: 1; mode=block..Alternate-P
rotocol: 80:quic..GIF89a.............!.......,...........D.;..
<<< skipped >>>


GET /agent/toolbarprefs.sah HTTP/1.1
Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: xml.sahcdn.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Date: Sun, 03 Aug 2014 11:51:11 GMT
Etag: "0d2ff4a70abcf1:0"
Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
Server: ECAcc (fra/D457)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web05
X-UA-Compatible: IE=edge
Content-Length: 1008
.|..A...k}......@1......$L..X:u.F5..m..h....T......O.....m.}J..R..Q...
.H.,ZN.,.ad)s.S.4..6.h6b........0)._..al...eZ.e...S.....W....7.1.....i
.......Y.t..|._..o4......E......Z........Z#..R._.?..].~..m1V.....F=...
Q....!..r..\j........h..\..7...L.P...!8f."......S'.}V..b...&...p.5OW.h
.q. @J.T'......t....iN.:......].R{.d..Puw..D...o....._.P....0..z..!...
...I....3....kb.N....rC....V.GiM.$.....G....Sx.:......."..."...>A..
.?4..w.fq=.`...%..k......p`3:./n.....C..0Wx.K.ZX........K..%...... ...
.......9k..OI..*A....m....G:..[Z..m........Z.?.. }.'....[....I........
a..r...... ..|. ..a5..1..?..-#...D...........G. rt.&....}gA...o..!....
.Kl..:.qe....%y\?.9]&.by....t-.i...d..W.:e2!8.....u....&O...m..[.WCRB.
.Z..K.......cZF....... ....P....D..|5F6.....].G7.8^s.qi..z...s.Q...E?]
.......QA........Wf<...P.|.`f_...>S..u...]U...{`[.>..a...t...
......41..S....eDJ.~.`...H.C.....!H..G.......hRc$..}....].....[Y..T..s
q.*..K{.~...&..N.].Y......._...']..V.5.>. & ...>T.......vJ...U..
z.{.Y,D..?X.....N...3..l..W>.<.3.N.-.....xqDh.HTTP/1.1 200 OK..A
ccept-Ranges: bytes..Cache-Control: max-age=86400..Content-Type: appli
cation/octet-stream..Date: Sun, 03 Aug 2014 11:51:11 GMT..Etag: "0d2ff
4a70abcf1:0"..Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT..P3P: CP="N
ON DSP COR CURa ADMa OUR NOR PUR"..Server: ECAcc (fra/D457)..X-Cache: 
HIT..X-Powered-By: ASP.NET..X-Server: Web05..X-UA-Compatible: IE=edge.
.Content-Length: 1008...|..A...k}......@1......$L..X:u.F5..m..h....T..
....O.....m.}J..R..Q....H.,ZN.,.ad)s.S.4..6.h6b........0)._..al...
<<< skipped >>>

GET /agent/toolbarprefs.sah HTTP/1.1


Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: xml.sahcdn.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Date: Sun, 03 Aug 2014 11:51:12 GMT
Etag: "0d2ff4a70abcf1:0"
Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
Server: ECAcc (fra/D457)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web05
X-UA-Compatible: IE=edge
Content-Length: 1008
.|..A...k}......@1......$L..X:u.F5..m..h....T......O.....m.}J..R..Q...
.H.,ZN.,.ad)s.S.4..6.h6b........0)._..al...eZ.e...S.....W....7.1.....i
.......Y.t..|._..o4......E......Z........Z#..R._.?..].~..m1V.....F=...
Q....!..r..\j........h..\..7...L.P...!8f."......S'.}V..b...&...p.5OW.h
.q. @J.T'......t....iN.:......].R{.d..Puw..D...o....._.P....0..z..!...
...I....3....kb.N....rC....V.GiM.$.....G....Sx.:......."..."...>A..
.?4..w.fq=.`...%..k......p`3:./n.....C..0Wx.K.ZX........K..%...... ...
.......9k..OI..*A....m....G:..[Z..m........Z.?.. }.'....[....I........
a..r...... ..|. ..a5..1..?..-#...D...........G. rt.&....}gA...o..!....
.Kl..:.qe....%y\?.9]&.by....t-.i...d..W.:e2!8.....u....&O...m..[.WCRB.
.Z..K.......cZF....... ....P....D..|5F6.....].G7.8^s.qi..z...s.Q...E?]
.......QA........Wf<...P.|.`f_...>S..u...]U...{`[.>..a...t...
......41..S....eDJ.~.`...H.C.....!H..G.......hRc$..}....].....[Y..T..s
q.*..K{.~...&..N.].Y......._...']..V.5.>. & ...>T.......vJ...U..
z.{.Y,D..?X.....N...3..l..W>.<.3.N.-.....xqDh.HTTP/1.1 200 OK..A
ccept-Ranges: bytes..Cache-Control: max-age=86400..Content-Type: appli
cation/octet-stream..Date: Sun, 03 Aug 2014 11:51:12 GMT..Etag: "0d2ff
4a70abcf1:0"..Last-Modified: Tue, 29 Jul 2014 21:01:40 GMT..P3P: CP="N
ON DSP COR CURa ADMa OUR NOR PUR"..Server: ECAcc (fra/D457)..X-Cache: 
HIT..X-Powered-By: ASP.NET..X-Server: Web05..X-UA-Compatible: IE=edge.
.Content-Length: 1008...|..A...k}......@1......$L..X:u.F5..m..h....T..
....O.....m.}J..R..Q....H.,ZN.,.ad)s.S.4..6.h6b........0)._..al...
<<< skipped >>>

GET /agent/bce_.sah HTTP/1.1


Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: xml.sahcdn.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Date: Sun, 03 Aug 2014 11:51:12 GMT
Etag: "8057b55870abcf1:0"
Last-Modified: Tue, 29 Jul 2014 21:02:03 GMT
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
Server: ECAcc (fra/D4CC)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web09
X-UA-Compatible: IE=edge
Content-Length: 459792
...v.a.5uq,:..=w2..b....M..T>.!."..9...LW.&...W?C'..w. .C........!.
...G.'........P....p(bPA.;.x..l. .}3#..5.............s.....J.h;.at.|..
...h...M.5.....J.?. dP....f....f.(Hj...#.,U.:.......O..L. .US...aX?...
..~r.u.k.x...CK.....4..0Q...._4.".H..q/Qu..&.f.ui.5.......e....t..J...
f...*........c...}.... >...m.%.}..,.....DR_u...^..Oot..Fc....pe{...
...~....................W.n....p.#3...:.lP."......dnYB...&0X.E>x...
.....P..T.tNg8...o...~.....7......|.......Lu....C.|..lZ.......4[I.*...
..YK.........9G.$.....x..<.)*.bx...`;...L../.<....l`$.]W.......\
k..cy1{s.6|~v.......3F....?.(.N..E...d.N....W..e...../.Ca.l.Y.B..c....
.b....6.S.......L......[3a...*.."...........v"..<..U9....l.Z..<a
j.b...T...C........t...Y#.n.#y^...EL.v..bD.....j...p..@%u.S.......q.p.
....lna.>"......O{F..".Ik.-'....5.m5...N..V=_..CK...>&....`I1<
;a&..rJ... .W.......CJM..C7..K"[email protected].............
...&.:.......6..40h..L...b......<^.{/.5.9......~...V.....7&...E.'..
.EqJ.......f.."......;q...i=.....Hq..cTu............6..p.o.Q..z....&..
-NX..E..........<J*.BW..\.......k2*......l...k... .^,.*.70)X..K...)
.!.sYA.'.]w.....SI.....V.b{X....s....v....3....a..N.P.>JWL........,
.<.... L........D$f.\4....V;....... XW....A....a4....)....U../....E
...cX.v`..l.n....B ..]..e:......r67....?.E..........('..x..0.<...T.
..f.....L..T.....@ .'H..>.....g........\2.....$.dV.I&....uV.a...>
;..w..M.%9@{.h2.T.r.1u.F..5.3.a...#\iK.......[...Mt....]/.H.\}Ft~J....
Z......"..d.E.<8a...UZk1R...-A...j....vpR.!..G...^.M...R../...'
<<< skipped >>>


