ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 3 December 2011, 12:07:39
Processing time: 9 min 58 sec
Submitted sample:

File MD5: 0xBDE1312B225AD987B57B1DBEF0885817
File SHA-1: 0x8A16BC9B6D9805C97F3733D1B3B2E17172A8DF1D
Filesize: 3,159,896 bytes

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonPrograms%\DealRunner\DealRunner.lnk	718 bytes	MD5: 0xCCD30B29FC4E6B3E0B157BDFC9742A33 SHA-1: 0xF4626EEE5FD865144DF5DE30EEB702F946DD1C22
2	%CommonPrograms%\DealRunner\Uninstall DealRunner.lnk	708 bytes	MD5: 0xCDCA8A7F39EA8EFCD3FE700EAC10D1B4 SHA-1: 0x64BF9B07091A7C56154399C3737CC6BA7BCE3112
3	%AppData%\FCSB000063941\Toolbar\patch.bat %ProgramFiles%\Shop to Win 20\patch.bat	713 bytes	MD5: 0x06AA181584EAD4FAEFE0BE36C81FAB5D SHA-1: 0x3E1888641489021ED2CAB67F535DAF95B8F265E5
4	%AppData%\FCSB000063941\Toolbar\settings.xml %ProgramFiles%\Shop to Win 20\settings.xml	2,003 bytes	MD5: 0x5C89781D5C6579E96FE1E1F461C5048C SHA-1: 0x5C6A4ECBE1E58BF0CE36E3A418A5DE5C84C90A31
5	%AppData%\FCSB000063941\Toolbar\Shop to Win 20.dll %ProgramFiles%\Shop to Win 20\Shop to Win 20.dll	14,432 bytes	MD5: 0xF5697AFE07B8FC950BB3E31272B7B843 SHA-1: 0x54B1A9DBB4D85F57AB09F90981405E78BF3433BC
6	%AppData%\FCSB000063941\Toolbar\ShoppingBHO.dll %ProgramFiles%\Shop to Win 20\ShoppingBHO.dll	687,104 bytes	MD5: 0xDC98B8B4397CE0223AEEE4730C749885 SHA-1: 0xB84376E75551AF00FD79807D0FE261D7424C2970
7	%AppData%\FCSB000063941\Toolbar\ShopToWin.ico %ProgramFiles%\Shop to Win 20\ShopToWin.ico	6,862 bytes	MD5: 0xF76B634CAA9AE7166596998901CD8776 SHA-1: 0x31603543F1877EB7C390F19CDDBC92520418959F
8	%AppData%\FCSB000063941\Toolbar\Uninst.exe %ProgramFiles%\Shop to Win 20\Uninst.exe	59,118 bytes	MD5: 0x523CE213A42E09C6E6C0868FBDD1B08B SHA-1: 0xE7570EB5CF245BB6AB8369D5E547894CAA58849A
9	%AppData%\FCSB000063941\Toolbar\version.txt %ProgramFiles%\Shop to Win 20\version.txt	51 bytes	MD5: 0xE3E988B96019EAB26584B5B50E072C08 SHA-1: 0xAD82B5435ED3E396AC43D5F416A3FFEDDA30E1D6
10	%Temp%\Low\FCSB000063941\cache-%UserName%\03dc1e50b634438b2b3439535f16e4ef	331 bytes	MD5: 0x0A0B44BBB9B4EC6D3E57AB84EFC53202 SHA-1: 0x1B4FB1D173717C4047588C8D1C359DE3DD90FF62
11	%Temp%\Low\FCSB000063941\cache-%UserName%\04938c177ebb9cb453d87b2b2e61f6f5	394 bytes	MD5: 0x986AF834991A55A7BC40169F2B96DEE8 SHA-1: 0xC1581DEEAE73483A245AB8A48B2E720EAAEE805A
12	%Temp%\Low\FCSB000063941\cache-%UserName%\20133249a4819b59eedc890d3ecbea3b	1,760 bytes	MD5: 0xE4372927078148E289FED5D054D545C1 SHA-1: 0x726959A1997C1445E7EC979123CEF20711F6CF30
13	%Temp%\Low\FCSB000063941\cache-%UserName%\355c13830b2b10319e09666596b903c3	764 bytes	MD5: 0x46EB141709DF6F17F7126AE5E9239876 SHA-1: 0x0B61713F97E3514BF82C1B21261CC51A7FF1386B
14	%Temp%\Low\FCSB000063941\cache-%UserName%\3e600960289c2f26a133d4a880895d7b	1,255,448 bytes	MD5: 0x21733B2A4AEB790EFD11B3E80441FC8E SHA-1: 0xFC9D0AE6CB86610E2028B29A1BE71472C5B700FA
