WebToolbar.Win32.InstallCore_743e3d7d12
Trojan.Win32.Sasfis.FD, WebToolbar.Win32.InstallCore.FD, WebToolbarInstallCore.YR (Lavasoft MAS)
Behaviour: Trojan, WebToolbar
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 743e3d7d12a5de8ec557bf395edca22a
SHA1: 4c388cf593189aa35facaf2771b4b8b26a20e789
SHA256: 13ffc35309278015b7387376d324c7e8985e7c77cf7e382013d7de0e50688701
SSDeep: 12288:HDGo4udWRJD17zXIsqHBG37BDer2pzYdX4At66Hrm ykp216Tj:Hy6oJ7zXxqHBwBeefOlp216Tj
Size: 585096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (the fixed link timestamp the Delphi linker writes into every executable, not the real build date)
Analyzed on: WindowsXP SP3 32-bit
Summary:
WebToolbar. A toolbar installed into a web browser.
Payload
No specific payload has been found.
Process activity
The WebToolbar creates the following process(es):
No processes have been created.
The WebToolbar writes code into the following process(es):
%original file name%.exe:276
This is the sample's own process (PID 276); no other process is touched. What the sandbox records as injection is the UPX stub unpacking the original Delphi executable into the RWX region at 0x00401000 (the UPX0 section, which has no raw data on disk), the region the second strings dump below was taken from.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:276 makes changes in the file system.
The WebToolbar creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\offer_html.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\icon.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\license.txt (18 bytes)
%Program Files%\is521343.log (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\loader.gif (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\progress-bg.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\US\offer_code.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\offer_code.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4DD.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\skip-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\close_button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\blank.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\finish_button.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\finish-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\images\progress-bg.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\1535764653.cfg (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\locale\EN.locale (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\Bg.jpg (14 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\bootstrap_16799.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007ECFD.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\next-button-over.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\next-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\back-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (1866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\buttons.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F5D7.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\1395250404.cfg (220 bytes)
%Documents and Settings%\%current user%\Desktop\Continue FoxTab FLV Player Installation.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\browse.css (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\US\offer_html.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\Software.png (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\progress-bar.css (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\main.css (3 bytes)
The WebToolbar deletes the following file(s):
%Program Files%\is521343.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007ECFD.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\bootstrap_16799.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F5D7.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4DD.log (0 bytes)
Registry activity
The process %original file name%.exe:276 makes changes in the system registry.
The WebToolbar creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 BA 27 3B D2 DB 09 FD 70 C9 52 CB E1 23 3A 6E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The WebToolbar sets the IE security-zone option that maps all network paths (UNC paths) to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The WebToolbar sets the IE security-zone option that maps all sites that bypass the proxy server to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The WebToolbar sets the IE security-zone option that maps all local (intranet) sites not listed in another zone, i.e. plain host names without dots, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that these three ZoneMap values and "ProxyEnable" = "0" are Internet Explorer's defaults and are written when WinINet is first initialised on a clean system, so on their own they are weak evidence of tampering; the deletion of the proxy values listed next is the more meaningful change to verify on an affected machine.
The WebToolbar deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
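As an added example (not part of the Lavasoft report), the following Python detector turns file and registry activity of the kind listed above into triage findings: the InstallCore staging directory under Temp (ish<digits>), the <digits>.cfg files under is<digits>, the is<digits>.log file in Program Files, the ICReinstall_ copy of the installer, the "Continue ... Installation" desktop shortcut, the ZoneMap and proxy changes, and the removal of proxy values. It runs over a constructed excerpt of this report embedded in the script; the indicator names and the parsing of the report's section headings are my own, not Lavasoft's.

```python
import re

# Constructed excerpt of the report's file and registry activity (trimmed from the
# listing above; not a live capture), used as input for the detector below.
REPORT_EXCERPT = r"""
The WebToolbar creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\bootstrap_16799.html (156 bytes)
%Program Files%\is521343.log (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\1535764653.cfg (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (1866 bytes)
%Documents and Settings%\%current user%\Desktop\Continue FoxTab FLV Player Installation.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4DD.log (8 bytes)
The WebToolbar creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The WebToolbar deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"""

# File-path indicators: (tag, regex applied to the path with the "(N bytes)" suffix removed).
FILE_RULES = [
    ("installcore_stage_dir", re.compile(r"\\Temp\\ish\d+\\", re.I)),
    ("installcore_cfg", re.compile(r"\\Temp\\is\d+\\\d+\.cfg$", re.I)),
    ("installcore_progfiles_log", re.compile(r"^%Program Files%\\is\d+\.log$", re.I)),
    ("icreinstall_copy", re.compile(r"\\Temp\\ICReinstall_[^\\]+\.exe$", re.I)),
    ("resume_install_lnk", re.compile(r"\\Desktop\\Continue .+ Installation\.lnk$", re.I)),
]
ZONEMAP_FLAGS = {"UNCAsIntranet", "ProxyBypass", "IntranetName"}
PROXY_VALUES = {"AutoConfigURL", "ProxyServer", "ProxyOverride"}

FILE_LINE = re.compile(r"^(?P<path>.+?)(?: \((?P<size>\d+) bytes\))?$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_SET = re.compile(r'^"(?P<name>[^"]+)" = "(?P<data>.*)"$')
REG_DEL = re.compile(r'^"(?P<name>[^"]+)"$')


def scan_report(text: str) -> list:
    """Walk the report line by line and return (tag, evidence) findings."""
    findings = []
    mode = None   # "files", "regset" or "regdel", taken from the section headings
    key = None    # registry key most recently opened with [ ... ]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("following file(s):"):
            mode = "files"
            continue
        if "sets the following values" in line:
            mode = "regset"
            continue
        if "deletes the following value(s)" in line:
            mode = "regdel"
            continue
        if mode == "files":
            path = FILE_LINE.match(line).group("path")
            for tag, rx in FILE_RULES:
                if rx.search(path):
                    findings.append((tag, path))
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        if mode == "regset" and key:
            m = REG_SET.match(line)
            if not m:
                continue
            name, data = m.group("name"), m.group("data")
            if key.endswith(r"\Internet Settings\ZoneMap") and name in ZONEMAP_FLAGS and data == "1":
                findings.append(("ie_zonemap_intranet_widened", f"{name}={data}"))
            elif key.endswith(r"\Internet Settings") and name == "ProxyEnable" and data == "0":
                findings.append(("ie_proxy_disabled", f"{key}\\{name}={data}"))
        elif mode == "regdel" and key:
            m = REG_DEL.match(line)
            if m and key.endswith(r"\Internet Settings") and m.group("name") in PROXY_VALUES:
                findings.append(("ie_proxy_config_removed", m.group("name")))
    return findings


def summarize(findings: list) -> dict:
    """Collapse findings into tag -> count, the shape a triage note or SIEM field wants."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, evidence in scan_report(REPORT_EXCERPT):
        print(f"{tag:30} {evidence}")
    print(summarize(scan_report(REPORT_EXCERPT)))
```

The ZoneMap flags and ProxyEnable are kept as separate, low-weight tags because they are IE defaults that any first use of WinINet writes; the InstallCore file layout (ish<digits> staging directory, is<digits>.log, ICReinstall_ copy) together with the deletion of the proxy values is the combination worth alerting on.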
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 593920 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 598016 | 552960 | 552448 | 5.49822 | 07173f95418790daba109026541d494e |
| .rsrc | 1150976 | 28672 | 27136 | 3.01661 | 7efc5763e11e009f576debc7958ea0c4 |
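As an added example (not part of the Lavasoft report), the following Python script parses a PE section table with the standard library only, computes per-section entropy and flags the packer indicators visible in the table above: the UPX0/UPX1 section names and a first section with a large virtual size but zero raw size, which is the region UPX unpacks into. It also counts the InstallCore scripting-API names (irso*) and the license banner that appear in the strings dump further down the page. The sample bytes are a constructed stand-in built inside the script with the same section names, virtual addresses and virtual sizes as the real file; their contents are synthetic, and the heuristics and thresholds are my own.

```python
import math
import random
import re
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return one dict per IMAGE_SECTION_HEADER: name, va, vsize, rawsize, entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                           # first section header
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(data), 3)})
    return sections


def packer_indicators(sections: list) -> list:
    """Heuristics matching this sample's section table (my thresholds, see note below)."""
    flags = []
    if {"UPX0", "UPX1"} <= {s["name"] for s in sections}:
        flags.append("UPX section names present")
    for s in sections:
        if s["vsize"] and s["rawsize"] == 0:
            flags.append(f"{s['name']}: {s['vsize']} bytes virtual, no raw data (unpack target)")
        if s["entropy"] >= 7.0:
            flags.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    return flags


INSTALLCORE_API = re.compile(rb"irso[A-Za-z]{4,}")   # scripting-API names from the strings dump


def installcore_strings(pe: bytes) -> dict:
    """Count distinct irso* API names and look for the InstallCore license banner."""
    return {"irso_api_names": len(set(INSTALLCORE_API.findall(pe))),
            "license_banner": b"InstallCore.com" in pe}


def build_fake_pe(specs: list) -> bytes:
    """Assemble a parseable (not runnable) PE32 from (name, virtual_size, raw_bytes) specs."""
    OPT = 224                                              # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, OPT, 0x0102)
    opt = bytearray(OPT)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    data_off = 64 + 4 + 20 + OPT + 40 * len(specs)
    table, blobs, va = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in specs:
        rawptr = data_off + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), rawptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        va += (vsize + 0xFFF) & ~0xFFF                     # next section, page aligned
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(blobs)


# Constructed stand-in for the sample: the report's section names and virtual sizes,
# seeded pseudo-random bytes for the packed section, a few strings from the page's
# strings dump for .rsrc. The resulting VAs (0x1000, 0x92000, 0x119000) match the table.
_rng = random.Random(743)
_packed = bytes(_rng.getrandbits(8) for _ in range(4096))
_rsrc = (b"Installation Platform Powered by InstallCore.com\0irsoHttpGetData\0"
         b"irsoSetFireFoxHomePage\0irsoInstallChromeAddon\0irsoExecuteAsNoneAdmin\0")
SAMPLE_PE = build_fake_pe([(b"UPX0", 593920, b""), (b"UPX1", 552960, _packed),
                           (b".rsrc", 28672, _rsrc)])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for s in secs:
        print(s)
    print(packer_indicators(secs))
    print(installcore_strings(SAMPLE_PE))
```

The zero-raw-size check is the indicator to rely on for this file: the report lists UPX1 at an entropy of 5.5, below the 7.0 threshold used here and lower than a bits-per-byte computation of UPX-compressed data usually gives, so entropy cut-offs do not transfer between tools without checking how each one computes them.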
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 126
d1a1098806ebda8842542840a5ca7635
b506872033c6eb3008fc9fea46721d4c
66cbd76685dc24cabce3551483476d70
f3b877b25d5ff7c44c09aaea9743688f
c0a26cb2bb164460d31db6108e361b06
729cb64428b536ac5a808a559615b2f6
5ff58525ced8b5c0cf815714158f6b00
d32a8f9f804e74e6faadd7447b66c4fa
2ef9bfcd4cb719aa4eeb40b2fcc2876e
5e2da5b612d8fbbda016aee30d828f86
f69a8829bb04e06cce036415ccf53f11
001b9fdce64654c299db59d7c99dd4f0
8ca57c348d4915ff177917f89d53e0a7
dfe97081567186b7544192b8b6d668e5
b921a409235dc07abcf6525bd2e9af4d
a8bf7a47a32cb9b011a83128d257a386
807ca2b37339dcbbf11a57cc83522662
430d5db48d784f119295b8a70a6471ed
91171dbcb85fac5824afdc4e28e2f11f
4c8da2ee74108896200648b898462270
efbcb081a163d8f972233322c93722ae
bbe0b1cd9250fc53b29c84db6c6293d9
06521c2b487e05f96ba9560b33a5b22f
e43871c58ed0568c1975a9da40e7cd03
48f276810e94cc87ff8cea2034d7c4a3
URLs
| URL | IP |
|---|---|
| hxxp://os.webfilescdn.com/fx/v1.0.1/?v=2.0&c=169150448 | |
| hxxp://cdneu.webfilescdn.com/Prod/FLVPlayer-v2.cis | |
| hxxp://cdnus.webfilescdn.com/Prod/FLVPlayer-v2.cis | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Cnet App Download and Checkin
Traffic
The WebToolbar connects to the servers at the following location(s):
.rsrc:
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
UrlMon
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeys
AutoHotkeysL D
Uh.aD
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState0"D
OnKeyDown
OnKeyPressh
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
2301654879
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
TScanAllWindowsCallBackData
i\*.*2XE
i.dwcnhE
nmhpjhc03.fcclJL
i.ulzn1E
1.2.3
THttpCallBackShell
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
hXXps://
hXXp://
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code
sqlite3.dll
ESqliteException
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
Could not prepare SQL statement
SQLite is Busy
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
cookies.sqlite
^FOFNW S,),-EQL@ S,nfyb S,TEFQF,-hfz0 T,Gfkbvoy S,Pflq`k,-Sql-0,jgf-4 S,JG*3=
^OIZM] UW,/J`ii-0,i-0,(]`nzmm/X-1,jyaj`-2,(GA( T ..pc
Opera
Software\Opera Software
Home URL
Amazon.com
eBay.com
Merriam-Webster
Opera Preferences version 2.0
; Do not edit this file while Opera is running
Suggest URL
Key=c
Suggest URL=
FaviconURL
]DKizHi-4,exc-1,Hc`hk-3.GI
005345000000
000000000000
000000000010
000000000030
cabinet.dll
Installation Platform Powered by InstallCore.com - Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011 3
Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
TUninstallExecuter
TUninstallExecuter can be created only once.
_EXEXE_
GENERIC_WINDOWS
NO_JAR_SUPPORT
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizablet
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight\
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown<iI
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. %s (%s).
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyPress
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
MAPI32.DLL
LeftPopup
.html
THtmlUIExeShell
2.1.0.0
This exe was created with older version of HtmlAppMaker.
irsoMsgDialog
irsoGetCurExePath
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoExecuteAsNoneAdmin
irsoExecuteWithOutput
irsoExecuteInThread
irsoExecuteInThreadWithOutput
irsoIsMutexExists
irsoSetSQLiteDll
irsoGetSQLiteDll
H-4,njBdi-2,o-4,r.vY
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
irsoExecutePackage
irsoExecutePackageAsAdmin
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoGetPackageFilenameFromHttp
isrGetPackageExecExitCode
irsoSetPackageRelProgressShare
irsoIsFireFoxInstalled
irsoIsChromeInstalled
irsoIsOperaInstalled
irsoGetFireFoxHomePage
irsoGetChromeHomePage
irsoGetOperaHomePage
irsoSetFireFoxHomePage
irsoSetChromeHomePage
irsoSetOperaHomePage
irsoGetFireFoxDefaultSP
irsoGetChromeDefaultSP
irsoGetOperaDefaultSP
irsoAddFireFoxDefaultSPFromXML
irsoAddFireFoxDefaultSP
irsoSetFireFoxAddressBar
irsoAddOperaDefaultSP
irsoAddChromeDefaultSP
irsoAddChromeDefaultSPEx
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoGetFireFoxCookie
irsoIsFireFoxExtensionInstalled
irsoInstallFireFoxAddon
irsoInstallChromeAddon
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoGetEXEStamp
irsoReportStart
Professional Installation Platform by InstallCore.com
- Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WaitNamedPipeA
PeekNamedPipe
GetWindowsDirectoryA
GetCPInfo
DisconnectNamedPipe
CreatePipe
CreateNamedPipeA
ConnectNamedPipe
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
shell32.dll
wininet.dll
FindFirstUrlCacheEntryA
comdlg32.dll
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
/UnExeFile:
UnExeFile
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
1.2.1
inflate 1.2.1 Copyright 1995-2003 Mark Adler
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
w?0\jy<J{.kiKWindows
{!n%U>.us=
(@%xw
^1<U%u
[[.mm
Fn%C_0W
)-n}I
}m%D'
.jhuvU
3%X%
.RXeI
.tWxL
.LH;h
.Qb-t
.YE/`uC
[.mMH8?
_Z.xjn
SetViewportExtEx
SetKeyboardState
.idata
.rdata
P.reloc
P.rsrc
nKey
T.nsl
@@@%@@@'@@@)@@@)@@@'@@@%@@@
@@@{@@@5@@@@@@}@@@5@@@
@@@^@@@(@@@
@@@_@@@3@@@!@@@
@@@#@@@#@@@!@@@
@@@[@@@!@@@
@@@_@@@%@@@
@@@]@@@#@@@
@@@|@@@3@@@
@@@\@@@,@@@
<assemblyIdentity version="0.0.0.0" processorArchitecture="X86" name="Setup.exe" type="win32"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- 7 --><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Vista -->KERNEL32.DLL
winspool.drv
Opera\
\operaprefs.ini
\profile\operaprefs.ini
\profile\opera6.ini
\opera6.ini
locale\en\en.lng
\profile\search.ini
\search.ini
search.ini
\defaults\search.ini
Uninstall\Uninstall.exe
Uninstall\uninst.dat
errorUrl
.Uninstall\
/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Cannot create file %s
Cannot open file %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid variant operation"Variant method calls not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid GUID value
I/O error %d
%original file name%.exe_276_rwx_00401000_00117000:
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
UrlMon
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeys
AutoHotkeysL D
Uh.aD
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState0"D
OnKeyDown
OnKeyPressh
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
2301654879
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
TScanAllWindowsCallBackData
i\*.*2XE
i.dwcnhE
nmhpjhc03.fcclJL
i.ulzn1E
1.2.3
THttpCallBackShell
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
hXXps://
hXXp://
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code
sqlite3.dll
ESqliteException
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
Could not prepare SQL statement
SQLite is Busy
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
cookies.sqlite
^FOFNW S,),-EQL@ S,nfyb S,TEFQF,-hfz0 T,Gfkbvoy S,Pflq`k,-Sql-0,jgf-4 S,JG*3=
^OIZM] UW,/J`ii-0,i-0,(]`nzmm/X-1,jyaj`-2,(GA( T ..pc
Opera
Software\Opera Software
Home URL
Amazon.com
eBay.com
Merriam-Webster
Opera Preferences version 2.0
; Do not edit this file while Opera is running
Suggest URL
Key=c
Suggest URL=
FaviconURL
]DKizHi-4,exc-1,Hc`hk-3.GI
005345000000
000000000000
000000000010
000000000030
cabinet.dll
Installation Platform Powered by InstallCore.com - Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011 3
Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
TUninstallExecuter
TUninstallExecuter can be created only once.
_EXEXE_
GENERIC_WINDOWS
NO_JAR_SUPPORT
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizablet
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight\
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown<iI
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. %s (%s).
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyPress
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
MAPI32.DLL
LeftPopup
.html
THtmlUIExeShell
2.1.0.0
This exe was created with older version of HtmlAppMaker.
irsoMsgDialog
irsoGetCurExePath
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoExecuteAsNoneAdmin
irsoExecuteWithOutput
irsoExecuteInThread
irsoExecuteInThreadWithOutput
irsoIsMutexExists
irsoSetSQLiteDll
irsoGetSQLiteDll
H-4,njBdi-2,o-4,r.vY
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
irsoExecutePackage
irsoExecutePackageAsAdmin
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoGetPackageFilenameFromHttp
isrGetPackageExecExitCode
irsoSetPackageRelProgressShare
irsoIsFireFoxInstalled
irsoIsChromeInstalled
irsoIsOperaInstalled
irsoGetFireFoxHomePage
irsoGetChromeHomePage
irsoGetOperaHomePage
irsoSetFireFoxHomePage
irsoSetChromeHomePage
irsoSetOperaHomePage
irsoGetFireFoxDefaultSP
irsoGetChromeDefaultSP
irsoGetOperaDefaultSP
irsoAddFireFoxDefaultSPFromXML
irsoAddFireFoxDefaultSP
irsoSetFireFoxAddressBar
irsoAddOperaDefaultSP
irsoAddChromeDefaultSP
irsoAddChromeDefaultSPEx
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoGetFireFoxCookie
irsoIsFireFoxExtensionInstalled
irsoInstallFireFoxAddon
irsoInstallChromeAddon
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoGetEXEStamp
irsoReportStart
Professional Installation Platform by InstallCore.com
- Installer Development Tool - CUSTOMER LICENSE DESC:FoxTab.com, Exp.05-Jan-2011
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WaitNamedPipeA
PeekNamedPipe
GetWindowsDirectoryA
GetCPInfo
DisconnectNamedPipe
CreatePipe
CreateNamedPipeA
ConnectNamedPipe
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
shell32.dll
wininet.dll
FindFirstUrlCacheEntryA
comdlg32.dll
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
/UnExeFile:
UnExeFile
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
1.2.1
inflate 1.2.1 Copyright 1995-2003 Mark Adler
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
w?0\jy<J{.kiKWindows
{!n%U>.us=
(@%xw
^1<U%u
[[.mm
Fn%C_0W
)-n}I
}m%D'
.jhuvU
3%X%
.RXeI
.tWxL
.LH;h
.Qb-t
.YE/`uC
[.mMH8?
_Z.xjn
SetViewportExtEx
SetKeyboardState
.idata
.rdata
P.reloc
P.rsrc
Opera\
\operaprefs.ini
\profile\operaprefs.ini
\profile\opera6.ini
\opera6.ini
locale\en\en.lng
\profile\search.ini
\search.ini
search.ini
\defaults\search.ini
Uninstall\Uninstall.exe
Uninstall\uninst.dat
errorUrl
.Uninstall\
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original WebToolbar file.
- Delete or disinfect the following files created/modified by the WebToolbar:
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\offer_html.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\icon.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\license.txt (18 bytes)
%Program Files%\is521343.log (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\loader.gif (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\progress-bg.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\US\offer_code.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\offer_code.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4DD.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\skip-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\close_button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\blank.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\finish_button.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\finish-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\images\progress-bg.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\1535764653.cfg (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\locale\EN.locale (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\Bg.jpg (14 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\bootstrap_16799.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007ECFD.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\next-button-over.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\next-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\back-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (1866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\buttons.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F5D7.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\1395250404.cfg (220 bytes)
%Documents and Settings%\%current user%\Desktop\Continue FoxTab FLV Player Installation.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\browse.css (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\defaultOffer\US\offer_html.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\images\Software.png (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\sdk-ui\progress-bar.css (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish519437\css\main.css (3 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.