GET /js/html5shiv.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:26 GMT
Etag: "db63b078838bcd1:0 gzip"
Last-Modified: Wed, 05 Sep 2012 16:28:24 GMT
Server: ECS (rtm/35BA)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web08
X-UA-Compatible: IE=edge
Content-Length: 2808
.....}GP....ks.6.{~.......N...~.y5Mf..sN?..."!.1E..$.g......IQ.}mo.3.L
p.............}L.r.&.G.'...&O...s...O.-.(..Q.V2Z...-.......?.....) ...
~r.8...TsQ.......d"]-Y.G..^..I.....yq....&B..}..d.i"*......f..X..\/...
.............s^.J.Y.<2...-\..!.)I~=....;..4..^..V...Z.KM%...}.g>
.t.j..~-.XU..%.!.....E......I.Q.[.$o.'.......|..#...gu*2Vg|].9 2.D.?..
...Q..]....I....XQ...E].....e........Vk:.....j..:...WE...L...E.t.$..2.
.B..jUUB..26..B. m..%H.......A. /"..-...31F.\.y.:.9Y.b^....E.D...Th. .
.] .......[..5t..=....'......"{....6.^.4..eTS....n>^".i..o#.Uy^..r.
8=./..{.`...B7".......p?2....`..9.qD..q.L'.,.D.GY.\^.....?...$..0.Y.Jt
..I}E."|YY. ..f..*..A.9....Q.S.l..4......#K:B..##..|OR..N......LjR.r..
vzJ.b....?)[email protected].........../t(.[..Z..aY.z.... ..V.K.....=u.I.W.$qk..
~U1.-.71....G.V%.,....aw..$|g....}.M..l..{....4.YP...13.. ....6h...q./
....N..H.".9..K1..l.A.2A..~.FS..gg....(Ah...h4.vD.X|O ....?QH6...gC..L
.G.....-gZ.r..V.=.FP........x?C.7....E$..A....!l.;<.=E.R.v....~8...
...8.1.....^...........f....G..../.........O.a...A#.....[...\.r.. ....
R...IA.~.Qf...\.%c......I.........._.......FQ)...i4.{.0...A#6.L...6RbH
(A\[email protected]].:.q. ..H.1..|.,OTUpP3.F....m......I...E....].*..?.q...
d.=#Q[..H.........mif.6hU..:.......x!..{.....P`.%W.....a..............
..-U...5{.......*.M.....{.[..........X..l.....U...........y.t..a..1..C
.....A..R\.8h......o..9...q=.....Fw......#v.n.....k.....6.......BM.75.
......i.9.u....L4D...p.$......b.........l.(.d!pBh...K....|.]cJW.y.....
....j...32E..b.4.X<.......M...4....X.).^.e..1..Ig.1..hcw.g(P...
<<< skipped >>>

GET /js/tipped/excanvas/excanvas.js HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: j2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Cache-Control: public,max-age=604800
Content-Type: application/x-javascript
Date: Sun, 03 Aug 2014 11:51:27 GMT
Etag: "77a21f22d76dce1:0 gzip"
Last-Modified: Thu, 20 Jun 2013 16:56:39 GMT
Server: ECS (rtm/3597)
Vary: Accept-Encoding
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web08
X-UA-Compatible: IE=edge
Content-Length: 4290
....G4.Q...:.s.....S..\LJ.%...wd........M.......$D..H..,1..... .Jr....
.L....b.X./p<......h^iG..[.C.E......a<....8`i.Bm.....9.Nr......7
V.q.jG.D3p..Q..".:[j.ZkiVi......f1..... -N. [.IL..i....u$..D..42..0...
.z3u.F .....*w...jeQ.....8.............,..3MXYj.{\..l..5..K.........hT
0.U...*.*N#....Z..!.0.."..UOb...ou.....~r.]\.......A"._\....k...._O../
.../_../.././.\B.W...F.....Dc /X....w.l.(K.r.]1.ca.......,.`ki........
).H.Y..K<.....L./..V.../..0....VVP0Z...a....>.R7..UgYZ.u..2[..R2
.....Ag..N.j>..XU..;...).;.7...n...A5.54&b^.%YQ.y..n.........7.7_^.
j-.<[email protected]{f0...L.......w....O.&..(.C..h.....q.......C...h...
........5N........S`(./.e.7.V-.......[..[!..L.`Y. ...j~g..rn<....g.
bV.-.'v..$....[kl....q.v..9..Q...B.....IZ...y.o.7..;~V...D.......h... 
.t..2...J$WU.0q.pu..&.....D....~..j....?.8.tP[V(..h..p.*...O..^4...$.i
r..s.....QW.,..U.....}.?...._..Zq.@\p)...9...N..s......w.C.n..l...8.Y.
a...Q..N.2K...p4`.X....$...{`.=..V.R.......l.....t..tK0...[..;......g.
.t....lE..=.)..`1u'd3.L.f..o....m".g......F.u..P.\...L...yz......Dc.U.
/[email protected].$3O%. .L....'I..A.t~.Qsw#....]..e......cv.M..;...Fp.....
i....F....%.f..Ss.....K...37S.O(*..(B......r.h..Uh4.6-..w..M..]*d...r.
..A5..0[.&....vZ.....x..}..JV..be.........]u.....O....(-U:..F...I.....
.N....0.h..F.BP..1...2...:.7..8..Go.)..8.hz..n.}6.f.i......}...[.L.dJn
'.....*.-.<.....]rQ....V..P..L...T...V...Z.3\..Jc@... ...K.`..p&t..
..V2p*..J...F.%kX.......-........A...uG...B^....rS.TM....$.-".%Jrd...)
1..p.....9.X..V..|.3...n..r8kw....^.V......3.}.x..H.M.......-f...L
<<< skipped >>>


GET /RequestHandler.ashx?MfcISAPICommand=installstatus¶m=èfrtXFiqIX4GbgcJxPRH7be0DduJjehBXcU_ijoe_Yk7184KcM5uMOzy6qgQ684qQN_n1tdMvaDFOCAkODEmwtIz1E15I1heWCRUQwLrMdJ4MadEXy7l5twFx_vcrx7xz62-2Ce-cg8g8YE_OCsHQQ8WK7TJVzyQNH-wN-Q34VCFwA1dMx5WK332XZrbW5T7JhIDJ1E45-XWfC2Toxg0BUHlYSflnIBQPun_7EqOid6-2BuotMC9cWgTu4CMgEBjJDoiJV6To0An-3tBoeD_dkonSMWGCHIXU8ehz3xfiFf0fzx11uOHy54wfQZGt9mFrncxDfC9WJmBmzK_Sh9zSUKmExO74vJtlFrF3vfh4Uv8BCaEmJgLFJ-8nFhTZ6Y8NbCLTuOOKDklhB0B8J0fwAyNjQlHTk-OQbkUBATz4ed8NxF_oEM21xooLwlSQH587lLQiNd9Zk_35KJOhYrsbxW1sw0sxz9iLr0Lksyzd8NTkfybYMNnhG3Dsrh8I2gC4-YiRsWN-nIOsavXzRH61WwbQY8lUx5LPWI2n0dxcgcATamu3o4xzPh4ZDAjoPWQfvLBAgwvULlvh3aO8usdloQIebqDGD-DViICqgt9c1gcKTc1nqohbnO5lQYO_cGOrQX8zCwKQAi8 HTTP/1.1
Accept: application/octet-stream
User-Agent: SelectRebatesDownloader
Host: tbws.shopathome.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Date: Sun, 03 Aug 2014 11:51:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON DSP COR CURa ADMa OUR NOR PUR"
X-Server: Farm01
Etag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html
Content-Length: 72
...;.E......n.R...[:.4. .|"^..:.0.....I..-.X......].w...w{.....P......
....



GET /images/window-shade.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/png
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "0a1669987bcf1:0"
Last-Modified: Thu, 29 May 2014 23:45:14 GMT
Server: ECS (rtm/35CE)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web02
X-UA-Compatible: IE=edge
Content-Length: 4249
.PNG........IHDR...b.........;uo"....tEXtSoftware.Adobe ImageReadyq.e&
lt;...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:8F47765C7FE7E3118D81887002F653B1" xmpMM:DocumentID="xmp.did:47FB
EFF2E78B11E39DA7A32D87E29047" xmpMM:InstanceID="xmp.iid:47FBEFF1E78B11
E39DA7A32D87E29047" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9047765C7FE7E3118D81
887002F653B1" stRef:documentID="xmp.did:8F47765C7FE7E3118D81887002F653
B1"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>..T.....IDATx..].r....I.wos.....w...[{$"7...n
7(.o......<..".F...e1.........._....=.....&....]._....v}=...n06...1
.w|W.>.7....].Y`<..E.s.....|..=.w.>..D<........N.wP6*x<
s...R..`d.......7..B`B...0......3}W.._.{.>..!pQ<.F.....}......0.
O.hd.J...r....h...W2....h.......L... Q.."...].A..L......#..V.,.<G.O
Q..I.y!-..Lx>.g|[email protected].|...D..<....x.*....0..Y..P.\..0n.@....
[email protected]\......(.)..4J..s.....4....x.h>..&<!.>.a.......
7.......).9...i.)....G.......Q.....'....CN?..P9}.8...Y.7.}..:.....
<<< skipped >>>

GET /images/rewards-sprite.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:37 GMT
Etag: "0fa6a6c1a84cf1:0"
Last-Modified: Mon, 09 Jun 2014 19:38:44 GMT
Server: ECS (rtm/35C3)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web09
X-UA-Compatible: IE=edge
Content-Length: 50170
......Exif..II*.................Ducky.......P.....ohXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DB007B0061E7E3118
D81887002F653B1" xmpMM:DocumentID="xmp.did:AADCE73CF00D11E3B218DCA04E4
6994B" xmpMM:InstanceID="xmp.iid:AADCE73BF00D11E3B218DCA04E46994B" xmp
:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom
 stRef:instanceID="xmp.iid:7015E28F0CF0E311893BDEEDFD747222" stRef:doc
umentID="xmp.did:DB007B0061E7E3118D81887002F653B1"/> </rdf:Descr
iption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&g
t;....Adobe.d.........................................................
......................................................................
....................b.................................................
.............................................!.1A..Q".aq2B.R#.....3S$.
b..C4....rc%....DTt..5U.Vv7..s.d....&f.......................!..1A.Qaq
.."......2BRr.....b...#S....3CcT......$.sd5.....%............?.....DQ.
DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ..^i.._u............I#c..@...
V..........D.F..J..R..G.A&...F....c....U..2..#wbF_u{~...X..qm..:[5
<<< skipped >>>