15	%Temp%\Low\FCSB000063941\cache-%UserName%\4975fea9f6ac679b3b23754cd30d3159	4,159 bytes	MD5: 0x6E184DFC8465D984F664FE76CC2F2091 SHA-1: 0x6A5B0D451C4C4C6B45AD9B976C536D7AB530CB2F
16	%Temp%\Low\FCSB000063941\cache-%UserName%\4c535d174e60724e5459e1c8694467bc	10,580 bytes	MD5: 0x7822936BDDF87A6632DDCAED7F2B2558 SHA-1: 0xD261BA2B676E0C67C662D16D6F1315FCEBC341D5
17	%Temp%\Low\FCSB000063941\cache-%UserName%\56104db0c4deb1778d8ab81fa5c0ca93	32,898 bytes	MD5: 0x528F8C30ED9E61823BDFF26570371289 SHA-1: 0x2A866FFE6C4479E2B92875A9FA697B7A644B16E9
18	%Temp%\Low\FCSB000063941\cache-%UserName%\8546b02629f6906abe4dab3c43626548	332 bytes	MD5: 0x6A46FD4C088122BDFC21FD19CF26A222 SHA-1: 0x4B30DEF75C04E03F6AFCE018E5A1015A63F2EA5E
19	%Temp%\Low\FCSB000063941\cache-%UserName%\9d3c1dea253fc011ee75ec848618774f	1,189,626 bytes	MD5: 0xD3F77865F681EF1FB717AE155CE0880B SHA-1: 0xF62616583B4BF277F72EB4A214CE9991C827857F
20	%Temp%\Low\FCSB000063941\cache-%UserName%\c3a43239291502e5ee7043e339659ba5	359 bytes	MD5: 0x2A6E8409E5BC839D37AEAD9FBFAAF3C3 SHA-1: 0xA30C45D7BC2559C7DEB8F4677BD06049329D7E8C
21	%Temp%\Low\FCSB000063941\cache-%UserName%\cc94cdb252e9dd2338a096e332f4635b	1,587 bytes	MD5: 0x889178263BE6415D4E91AB2081FDF2D7 SHA-1: 0xE760633949FA36670A1848FCB9FF9F77F5950F7F
22	%Temp%\Low\FCSB000063941\cache-%UserName%\eac5556352c27a7245384e50c443f51e	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
23	%Temp%\Low\FCSB000063941\cache-%UserName%\ff9ebdf6892aaa556bf888ecc6a15bfa	23 bytes	MD5: 0x3AE2235DB0AF74416C089AD222156AEB SHA-1: 0x7FB4044E70BD2B5B3BD0848712F504E2159B6683
24	%Temp%\Low\FCSB000063941\cache-%UserName%\new_aff.xml	5,575 bytes	MD5: 0x35322FEE0CDDC67A128A7902541FB3A8 SHA-1: 0x1AC4476CB67D80FFAC64E9173FCD6007A33F903C
25	%Temp%\Low\FCSB000063941\cache-%UserName%\version.xml	6 bytes	MD5: 0xD23E5D85F3A841BCBFE87636B62DCDBD SHA-1: 0x45644C87564578C9E58DAAE16A5560A498508C62
26	%Temp%\nsa2.tmp\InetLoad.dll	18,944 bytes	MD5: 0x588D2A4E27DEE47F1D7A9C10E67CA948 SHA-1: 0x019AAD53A317892C3875761A5F6F2FB470376B7B
27	%Temp%\nsa2.tmp\textreplace.dll	5,120 bytes	MD5: 0x72D1177BAD86F4DF8EAEE2A8AFE50E6F SHA-1: 0xC36019DFA2FF5C90C9DA31C89DFCDA08F93DF68D
28	%Programs%\Shop to Win 20\Check out Previous Winners.lnk	1,136 bytes	MD5: 0x06D12DFED2882BB07E96932A3CBFCAB0 SHA-1: 0xFB8E817AD864DE92FE4960E4E952A2395E740AAE
29	%Programs%\Shop to Win 20\Frequently Asked Questions.lnk	1,130 bytes	MD5: 0x38C1AB9CEA1BFD85DB4EAAA07F410500 SHA-1: 0x5840F58F23DE5F043AC2197125905AE17DD5F190
30	%Programs%\Shop to Win 20\How can I win $100,000.lnk	1,130 bytes	MD5: 0x6A17E823525E879F6D0E84514611AAEC SHA-1: 0x8617A6779675E68005FE9BA9E1B47D6E12EEB157
31	%Programs%\Shop to Win 20\How can I win $500 Today.lnk	1,110 bytes	MD5: 0xDA0A5DE1D1F021660B62BF86D3FEBC5D SHA-1: 0x1035AFA8E3167E1F6CB6582602F4B20F1F451943
32	%Programs%\Shop to Win 20\Shop To Win Privacy Policy.lnk	1,146 bytes	MD5: 0x5D2D7DA1F2EF861BEABC3A7AEB42A4EE SHA-1: 0xAAB539E029B2B5F806203DA88B7E5C3CA8674A6B