GET /images/rewards-sprite.jpg HTTP/1.1


Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i2.sahcdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public,max-age=604800
Content-Type: image/jpeg
Date: Sun, 03 Aug 2014 11:51:38 GMT
Etag: "0fa6a6c1a84cf1:0"
Last-Modified: Mon, 09 Jun 2014 19:38:44 GMT
Server: ECS (rtm/35C3)
X-Cache: HIT
X-Powered-By: ASP.NET
X-Server: Web09
X-UA-Compatible: IE=edge
Content-Length: 50170
......Exif..II*.................Ducky.......P.....ohXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DB007B0061E7E3118
D81887002F653B1" xmpMM:DocumentID="xmp.did:AADCE73CF00D11E3B218DCA04E4
6994B" xmpMM:InstanceID="xmp.iid:AADCE73BF00D11E3B218DCA04E46994B" xmp
:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom
 stRef:instanceID="xmp.iid:7015E28F0CF0E311893BDEEDFD747222" stRef:doc
umentID="xmp.did:DB007B0061E7E3118D81887002F653B1"/> </rdf:Descr
iption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&g
t;....Adobe.d.........................................................
......................................................................
....................b.................................................
.............................................!.1A..Q".aq2B.R#.....3S$.
b..C4....rc%....DTt..5U.Vv7..s.d....&f.......................!..1A.Qaq
.."......2BRr.....b...#S....3CcT......$.sd5.....%............?.....DQ.
DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ.DE..DQ..^i.._u............I#c..@...
V..........D.F..J..R..G.A&...F....c....U..2..#wbF_u{~...X..qm..:[5
<<< skipped >>>


GET /meter/VVV.shopathome.com/32.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.shopathome.com/ToolbarPostInstall.aspx?oldsessionid=e36127ba-aaf2-4cec-9a92-fc156034c504&A=SuccessPI&owner=dlnopop&ErrorInfo=&ErrorLevel=1&GUID={540AEB63-F616-4B6A-8960-7794B185A087}&ae=no&source=91099&subsource=FAMILYCOUPONS|302133&setupguid={93ec191d-46ed-4123-97ed-f0a0af6373ef}&setupcid=47685889&cid=47685889&refer=960121414&disabler=-1&tbstatus=1&tbcode=1&tbtext=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: images.scanalert.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Expires: Sun, 03 Aug 2014 12:45:14 GMT
Content-Encoding: gzip
Content-Type: image/png; charset=UTF-8
Content-Length: 1737
Vary: Accept-Encoding
Date: Sun, 03 Aug 2014 11:51:29 GMT
Connection: keep-alive
.............M..PNG........IHDR...s..........)!b...yIDATx..[]h.E..H...
... .O. T.....i..P|-.*.C.?.. ..4h...>....iHMmb....5m..B..BI.H...I..
$....o....;3w.i.D..........9svvon('9...j...L.0".....Y\\4..]X.G.....3.z
........n..(=...&UUU...u[.fX9..../...LLL...l... .<2amW~.........H_.
{.g..I(Gb.uh..(..........&.....?:x0*G..fff.}...&.~||\jkkM}cc.2.!299i..
x}}}..c.....H...S...........]..D]SS......#..q8G'.@KQ...>*'J....}...
E...R....\#}.T...G..Z....[..W..LMM...&.L.........(t. ....FI...T..D.C..
.\P...%).X.............db?...m._.<aR...?5d..e.r.l......%z{...w.....
_...M.ZQz..$.....~...........s!)....A.}....$...=Q..g......w#{_7..^.&..
T.788h...C......Ap...B^.Z.g..X.V-V5.!ik......>...6Z...d2.-cYd.U....
..w.|..2..K1.X'...oJ....-dl7K2.7..D.e.su.&.:@...U.E#.%.M..m..f*:TG..{.
.ckw.D.i....^m..B........f..........rX%..K^...%.......,..F[.....8..l.R
..~.............l.t.......q.2._."..u!...'O.w9...tm.).?8b..^..^....t.7.
.2m!.Y....5.N..>.Z.2M............\............p..,&M...F....,H...:s
V..yJ.w.1.$..A....t.^..2.....Q..O.....L....=M.....%...|...).s..@$[...b
/H....E'A...........H.6...C.-}X.6..'.......B.Jw.6h....;......b.,"[....
ba....r*.7G.g[5]3.Y...:..mT.....M...h..~A..<WT..."N2n"[email protected].
..c%...D....3{%....|.F..Vu......E..l]]][email protected]\d.P$.`..]`..d..$....d....d
...5!.....&.. ..93;............@...*.%;M.. ..........LM]1d577..:....w=
i....6ui.p3.\......6.T.......2...$....%z....{...!-.....vA.r. Kk3..|.3.
Udd...$3...%_...l.O .....WP.Y.......Q....q].......3..x!..-../..K;F....
_...........g........{.x...@,..{.BH.l.p..-.....d.I...l9...........
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







SelectRebates.exe_2028:




.text
`.rdata
@.data
.rsrc
PSShh
FtPh
SPSSh
t0Ht(Ht.Ht'Ht
Ht
~!SSh
Yu%C;
<9~^<_tZ<-tV<.tR<*tN<:tJ
PVSSh
t.VhluJ
VSSh&
SSh|~J
SSht~J
SShl~J
SShd~J
SShT~J
uË;U
YYSSh
Yu.Vh4DF
YVSSh
$%&'()* ,-./0123456789:;<=
VERSION.dll
SETUPAPI.dll
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
GetWindowsDirectoryA
GetProcessHeap
KERNEL32.dll
EnumWindows
EnumChildWindows
MapVirtualKeyA
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
MSVCP60.dll
ERROR: Event WaitForUnhookAll (%d)
{E03777A2-C73D-4a58-A4FB-28F813CA2583}
[INIT]: XML maps loaded status = %s
[INIT]: CheckSite timeout set to %dms.
[INIT]: FireFox status = %s
FireFox disabled
FireFox enabled
MyAccountUrl
[V] Module %s version is %s and the Agentprefs version is %s
[P] Skipping InfoPop#%d, Opt Out Detected (%s).
[Mouradeling] Url "%s" matches regex "%s". Mouradeling on.
[Mouradeling] Reset timeout to %d sec.
[PBM] pid(%d) = Unsupported: AOL.
[PBM] pid(%d) = Unsupported: Mozilla.
mozilla.exe
[PBM] pid(%d) = Unsupported: Netscape 6.
netscp.exe
[PBM] pid(%d) = Unsupported: Netscape 4.
netscape.exe
aexplore.exe
aol.exe
waol.exe
[PBM] pid(%d) = Firefox
firefox.exe
[PBM] pid(%d) = Internet Explorer.
iexplore.exe
[PBM] Browser Process for pid(%d) = (%s)
[PBM] Failed to get module file name for browser check. (%d)
[PBM] 0 modules returned by enum modules for %d. (%d)
[PBM] Failed to get enum modules for %d. (%d)
[PBM] Failed to get process handle for browser check. (%d)
%Y-%m-%d %H:%M:%S
%s_%d
[OO] OptOut for %s at %s
[OO] OptOut for %s and %s at %s
[OO] OptOut for %s removed.
[OO] Remove all OptOuts %s (%d).
%Y-%m-%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Failure to write %s to %s. (%d)
%s,%d
[M] Upgrade has run more than %d times already. Skip Upgrade.
Clearing upgrade flags: %s
[XPD] Popup %s impossible: %d pops already today.
[XPD] Popup %s impossible: %d pops already in last %d minutes.
[XPD] Failed to find XPD type %s. Allowing.
Rule %s: Popup(%d), Redirect(%d), DoSlider(%d), AdServe(%d), OldPop(%d), %sInfoPop(%d), HideRedirect(%d)
&global=click.linksynergy.com&afsrc=1
&URL=
&tim=%d
GR_check_site.html
http:
CheckSiteUrl
TTUrl
[A] Load result: http(%d): %s
[A] Error %d downloading image. But image is cached, using cached image. Returning 304.
[F] Copying image from "%s" to "%s"
[F] Load Image File: %s, Cache date: %s
[F] File: %s, Next check date: %s
%a, %d %b %Y %H:%M:%S GMT
[F] It is new BANNER/IMAGE %s, force download.
[A] Load image: %s
[A] Agent tracking %s/%s
agenttracking.asp
[A] Search tracking %s
/agent/searchtracking.asp
searchtracking.asp
[A] %s%s%sTracker result: http(%d): %s
Upgrade: Unable to report (%d,%s): poorly formatted or missing UT url: %s
[A] Upgrade Tracker result: http(%d): %s/%s
Upgrade: Reporting result(%d,%s) to %s/%s
Upgrade Result Report: Reporting result(%d,%s) to %s
[A] %d - Unknown error
[D] %s Url has changed. File is necessary to download. (Cache off) (%s->%s)
[D] Storing CID: %s (%s)
CustomerID funky. Changed from '%s' to '%s'
setCustomerID: '%s' seems to be in error. Filtered.
[D] Registry CID: %s
[XPan] Regexp_exception: (%d) %s
CHTTPLoaderThread
[A] HTTP Loader thread OK
ShopAtHome.com Toolbar
HTTP loader thread. Exit instance
0.0.0.7
[M] Opening install page %s
[M] Opening feedback %s
[S] Parameters: %s
[S] serviceRequest(%s) Command: %s
&os=%d
uniqueBundleKey=nonbundle
uniqueBundleKey=
updateURL
&updateURL=
validateURL
&validateURL=
{X-X-X-XX-XXXXXX}
PopupPassword
regpass=
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
Unknown command %s
Clearing cookie %s
Setting cookie %s to %s
Clearing ini %s
Unexpected # of parameters for %s: %d
Setting ini %s to %s
[S] UID: %s
[S] IP: %s
[S] Country: %s
[S] Registry query: %s
[S] Setup filename: %s
lsp_setup.exe
[S] Toolbar Update URL: %s
ToolbarURL
;ffTbUrl=
;toolbarURL=
[S] Update Path: %s
[S] Update Domain: %s
;updateURL=
[S] Auto Upgrade: new value: "%s" enabled: "%s"
[S] Update enabled: %s
[S] ValidateURL: %s
;validateURL=
[S] Validate enabled: %s
[S] NumberOfDaysNextUpdate: %s
[S] NumberOfDaysNextValidate: %s
[S] NumberOfDaysNextHearbeart: %s
[S]%s
%d-%d-%d %d:%d:%d
[XmlDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d
[XmlDataGC] 0x%x count = (%d). Delete Count = %d
[~CAlert] (0x%x)
[BD] Destroying Xml Data. 0x%x
2000-01-01 12:00:00
2020-01-01 12:00:00
[BCEXML] Parse Status = %s
[BCEXML] Memory Exception parsing XML: %s
[BCEXML] Error loading XML into parser(%d).
[BCEXML] Parse Result = %s
//Bce/tb/maxurllength
urls
urlsec
*shopathome.com,*shopathome.sah.com
[R] Global Ignore found: %s
[X] Specific Suppress "%s" found.
14,%s(%s)
[X] Per Merchant Suppress "%s(%s)" found.
[X] Global Suppress "%s" found.
[B] Rule %d not found. Default = %s
[B] Rule %d = %s
%s xmlData decRef(%d) = 0x%x
%s xmlData addRef(%d) = 0x%x
[CBceXml::releaseData] decRef(%d) = 0x%x
[B] Storing new Xml Data. 0x%x
[B] Parse Status = %s
[B] Memory Exception parsing XML: %s
[vectorSahGC] decReference (%d)
.PAVCSahGC@@
.PAUXmlObject@XML@@
.PAVBanner@@
.PAVCAlert@@
.PAVCCouponAlert@@
UrlEx
[B] Deleting duplicate ID: %s %s
HotImageUrl
ImageUrl
[AlertResponse] ID=%s [%s EXIST] Type=%s Text=%s ImageUrl=%s
.PAVSahSearchResponse@@
[XD] Skipping Global Suppress type %d: %s
Program[%s] has exe [%s]
Data = %s
ChildNode[%d]: Node Type = %d (NODE_CDATA_SECTION = %d)
Data= %s
[CXMLParser::CreateNode] AppendChildToParent failed: %s
(0x%x): %s
Unsupport type
[D] ERROR (%d)! %s loading failed.
[D] OK. %s. Last update %s
[D] OK. %s has not been modified.
[D] OK. %s was downloaded.
http://
[D] No %s Filename. Ini file either blank or not writable.
[D] XML is invalid or damaged, exception thrown by CodeBuffer in GetFile: %s
[D] OK. Bce Xml. Last update %s
[D] Validate Path(b): %s
[D] Validate Domain(b): %s
agent/bce.sah
[D] Failed to copy %s file from %s to %s. [%d]
[D] Upgrade copied %s file from %s to %s.
[D] Bce specified skin file as: %s
[D] Error updating file %s: %d
SelectRebatesDownload.exe
FFToolbar.txt
agent/agentprefs_.sah
www.shopathome.com
[F] Error copying %s to %s. (%d)
[F] Getting update file "%s" from "%s/%s"
[F] Install Tracking: %s
.PAVCException@@
[F] Exception thrown by CodeBuffer in serviceQuery, %s
[F] Decrypted buffer: %s
[F] Buffer Size %d is larger than remaining buffer %d.
smartupdater/smartupdater.dll
cidUrlPages
cidUrlSites
[F] OK. preferences loaded. %s
[F] Exception thrown by CodeBuffer reading Prefs, %s
[F] New cab needed, cab dog (%s) version does not match running dog.
[F] New update cab downloaded: %s
_.exe
[F] New toolbar cab needed, cab toolbar (%s) version does not match running toolbar.
[F] Unable to create XML temp file, %s (Error=%d)
[F] exception thrown by CodeBuffer in GetFile: %s
[F] XML Merge failed: Error opening file %s. (Error=%d)
[F] Opened %s, size=%d
[F] Failed to open. Creating file %s
[F] Opening file %s
Error Parsing Temp XML. Count = %d. Reloading bce.
Error Parsing Temp XML. Count = %d. Resetting count and reloading bce.
%s entry found, but file %s does not seem to exist. Removing entry.
%s update failed: file %s seems to exist. Using %s entry.
[A] %s Upgrade Complete: %s New Version = %s
%s entry missing, but file %s seems to exist. Using %s entry.
[A] %s Upgrade to Uninstall Key Complete: %s New Version = %s
Deleting Old Uninstall file %s (%s)replaced by newer uninstall file %s.
SAHUninstallKey
FFToolbar\chrome\skin
[F] Loading SelectAlerts Failed (%d)
[F] Loading SelectAlerts: %s
Removing Excess %s: %s
[F] %s
[processSkinDirectories] Failed to open file %s. (%d)
[processSkinDirectories] Processed skin file %s.
[processSkinDirectories] Error reading file %s.
.SKIN
[F] Skin Directory[%d] = %s (%d)
[F] Skin[%d](%d) = %s Url = %s
[F] Signalling Toolbars: %s
[F] SelectAlerts saved in: %s
%xmlv
Only was able to write %d/%d bytes of Basis Xml file: %s
Saved BasisXml file: %s
*.DYM
[F] File %s is not found in %s.
[F] Looking for unused files in: %s
DefaultUrl
[F] File Added To Toolbar Cache List: %s
[F] Load. Image%s, <%s>, URL: %s, Local: %s
FFToolbar\chrome\skin\
[F] DownloadAndCache: %s
[FFToolbar] Done Processing Command %s
CmdProcessed
[FFToolbar] Command = %s
[FFToolbar] Exception parsing %s
[FFToolbar] Deleted %s.)
[FFToolbar] Error Deleting %s: (%d)
[FFToolbar] Error allocating %d bytes to read %s
[FFToolbar] Error Opening %s: (%d)
SelectRebates.ini
ShowIEToolBarForAll: No IE Exists, adding %s=1
{98279C38-DE4B-4bcf-93C9-8EC26069D6F4}
[A] Show FF Toolbar added toolbar to %d Firefox Profiles.
SelectRebatesSkin.dat
.PAVCAlerts@@
.PAVCBannerAlerts@@
.PAVCSearchAlerts@@
[U] Exception thrown by CodeBuffer, %s
[F] OK. Preferences. Last update %s
[F] Prefs location changed, downloading again: %s %s
[F] Validate Path(a): %s
[F] Validate Domain(a): %s