33	%Programs%\Shop to Win 20\Shop to Win Terms and Conditions.lnk	1,138 bytes	MD5: 0xD2614332A7D890A158DBF85BC3ECDD3E SHA-1: 0xADF7A08458E31C474145727ED603E7604BCB61FA
34	%Programs%\Shop to Win 20\Sweepstakes Official Rules.lnk	1,142 bytes	MD5: 0x45D65CA83A31880AAA8214704D2DB43A SHA-1: 0x1027BD4D619A6E4FC6049B495B0C7B3DAC84F4AE
35	%Programs%\Shop to Win 20\Uninstall.lnk	735 bytes	MD5: 0xD5DEC25B0FDFC4834C21F45D9E317D84 SHA-1: 0x961EE9BF2ABB5E48BA637C448006022746E0EEDE
36	%Programs%\Shop to Win 20\View My Shop to Win Account.lnk	1,130 bytes	MD5: 0x139712672853549738D44FFA7BEB3938 SHA-1: 0x5AC7A616EC5420287A3656DEEA6952D223EB59B1
37	%Programs%\Shop to Win 20\Visit the Shop to Win Mall.lnk	1,138 bytes	MD5: 0xA73055ED9EDB0A4B7A332048178A8D7D SHA-1: 0xF57825C27F0A4444B52CB57656A05AD47111BA5A
38	%ProgramFiles%\DealRunner\DealRunner.exe	790,624 bytes	MD5: 0x4FD9B0B6D5A19A8D7209B1E06CB00AC9 SHA-1: 0xAD05F2DD8D540AB627281DC1E727C1461C668BC8
39	%ProgramFiles%\DealRunner\gdiplus.dll	1,712,128 bytes	MD5: 0x78BDC89C5D9E206209BEC5A5A73F91F7 SHA-1: 0x5F6EB616B854CC698451F96BBE9CF5049F25245E
40	%ProgramFiles%\DealRunner\unins000.dat	4,989 bytes	MD5: 0x396D7DCD141F04A2E4104EC790D84C27 SHA-1: 0xAF02218D198101B378131055C3E752D4C43ED796
41	%ProgramFiles%\DealRunner\unins000.exe	1,174,083 bytes	MD5: 0x2080125D72314E22F1F2144B1FFF8C6F SHA-1: 0x8D3AE65537AE9744E80AF7AFA15433A562EE05E3
42	%ProgramFiles%\Shop To Win\InstallNotifier.exe	363,008 bytes	MD5: 0xF68FCF3FC45AE9FB85A13580F71A18E2 SHA-1: 0xBEBEC531205977003F02BAB26577DC557D2FBB72
43	%ProgramFiles%\Shop To Win\ShopToWin.exe	2,177,536 bytes	MD5: 0x45EC457957DB0425472853D7AE3532F4 SHA-1: 0x7BCB52C73ED49EB391FEAC3E308F8712498C1A44
44	%ProgramFiles%\Shop To Win\TestFeeds\DisableStatus.xml	1,204 bytes	MD5: 0x0D9F90AE394142BD2E228D587DF978A4 SHA-1: 0xF5449C1044D20F77005D6AD0AC0B1FCC0FB1C9BC
45	%ProgramFiles%\Shop To Win\TestFeeds\DisableStatusDirection.xml	1,119 bytes	MD5: 0xA7E0671BBDE9F2D8CD9198A7F5895DF9 SHA-1: 0x08D92EA808D24474F2F008DA9EBA3358E0EF5764
46	%ProgramFiles%\Shop To Win\TestFeeds\GenericPopup.xml	1,182 bytes	MD5: 0x8C2CBF339D08C99B1D4F0D36AB3CCD5C SHA-1: 0x0623A8E2BC64ABD08F3C78B7F7592FD36143A56E
47	%ProgramFiles%\Shop To Win\TestFeeds\MainStatus.xml	770 bytes	MD5: 0x17E6A2F7588BE887CA982AB666B69FBF SHA-1: 0xADB56121037AC191F8E16767056232754CA9F7B1
48	%ProgramFiles%\Shop To Win\TestFeeds\ShoppingConfirmation.xml	1,483 bytes	MD5: 0xB29969B400CBC78D736B50127A42E865 SHA-1: 0x937C59502D7C5EA443ECC95350C082431BE1CEF2
49	%ProgramFiles%\Shop To Win\unins000.dat	6,559 bytes	MD5: 0x84A2F9D415E11DCDC45D520F074F9262 SHA-1: 0xC6B38ED2E261C98F924AABC4BBECCB74CD39155B
50	%ProgramFiles%\Shop To Win\unins000.exe	1,174,083 bytes	MD5: 0x2E8E461AD8DDCD9FBF2017817B0D90F1 SHA-1: 0x62C4FD12D8380814662B2BEF195E591AB1CEFBC3
51	[file and pathname of the sample #1]	3,159,896 bytes	MD5: 0xBDE1312B225AD987B57B1DBEF0885817 SHA-1: 0x8A16BC9B6D9805C97F3733D1B3B2E17172A8DF1D