[F] Exception thrown by CodeBuffer in GetPreferences, %s
[A] Exception thrown by CodeBuffer in ParseXmlFile, %s
[F] Waiting time %d second(s) for next %s...
[F] Repeat counter %d
[F] AttemptDownloadPrefs Success. (Event 0x%x)
[F] Setting up scheduler on %d seconds...
[checkNextUpdate] Retry mode finished: %s
[checkNextUpdate] Retry mode timeout %d second(s). Attempt counter: %d
[checkNextUpdate] Retry mode upto 10 times started at: %s
[checkNextUpdate] Update enabled: %s
[checkNextUpdate] Update Skipped: AutoUpdateFailedCount=%d > %d
[checkNextUpdate] Update needed. _retryMode = %s
[checkNextUpdate] InstallMustValidate enabled: %s
[checkNextUpdate] Validate enabled: %s
[F] Upgrade Path: %s.
[A] SahUpgrade RUN_ONCE key found.
Software\Microsoft\Windows\CurrentVersion\RunOnce
[A] AutoUpgradeStatus is %s, but it can not be cleared so no pop.
[A] Report AutoUpgradeStatus: Auto(%s) Status(%s) Result(%s).
[F] Error upgrading (%d): %s
Failed to extract toolbar cab name from ToolbarURL: %s
[F] Iterate Toolbar Cabinet Failed. Unpacked %d Files. Error(%d %d)
[F] Download Toolbar File (%s)(%s) to %s
Toolbar Upgrade Failed: Unable to find windows temporary folder.
[F] Error launching updater (%d)
[F] Starting updater: %s
[F] Iterate Cabinet Failed. Unpacked %d Files. Error(%d %d)
[F] Path: %s
[F] Server: %s
update911.exe
setup911.tmp
Unable to find windows temporary folder.
0.0.0.0
[F] SelectRebatesUpgrade signal unexpected value = %s(%d) (Error=%d)
[F] SelectRebatesUpgrade Failed: CreateProcess failed (%d)
[F] SelectRebatesUpgrade: Launching %s
[F] SelectRebatesUpgrade. Execute newer SelectRebates (%s). (Upgrading from %s)
[F] SelectRebatesUpgrade Failed. Unable to find new SelectRebates file %s.
[F] SelectRebatesUpgrade. ERROR: %s found on the command line. Infinite Upgrade Loop Diffused?
[F] SelectRebatesUpgrade. New SelectRebates (%s) running.
[F] SelectRebatesUpgrade. SelectRebates running, but version (%s) does not match expected(%s).
[F] SelectRebatesUpgrade COMPLETE! Deleted upgrade file %s
[F] SelectRebatesUpgrade. Failed to delete upgrade file %s. (%d).
[F] SelectRebatesUpgrade. Error: New and Old SelectRebates have the same filename: %s
[F] SelectRebatesUpgrade Failed. Unable to parse module name %s.
[F] Removing %s and %s temp directories.
[F] Delete Upgrade File: %s %s
[F] Delete EulaUpgrade File: %s %s
Failed (%d)
[F] Checking for upgrade files to remove. UpgradeStatus=%s
[F] SelectRebatesUpgrade Copy Failed (%d)... Try again later.
[F] SelectRebatesUpgrade Complete. New file %s copied. Status=%s
[F] SelectRebatesUpgrade. Replacing %s (%s)
[F] SelectRebatesUpgrade. Copying New %s (%s)
ShowWindow = (%d): %s
CCheckServerDialog::MyCreateFont = 0x%x
CCheckServerDialog::OnPaint::serverUp(%d):%s
%s is temporarily unavailable for cash back rebates.
%s is again available for cash back rebates.
[P] Skipping Popup: MID = %d, PopupID = %d
[P] Skipping Older Popup: MID = %d, PopupID = %d
[P] Rule set: DoRedirect = %s, DoPopup = %s, DoSlider = %s, RedirectSuppress = %s (%s)Pop(%d) (Rule: %s)
[R] Rule %d for MID=%d is not defined
[R] Upgrade Rule %d for MID=%d is not defined
[P] Upgrade DoPopup = %s %sPop(%d) (Rule: %s)
[R] Dog NeedsUpgrade. Rule %d for MID=%d.
[P] Rule ID: %d
[P] NeedsUpgrade: %s
[P] Current Browser Has A visible Toolbar: %s
[P] DisableRedirects user: %s
[P] Stealth user: (%s) = %s
[P] Failed fo find popup (%d).
[P] Error loading InfoPop %d for mid(%d). Popup %d not found.
[P] Building Popup for %d: %d
[P] Image is not set for popunderID=%s
[P] Image is not found for popunderID=%s
[P] Building Popunder for %d: %d
checkpassword
[P] Unable to write PopupHtmlFile: %s
[P] Do Secondary reg pop option is: %d
[P] Do initial reg pop option is: %d
Error-%s
[P] Do Donovan's Popup(%d) here for mid(%d): %s
XPDX(%d)
BLD(%d)
[P] Error building InfoPop %d for mid(%d). Popup %d replace failed.
XPD(%d)
NF(%d)
[P] Error building InfoPop %d for mid(%d). Popup %d not found.
[P] Building InfoPop for %d: %d
Mozilla
[PT] Warning: No version operator found processing popup.
Unable to create IE control container in PopWindow, Last Error = %d
Shell.Explorer.2
v=1,pid=%d,data=%s,%s
Unable to parse destination url: %s
Unable to open link in PopWindow navigate: %s
Unable to parse url: %s
PopWindow navigate: %s
[CWindowImplBaseT::StartWindowProc] pThis(0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x) StartWindowProc(0x%x)
[CWindowImplBaseT::WindowProc] pThis(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!
[CWindowImplBaseT::WindowProc] pThis(0x%x) m_hWnd(0x%x) wndProc(0x%x)
[Luke's Debug] Toolbar HWND = 0xx
[Luke's Debug] Parent HWND = 0xx
Create POP Url!.
[~BrowserDataWrangler] rc=%d
[B] AdServe. Shell windows init %s. (result = %d)
[B] FireFox Document Complete CopyData: %d(%d)
[B] FireFox Document Complete
Exception in SaveFireFoxCopyDataContent
[M] WM_COPYDATA message. Type: %d
Unknown ItemID in Firefox data: %d
Error in Firefox COPYDATA. Data Overflow.
[B] FireFox COPYDATA %d(navPtr=%d, ver=%d)
Exception in ProcessFireFoxContent
[B] FireFox. Toolbar call
[B] searchIE failed to find a browser object: "%s" (0x%x).
[B] Creating new Attribute called: "%s".
Advise#%d-%s
[X] Deleting Attribute called: "%s"
[B] exception 2 thrown by searchIE. exceptionTrack = %d
[B] exception 1 thrown by searchIE. exceptionTrack = %d
[B] Browser FOUND. Top window: 0x%x, class: %s
[B] Checking HWND 0xx against 0xx in searchIE
[B] Window 0x%x was found by old code
[B] exception thrown by searchIE. exceptionTrack = %d
[B] Hidden browser FOUND. Top window: 0x%x, class: %s
[B] Window 0x%x was found by new code
[B] Found %i number of shell windows
[B] %s
Cannot get count. Try to get ShellWindows again.
MException trying to navigate same IE tab to: %s
[BrowseToUrl] Browse to IE tab (0x%x): %s
[IEEvents] DISPID_PROPERTYCHANGE - %s
[E] DISPID_PROPERTYCHANGE: LookupFailed 0x%x
[B] ExtraHeaders: [%s] URL: %s
[B] Headers: [%s] URL: %s
[E] DISPID_BEFORENAVIGATE2: %s
[E] DISPID_BEFORENAVIGATE2: LookupFailed 0x%x
[E] DISPID_DOCUMENTCOMPLETE: %s
[E] DISPID_DOCUMENTCOMPLETE: LookupFailed 0x%x
[IEEvents] (0x%x) %d
[IEEvents] (0x%x) %d %d, %d
[B] CBrowserEvents::toolbar. MAIN Frame URL: %s
[X] remove is removing attribute: "%s"
[X] removeAll is removing attribute: "%s"
[Mouradeling] Canceling redirect for 0x%x to: %s
Removing Mouradeling %d from _mouradelingList
BrowserEventsTimerProc(0x%x,%d,%d,%d)
[Mouradeling] SetTimer(0,0,%d,BrowserEventsTimerProc)
[B] Unhanded Exception in executeMouradelingAction.
[Mouradeling] Browse to IE tab (0x%x): %s
[Mouradeling] Cancelled: No source url.
[BrowserEventsTimerProc] Mouradeling %s(flag=%d). DC(#%d)-> pid(%d) mid(%d): %s)
[Mouradeling] Url matches regex "%s". Mouradeling filter on. Skipping DC. (%s)
MozillaUIWindowClass
MozillaWindowClass
mozilla firefox
windows internet explorer
[P] Error launching api pop: %d
[S] Start Search PopUnder #%s
[S] Unable to update SearchPopunderNumber. Skipping search: LastError=%d
S2> UniversalRequest response: %d
S2> Params: %s
[S] Search url: %s
[S] Search string: %s
[S] Search off, ignoring search term: %s
[S] Secondary Registration Delay %d seconds.
[S] Start session for: %s. %d second timeout then checking for next update
[S] Search: Search123 : %s
[S] Search Disabled: %s
[S] Search pop-under is restricted by Rule: %d
[S] Search pop-under is disabled. Enabled only for countries: <%s>
S2> Unable to update Search2Number. Skipping search2: LastError=%d
[S] Duplicate Search found: %s
[S] ProcessSearchEngine: %s
[S] FindWhat: %s
193.168.0.12
&mt=%s&ip_addr=%s
[S] Search123: %s
src="http://
[M] LibraryHooked (%d)
[M] Hooking Skipped: Running process (%d) matches pid.
[M] Hooking Skipped: Process %d is already hooked (Lib Hook = 0x%x).
[M] LoadLibrary Install Process Hook: hwnd:0x%x tid:0x%x pid:%d
[M] LoadLibrary Install Process Hook Skipped: IE8 IS NOT detected (found explorer.exe instead)! hwnd:0x%x tid:0x%x pid:%d
[LibHook] Remote LoadLibrary %s: hModule=0x%x
[LibHook] CreateRemoteThread failed. 0xx
[LibHook] Found pre-existing DLL in Process ID 0xx, backing out
[LibHook] VirtualAllocEx failed. h=0x%x error=%d
[LibHook] Could not open Process = 0xx
[M] Injecting Hook into process id 0x%x
[M] Hooking Skipped: Process %d hooked itself!
[M] Toolbar Hook Detected: pidA=%d pidB=%d
[M] Unable to remove hook on pid %d, no hLibModule found.
[M] FreeLibrary result = %d
[M] Failed to CreateRemoteThread to unload hook in (%d)
[M] FreeLibrary Remotely run FreeLibrary in process handle (0x%x)
[M] OpenProcess failed. (%d)
[M] FreeLibrary Install Process Hook: pid:%d
[M] Browser Found (%s, %s) Post BEMessage_CheckWindow... enum HWND: 0x%x
[CCheckBrowser] PID = ] HWND = 0x%5x Class = s
[CBP] Image Found: %s
background-image: url(
[TBar] Regexp_exception: (%d) %s
[TBar] RegEx. UrlEx: %s, id: %s
[TBar] Regexp_exception search: (%d) %s
[M] UrlEx AlertRequests are off.
[M] SearchEx and UrlEx AlertRequests are off. Skipping RegEx.
[TBar] CCheckBrowser::RegExToolBar. No url terms.
[TBar] CCheckBrowser::RegExToolBar. Query %s, phrase: %s
[TBar] CCheckBrowser::RegExToolBar Sending ESearch search phrase to AlertServe: %s
[TBar] Sent Search Phrase to IE Toolbar History: %s
%d|%d|%s
[R] Skip: Blank Url
[R] Skip: MID=%d. Redirect OFF (No Need) URL (%s)
[R] Skip: MID=%d doRedirect is false. AutoRedirect is turned OFF
[R] Skip: MID=%d Trigger=%s has redirect set to no. AutoRedirect is turned OFF
[R] Skip: MID=%d is not SAH client, AutoRedirect is turned OFF
[R] AutoRedirect: %s
[R] MID=%d SAH client, AutoRedirect ON
[R] Skip: MID=%d SAH client, AutoRedirect OFF
[R] Skip: SPECIFIC domain. Redirect OFF. (MID=%d)
[R] Skip: SEEING EYE HELPER REDIRECT OFF: Redirect OFF. (MID=%d)
[R] Skip: Delay Redirects Until %s: Redirect OFF. (MID=%d)
[R] Current Hook version is: %s
[R] No popup specified for MID=%d.
[R] Skip. Check Site! popup (%d)%d
[R] Redirects are disabled until: %s
[R] OptInRedirect option is: %s
[R] Hook(%d): %s
[R] Hook: * %s
[R] Suppress is turned ON for MID:%d for %d seconds
[R] Suppress turned ON for url "%s" for %d seconds
[R] MID=%d. Site Down: Redirect back ON
[R] MID=%d. Redirect is turned ON
[R] GLOBAL domain. Redirect is turned OFF for MID=%d (%s)
[R] MID=%d. Redirect OFF, Suppress%s Timeout for another %d seconds.
[R] Ignore URL E: %s
webfastconnect
[R] AdServe URL. Globally suppressed for %d more seconds.
[R] Ignore Frameset URL: %s
[R] Ignore URL D: %s
[R] Ignore URL C: %s
topmoxie.com
[R] Ignore URL B: %s
sysupdates.com
[R] Ignore URL A: %s
ebates.com
[R] MID=%d. Redirect OFF (MarkAsNotRedirect)
[R] New GLOBAL Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)
[R] Resetting GLOBAL Suppress Time to %d seconds. PID(%d) Type = %s (%x)
[R] New Per Merchant Suppress. Suppress ON. Expires in %d sec. PID(%d) Type = %s (%x)
[R] Resetting Per Merchant Suppress Time to %d seconds. PID(%d) Type = %s (%x)
[R]Removing GLOBAL domain for PID %d. Type = %x (%s)
[R]Removing expired suppress for PID %d. Type = %x (%s)
[R]Removing suppress for PID %d. %s (%d) 1
[R] Suppress Found PID(%d) / MID(%d). Type = %s (%x) (%d sec remain)
[R] Removing Suppress PID(%d) / MID(%d). Type = %s (%x)
[R]Removing GLOBAL domain for PID %d. 1
Checking FramesetoutList: pid(%d) mid(%d)
Redirect detected, : pid(%d) mid(%d): %s
[R] Unexpected framesetout. Not triggering extra Redirect AlertRequest for %d
[R] InfoPop(%d) found... we are probably in the redirect thread, and I'm not sure what to do at this point... defininitely can't build the pop here. Going to push it to the popup thread to build and download.
[confirmRedirectOccurred] Also recording framesetout on unexpected pid= %d mid(%d)
[confirmRedirectOccurred] ared(NULL) pid(%d), mid(%d)
[confirmRedirectOccurred][DC Mouradeling - Off] (Flag=%d)
[confirmRedirectOccurred][Mouradeling - Off] %s (%s)
No Url
[confirmRedirectOccurred][Mouradeling - On] Wait for ON_DOCUMENT_COMPLETE and goto %s
[confirmRedirectOccurred] ared(#%d)->pid(%d) mid(%d) Popup(%d, %d, %d, %d)
[M] FrameSetOut from toolbar: %s
[M] persistID[%d] size = %d
decodeQueryStringCoderZip2 failed. bad buffer size= %d.
Incorrect key length
\wininit.ini
PendingFileRenameOperations
[CQueuePending] UnPendMove List of files: %s
[CQueuePending] Processing %d ClearPend File%s.
UnPendMove(%s) %s
Detected Pending Move of %s
Found %d default detection items.
Detected the following items: %s
Item #%s %s found (%s)
pad.exe
can.exe
tmgr.exe
ield.exe
svc.exe
KERNEL32.DLL
%d.%d.%d.%d
\StringFileInfo\XX\FileVersion
[DT] Transaction 0x%x sis clearing wrapper 0x%x
~CDownloadTransactionWrapper 0x%x
Error sending WM_COPYDATA message to 0x%x. Error downloading.
[U] Timeout Waiting for Download Done - %d (%d)
[U] Window found: %x. Send WM_COPYDATA from 0x%x.
[U] Storing this transaction (0x%x) in wrapper 0x%x
[U] Buffer length = %d
[sendDataBuffer] >>>>> Lock section: %s %s
[sendDataBuffer] >>>>> Getting Ready to lock section: %s %s
[U] sendDataBuffer. %s%s
Download Exe Window Found 0x%x! Version = %d
Browser Downloader Window Found 0x%x! Version = %d
[U] HTTP result: %d
[U] Method: %s Content type: %s
http=
[U] Server: %s path: %s content: %s
InternetSetCookie failed to add %d.
InternetSetCookie failed to remove %d.
InternetSetCookie(%s): %s (%s)
GetCookieValue FINISH: %s
InternetGetCookie failed %d.
GetCookieValue (%s)
[U] Cookie Blocked! Using previous %s cookie value of "%s"
[U] Clear cookie: %s (%d)
[U] Cookie Blocked! Using default cookie value of "%s"
[U] Get cookie failed. (%s)
[H] WM_COPYDATA finish. Download Failed, transaction not found (window :%x) (result :%d) (path: %s)
[H] WM_COPYDATA finish. Download Done (window :%x) (result :%d)
Download Path %s does not match requested path %s
[HIE] GetWindowText(0x%x)
[FindHookWindow] SearchForDownloadWindow(%d) = 0x%x
[FindHookWindow] SearchForDownloadWindow(%d)
?456789:;<=
!"#$%&'()* ,-./0123
PsApi.dll
[IE8?] GetModuleFileName failed to get browser name (%d)
%s at: %d
[HIE] read map: 0x%x
[U] Time-out before close hidden %d sec.
[HIE] Cannot find IE, opening temp IE window, count = %d.
[HIE] Searching for IE window, count = %d
[HIE] Temp IE window, count = %d.
[closeDownloader] Closing hidden Downloader window based on pid(%d) 0x%x
[closeDownloader] Closing hidden Downloader window based on HWND 0x%x
[closeDownloader] pid(%d) hwnd(0x%x)
[waitForStart]Found hwnd 0x%x.
[waitForStart]Searching for %s window.
[waitForStart] Found hwnd in map: 0x%x.
[cleanHIE] IE window cleanup delayed, count = %d
Closing downloader Exe window 0x%x!
[closeIE] Quit IE failed, trying WM_CLOSE... 0x%x
[closeIE] Quitted IE... 0x%x
[closeIE] Quitting IE... 0x%x
[openIE] Exception opening IWebBrowser2.
[openIE] IWebBrowser2 failed to provide a good HWND.
mozillauiwindowclass
SearchForTopHiddenIEWindow(%d)
URLUpdateInfo
URLInfoAbout
UninstallUpdateUrl
UninstallAboutUrl
UninstallHelpUrl
Software\Microsoft\Windows\CurrentVersion\Uninstall
[A] Removing uninstall key %s
Setting Uninstall Data (%s || %s)
Warning: NOT Releasing Mutex (we don't own it.) (0x%x) (%d)
Released Mutex (0x%x) = %d, %d
Timeout waiting for Mutex. (%dms)
Error waiting for mutex WAIT_FAILED (%d)
Unknown Mutex code (%d), error.
shell32.dll
shfolder.dll
[XmlSkinDataGC] Deleting Item. 0x%x count = (%d). Delete Count = %d
[XmlSkinDataGC] 0x%x count = (%d). Delete Count = %d
COM Error = %d
[SAHSKIN] Parse Status = %s
%s XmlSkinData decRef(%d) = 0x%x
%s XmlSkinData addRef(%d) = 0x%x
[CSahSkin::releaseData] decRef(%d) = 0x%x
[CSahSkin::ParseXmlFile] %s
[CSelectAlertSettings] OptOut Found: %s
SelectAlerts.dat
ShopAtHomeToolbar.dll
firefoxtoolbardir
install.rdf
basis.xml.temp
basis.xml
[email protected]
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
ToolBand.ShopAtHomeIEHelper
{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
ShopAtHome.IEToolbar
{462E4AEC-DB3B-4e69-AF61-4F300D76255C}
[F] Toolbar Uninstalled = %s
[F] Toolbar Installed = %s
internet explorer\iexplore.exe
Failed to copy toolbar files: %s
Toolbar to install (%s) is older than the existing toolbar (%s): %s
Error creating %s directory for toolbar (%d)
Registering Firefox Toolbar: %s
Removed Empty Directory: %s
Checking for Firefox Toolbar: %s
No Firefox Toolbar found at %s
Failed to unregister Firefox Toolbar: %s
Removing file: %s
Unregistered Firefox Toolbar: %s
Removing directory: %s
Mozilla\Firefox\
Profile%d
Mozilla\Firefox\Profiles.ini
Firefox is %sinstalled.
Mozilla\Firefox\Profiles
Firefox %s complete. #Success = %d #Fail = %d
%s FF Toolbar: profiles in %s
Failed to find Application Data directory. (%d)
[uninstallToolbarRegistrySettings] Deleting Toolbar reg keys for %s.
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
[T] Toolbar Upgrade Complete. Deleting old toolbar file: %s
[Basis] Failed to install new basis %s from to %s (%d)
[Basis] New basis %s copied to %s
[Basis] Basis restore failed: %s %d
[Basis] Basis restored. Deleting temp Basis: %s
[Basis] Restoring old Basis: %s
[Basis] Basis updated. Deleting old Basis: %s
[UpgradeToolbar] Failed to copy new toolbar %s over old toolbar %s. (%d)
[UpgradeToolbar] Successfully copied new toolbar %s over old toolbar %s.
[T] Failed to register toolbar: %s
[T] Failed to set toolbar registry keys: %s
[UpgradeToolbar] Toolbar upgrade Pending: %s : %s
Toolbar RegistrationA failed (%d);
[installToolbar] RegisterToolbar regsvr32 failed (%d) with error %d.
[installToolbar] Calling regsvr32 to install toolbar: runProcess(%s)
[installToolbar] all %d Registry Keys Set.