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directories were created:

%CommonPrograms%\DealRunner
%AppData%\FCSB000063941
%AppData%\FCSB000063941\Toolbar
%Temp%\FCSB000063941
%Temp%\FCSB000063941\cache-%UserName%
%Temp%\Low
%Temp%\Low\FCSB000063941
%Temp%\Low\FCSB000063941\cache
%Temp%\Low\FCSB000063941\cache-%UserName%
%Temp%\nsa2.tmp
%MyDocuments%\DealRunner
%MyDocuments%\ShopToWin
%Programs%\Shop to Win 20
%ProgramFiles%\DealRunner
%ProgramFiles%\Shop To Win
%ProgramFiles%\Shop To Win\TestFeeds
%ProgramFiles%\Shop to Win 20

Notes:

%MyDocuments% is a variable that refers to the file system directory used to physically store a user's common repository of documents. A typical path is C:\Documents and Settings\[UserName]\My Documents.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1 without extension].tmp	%Temp%\is-E9QVI.tmp\[filename of the sample #1 without extension].tmp	1,269,760 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
ShopToWin.exe	%ProgramFiles%\shop to win\shoptowin.exe	20,480 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ShoppingBHO.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EB583FE1-9458-4EDA-AC68-24D24F17C70F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E44926-2497-46F3-8A25-928136AC079E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6EFDBA50-4ABE-4194-86F7-F3BD0A011F5B}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE502938-5BF1-4CEA-961D-0081B992C878}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F9E44926-2497-46F3-8A25-928136AC079E}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}
HKEY_CURRENT_USER\Software\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0\win32
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\AppDataLow\Software
HKEY_CURRENT_USER\Software\AppDataLow\Software\Freecause
HKEY_CURRENT_USER\Software\AppDataLow\Software\Freecause\Toolbars
HKEY_CURRENT_USER\Software\DealRunner
HKEY_CURRENT_USER\Software\FCSB000063941
HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar
HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar\NetworkAffiliateCookies
HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar\SessionVariables
HKEY_CURRENT_USER\Software\ShopToWin
HKEY_CURRENT_USER\Software\ShopToWin\FF
HKEY_CURRENT_USER\Software\ShopToWin\IE

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ShoppingBHO.DLL]

AppID = "{EB583FE1-9458-4EDA-AC68-24D24F17C70F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EB583FE1-9458-4EDA-AC68-24D24F17C70F}]