[installToolbar] Mini Toolbar Key Upgrade failed to Upgrade (%d %d) keys from %s to %s.
[installToolbar] Mini Toolbar Key Upgrade Upgraded %d keys from %s to %s.
TbReg no rights(%d). Set %d of (%d %d %d) keys.
[installToolbar] Insufficient rights (%d) to do toolbar registration. Currently have set %d of (%d %d) keys.
[installToolbar] Toolbar %s is registered, checking for rights to register %s
[installToolbar] Existing Toolbar Keys detected. Upgrading %s to %s. (%d,%d %d)(Rights=%d)
[installToolbar] RegisterToolbar(%s, %s)
Toolbar RegistrationB failed (%d);
[installToolbar] regsvr32 failed (%d) with error %d.
TbReg only set %d of (%d %d %d) keys.
[installToolbar] Toolbar keys for %s found.
[installToolbar] Toolbar registration only set %d of (%d %d) keys.
Windows Vista
Windows 2003
Windows XP (Whistler)
Windows 2000
Windows ME
Windows 98
Windows NT 4.0
Windows 95
Windows NT 3.51
Deleting %s %s.
WebFastConnect
0123456789
Terminate Process %d
CreateProcess pid = %d
CreateProcess Failed (%d)
IELaunchURL Failed (hr=%d;Error=%d)
IELaunchURL pid = %d
\FirefoxHTML\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
internet explorer\iexplore.exe" "%%1"
.html
[browseWithIWebBrowser2] Exception opening browser
[browseWithIWebBrowser2] Failed to open browser with HWND: res=%d
[browseWithIWebBrowser2] Closing HWND: 0x%x
[browseWithIWebBrowser2] Force browser to front: 0x%x
[browseWithIWebBrowser2] Opened browser with HWND: 0x%x pid(%d) ::IsWindow=%d
Content-Type: application/x-www-form-urlencoded
[browseWithIWebBrowser2] %s (hidden=%d,msWait=%d,forceToTop=%d)
[RunIe] (0x%x) Skipped: There can be only one.
[RunIe] (0x%x)
Process pid = %d
CreateProcess failed (%d)
CreateProcess(%s,%s)
CreateProcessAsUser failed (%d)
OpenProcessToken returned processToken(0x%x). CreateProcessAsUser(%s,%s)
OpenProcessToken failed (%d)
WaitForSingleObject() = %d
ShellExecute failed with error %d.
ShellExecute succeeded.
ShellExecute(0,open,%s,%s,0,Hide)
[CopyDirectory_CopyFile] %s: %s -> %s
[CopyDirectory_NewDirectory] Created Directory: %s
[CopyDirectory_NewDirectory] Error Creating Directory: %s (%d)
[ITB] Installing toolbar files from %s to %s.
[SVistaDll] Failed to load IEIsProtectedModeURL.
[SVistaDll] Congratulation! IEIsProtectedModeURL address is 0x%x
[SVistaDll] Congratulation! IEIsProtectedModeProcess address is 0x%x
[SVistaDll] Failed to load IELaunchURL.
[SVistaDll] Congratulation! IELaunchURL address is 0x%x
IEIsProtectedModeURL
IELaunchURL
ieframe.dll
[SVistaDll] Congratulation! ChangeWindowMessageFilter address is 0x%x
user32.dll
[SVistaDll] Congratulation! ConvertStringSidToSid address is 0x%x
[SVistaDll] Congratulation! ConvertStringSecurityDescriptorToSecurityDescriptor address is 0x%x
Advapi32.dll
[SVistaDll] %s %s%d %s
[SVistaDll] IEIsProtectedModeURL uninitialized
%s %s
BN %d %s
DC %d %s
Firefox
Firefox DC %s
%d_%s
Error Creating Directory: %s (%d)
Created Directory: %s
support for \P, \p, and \X has not been compiled
PCRE does not support \L, \l, \N, \U, or \u
this version of PCRE is not compiled with PCRE_UTF8 support
POSIX collating elements are not supported
erroffset passed as NULL
POSIX named classes are supported only within a class
operand of unlimited repeat could match the empty string
[TB] %s
[TB] Seconds last asked %d sec. min_interval: %d sec. (last received: %d sec)
[TB] Last received for favorites: d-d-d d:d:d
[TB] Activate favorite trigger. open_interval: %d seconds (157)
[TB] Last asked for favorites: d-d-d d:d:d
[TB] Activate request. favorite_alert_delay: %d ms
[TB] Add request type="Favorites", Last(Received)Favorites="%s"
[TB] Item %s. Type: %s, String: %s, MID: %d
[TB] Item %s. Type: %s, String: %s, LastFavorites: %s
[TB] Item %s. Id: %s, Type: %s, String: %s
[TB] Delay alert request. Timeout: %dms
[TB] Requests size %d. Limit: %d
[TB] AddSearchRequest. Result %s. Id: %s, Type: %s, String: %s
[TB] Requests count %d exceeds the limit %d
[TB] Removing SahSearchRequest. Id: %s, Type: %s, String: %s
[TB] Dedup seconds expire, %s
[TB] ToolBar response: %s.
ToolbarUninstallReport
{0B5DAF6D-4671-49dd-B7E3-69A4293F80B6}
%d|%d|
[D] Timer expired. HWND: %s
[M] detectionResult = %s
[M] Upgrade Status Delay: %dms
[M] Registration Delay %d seconds.
[A] Added FF Toolbar extension to %d Firefox Profiles.
[M] CException in theApp.fileManager.checkNextUpdate()
[M] Start timer %s min
UnInstallExecute
[M] Close Hidden in %dms
[P] Error launching uninstaller: %d
[P] Error starting hook update (%d)
[M] Starting full update: %s
You have successfully logged into ShopAtHome.com. Enjoy your Cash Back shopping!
Incorrect password for this email address. Please try again.
Already have a messagebox open with same email/password.
Thank you for registering with ShopAtHome.com.
MessageBox: "%s"
forgotpassword
[M] Duplicate registration event: %s
PopUnderURL
[M] Shell Execute returned %d.
[M] Opening page %s
[M] Error Creating CheckServer Thread. (%d)
[R] Cancelling Popup for %d.
[R] Hook CheckSite(%d)%d - Site is NOT available.
[R] Queueing Popup for %d.
[R] Hook CheckSite(%d)%d - Site is available.
[M] WM_USER   112 message. Command: %d
[M] WM_COPYDATA message. Command: %d.
[M] Obsolete Metaupdate 555 signal from pre 4.2.5.0 hook.
Handling class:%s HWND:[0x%.8x] Main window %s: HWND:[0x%.8x]
--------- List of handling windows
Main window %s: HWND:[0x%.8x] Handler pointer:[0x%.8x] Edit HWND:[0x%.8x]
--------- List of IEFrame windows
[M] Check for alerts on redirect: URL:%s
[M] Optout List Selected: %s
[ToolbarAlert] #%d
[M] FirefoxToolbar Fso Signal
[Luke's Debug] Adding new IE8 tab [0xx] found by browser signal toolbartab
[Luke's Debug] Adding new tab [0xx] found by browser signal toolbartab
[M] New Browser Signal: WM_USER 500 message. wParam: 0x%x (type=%d)
[M] %s
Removed HTTP loader thread
WARNING: HTTP loader thread is terminated
WARNING: Failed to post WM_QUIT to redirectThread (%d)
[M] WebFastConnect Uninstall request
WebXb
?cmd=status
[M] Unininstall request reported...
[M] Uninstall request report failed.
[M] Uninstall request report failed... retry in 2 minutes.
ASUninstallReport
UninstallReport
[M] Registration request reported...
[M] Registration request report failed... retry in 2 minutes.
Install Registration(%d) - %s - %s
[M] WM_SETTEXT message. Type: %d
[LoadCharFileIntoCString] CreateFile Failed %d
[LoadCharFileIntoCString] %s
[CSahEvent] data (0x%x) refCount=%d
[CSahEvent::=] data (0x%x) refCount=%d
[~CSahEvent] data (0x%x) refCount=%d
[CSahEventManager] Error creating event %s.
UniqueBundleKey
Failed to register %s class! (%d)
Downloader %s does not exist?? COpenHiddenIEIfNone will use IE.
Activating COpenHiddenIEIfNone with %s.
[A] Windows 95/98/ME
[A] Windows NT based system
aswfctemp.ini
[A] New bceXMLTmp filename: %s
vincfile.dat
[A] New bceXML filename: %s
SelectRebatesB.dat
vbcefile.dat
SelectRebatesU.dat
SelectRebatesH.dat
SelectRebatesA.dat
[A] SelectRebatesSelfUpgrade completed! Exiting this instance. (%s)
SRebates.dll
[No Hook Found] Dead Dog! KillSelf(%s)
SelectRebates.exe
Uninstaller found at %s. Chameleon Dog!
Uninstaller found at %s. Program Files Dog!
SelectRebatesUninstall.exe
USE_IWEBBROWSER2
_WINDOWS
[A] Using exe substitution ini file: %s
[A] Using SelectRebates ini file: %s
[A] Started SelectRebates: %s (built %s %s).
14:29:29
SRebates.log
Software\Microsoft\Windows\CurrentVersion\Run
[M] CheckD=%s
SRFF3.dll
127.0.0.1
Setting CheckMeta: %s
[A]Hook copy failed, using new file for now: %s
[A]Old Hook deletion (c): %s
[A] Switch to new dll: %s
[A]Hook install time: %s. Last Reboot time: %s
[A]Deleting new DLL: %s
[A]New DLL Name = %s
[A]Old DLL Name = %s
[A]Loading library: %s
[installThreadHook] LoadLibrary(%s) has failed (%d): %s.
[installThreadHook] Thread Hook (%s) has been installed.
[A] AdServe disabled by pref: AdServing=%s.
[A] AdServe disabled. On only for countries %s
[A] AdServe disabled by rule: %s
[A]Shell Execute returned %d.
[A] ShellExecuting page %s
[A] Browser %s FOUND (0x%x)
chrome_widgetwin_0
[CWindowImplBaseT::SubclassWindow] (0x%x) m_hWnd(0x%x) new(0x%x) old(0x%x)
[CWindowImplBaseT::UnsubclassWindow] this(0x%x) ERROR!!!! UnsubclassWindow, m_pfnSuperWindowProc == 0!
[CWindowImplBaseT::UnsubclassWindow] (0x%x) m_hWnd(0x%x) our(0x%x) active(0x%x) original(0x%x)
[F] Temporary File Name = %s
%Program Files%\
%Program Files%\SelectRebates\Toolbar\
%Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
%Program Files%\SelectRebates\SelectAlerts.dat
%Program Files%\SelectRebates\Toolbar\ImageCache
%Program Files%\SelectRebates\FFToolbar\
%Program Files%\SelectRebates\FFToolbar\install.rdf
version="4.4.0.3"
name="SelectRebates.exe"
ShopAtHome.com
Password
Server : port
5, 2, 0, 0

iexplore.exe_592:




%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    regsvr32.exe:756
    %original file name%.exe:1500
    SelectRebates.exe:2028
    SelectRebatesDownload.exe:2024
    SelectRebatesDownload.exe:1272
    ShopAtHome_Toolbar_Installer.exe:1740
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\SelectRebates_.exe (17138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-wishlist.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_HotSpots.bmp (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\basis.xml (1347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome\sahtoolbar.jar (3689 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\toolbar.ini (115 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\icons.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-go.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SRebates_.dll (3624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo_24.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUpdater.exe (2128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\GroceryCoupon.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\chrome.manifest (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AHX6B4M9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ShopAtHome_Toolbar_Installer.exe (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\ReviewSite.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\FFToolbar\install.rdf (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesUninstall_.exe (7104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Blank.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2FFAH1MS.tmp (291 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-icons.bmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\ShopAtHomeToolbar_.dll (13304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\CashBack.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\24P26NA4\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\SelectAlerts.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup5200.ini (4935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XMNUZUYC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\i_magnifying.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LV5MCTUC.exe (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJTGL44G\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SelectRebatesApi_.exe (2804 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-alert.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\sahtb-restaurant.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\logo.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SRFF3_.dll (3553 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Coupons.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\Scissors.bmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SahToolbar\Toolbar\AddtoList.bmp (1 bytes)
    %Program Files%\SelectRebates\srtmpprf1cbo1bfc.tmp (2 bytes)
    %Program Files%\SelectRebates\srtmpsqus6ksvjjd.tmp (6 bytes)
    %Program Files%\SelectRebates\SelectAlerts.dat (7 bytes)
    %Program Files%\SelectRebates\SelectRebates.ini (168486 bytes)
    %Program Files%\SelectRebates\SelectRebatesB.dat (11518 bytes)
    %Program Files%\SelectRebates\srtmpgfiv51ljon0.tmp (9607 bytes)
    %Program Files%\SelectRebates\SelectRebatesBT.dat (16 bytes)
    %Program Files%\SelectRebates\srtmpprfu7r3kl5g.tmp (2 bytes)
    %Program Files%\SelectRebates\srtmpsqu2jmret6p.tmp (4 bytes)
    %Program Files%\SelectRebates\SelectRebatesA.dat (6 bytes)
    %Program Files%\SelectRebates\srtmpprft1g072d3.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\installstatus.tmp (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\U9E0PNFU.tmp (460 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\toolbar5200_ff.cab (172089 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup5200.cab (235057 bytes)
    %Program Files%\SelectRebates\FFToolbar\chrome\sahtoolbar.jar (601 bytes)
    %Program Files%\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (1 bytes)
    %Program Files%\SelectRebates\Toolbar\CashBack.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\GroceryCoupon.bmp (1 bytes)
    %Program Files%\SelectRebates\SelectRebates.exe (6841 bytes)
    %Program Files%\SelectRebates\Toolbar\ReviewSite.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\Scissors.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\logo_24.bmp (6 bytes)
    %Program Files%\SelectRebates\FFToolbar\install.rdf (1 bytes)
    %Program Files%\SelectRebates\Toolbar\logo_HotSpots.bmp (6 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-icons.bmp (8 bytes)
    %System%\config\SOFTWARE.LOG (5347 bytes)
    %Program Files%\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (5441 bytes)
    %Program Files%\SelectRebates\Toolbar\logo.bmp (6 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-alert.bmp (1 bytes)
    %Program Files%\SelectRebates\SelectRebatesApi.exe (673 bytes)
    %Program Files%\SelectRebates\Toolbar\AddtoList.bmp (1 bytes)
    %Program Files%\SelectRebates\FFToolbar\chrome.manifest (271 bytes)
    %Program Files%\SelectRebates\Toolbar\i_magnifying.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\icons.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-wishlist.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-restaurant.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp (1 bytes)
    %Program Files%\SelectRebates\SRFF3.dll (673 bytes)
    %Program Files%\SelectRebates\Toolbar\basis.xml (20 bytes)
    %Program Files%\SelectRebates\Toolbar\sahtb-go.bmp (1 bytes)
    %System%\config\software (3756 bytes)
    %Program Files%\SelectRebates\SelectRebatesUninstall.exe (1425 bytes)
    %Program Files%\SelectRebates\SelectRebatesDownload.exe (673 bytes)
    %Program Files%\SelectRebates\Toolbar\Blank.bmp (1 bytes)
    %Program Files%\SelectRebates\Toolbar\Coupons.bmp (1 bytes)
    %Program Files%\SelectRebates\SRebates.dll (673 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SelectRebates" = "%Program Files%\SelectRebates\SelectRebates.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now