(Default) = "ShoppingBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\VersionIndependentProgID]

(Default) = "FCSB000063941.JSOptionsImpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\TypeLib]

(Default) = "{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\ProgID]

(Default) = "FCSB000063941.JSOptionsImpl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}\InprocServer32]

(Default) = "%ProgramFiles%\Shop to Win 20\ShoppingBHO.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}]

(Default) = "JSOptionsImpl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\VersionIndependentProgID]

(Default) = "FCSB000063941.Shopping"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\TypeLib]

(Default) = "{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\ProgID]

(Default) = "FCSB000063941.Shopping.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}\InprocServer32]

(Default) = "%ProgramFiles%\Shop to Win 20\Shop to Win 20.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E44926-2497-46F3-8A25-928136AC079E}]

(Default) = "Shop to Win"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\TypeLib]

(Default) = "{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41D42E90-86D2-4521-9847-625D114F7D30}]

(Default) = "IJSOptionsImpl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\TypeLib]

(Default) = "{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{622382CB-942C-4580-A2B3-7B06A58D8538}]

(Default) = "IFcShoppingBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0\win32]

(Default) = "%ProgramFiles%\Shop to Win 20\ShoppingBHO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Shop to Win 20"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0]

(Default) = "ShoppingBHO 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl\CurVer]

(Default) = "FCSB000063941.JSOptionsImpl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl\CLSID]

(Default) = "{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl]

(Default) = "JSOptionsImpl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl.1\CLSID]

(Default) = "{B1BCB34F-5DC6-43B4-94B5-DFF4F02E2AF7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.JSOptionsImpl.1]

(Default) = "JSOptionsImpl Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping\CurVer]

(Default) = "FCSB000063941.Shopping.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping\CLSID]

(Default) = "{F9E44926-2497-46F3-8A25-928136AC079E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping]

(Default) = "FCSB000063941 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping.1\CLSID]

(Default) = "{F9E44926-2497-46F3-8A25-928136AC079E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FCSB000063941.Shopping.1]

(Default) = "FCSB000063941 Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E44926-2497-46F3-8A25-928136AC079E}]

(Default) = "Freecause Shopping BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6EFDBA50-4ABE-4194-86F7-F3BD0A011F5B}_is1]

Inno Setup: Setup Version = "5.4.0 (u)"
Inno Setup: App Path = "%ProgramFiles%\DealRunner"
InstallLocation = "%ProgramFiles%\DealRunner\"
Inno Setup: Icon Group = "DealRunner"
Inno Setup: User = "%UserName%"
Inno Setup: Language = "english"
DisplayName = "DealRunner 1.27"
UninstallString = ""%ProgramFiles%\DealRunner\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\DealRunner\unins000.exe" /SILENT"
DisplayVersion = "1.26"
Publisher = "Jackpot Rewards"
URLInfoAbout = "http://www.dealrunner.net/"
HelpLink = "http://www.dealrunner.net/"
URLUpdateInfo = "http://www.dealrunner.net/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20111203"
MajorVersion = 0x00000001
MinorVersion = 0x0000001A

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE502938-5BF1-4CEA-961D-0081B992C878}_is1]

Inno Setup: Setup Version = "5.4.0 (u)"
Inno Setup: App Path = "%ProgramFiles%\Shop To Win"
InstallLocation = "%ProgramFiles%\Shop To Win\"
Inno Setup: Icon Group = "Shop To Win"
Inno Setup: User = "%UserName%"
Inno Setup: Language = "english"
DisplayName = "Shop To Win"
UninstallString = ""%ProgramFiles%\Shop To Win\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Shop To Win\unins000.exe" /SILENT"
DisplayVersion = "1.1.0.0"
Publisher = "Shop To Win, LLC"
URLInfoAbout = "http://www.shoptowin.net/"
HelpLink = "http://www.shoptowin.net/"
URLUpdateInfo = "http://www.shoptowin.net/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20111203"
MajorVersion = 0x00000001
MinorVersion = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Shop To Win = "%ProgramFiles%\Shop To Win\ShopToWin.exe"
DealRunner = "%ProgramFiles%\DealRunner\DealRunner.exe"

so that ShopToWin.exe runs every time Windows starts

so that DealRunner.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]

JITDebug = 0x00000000

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{C4E09482-2C6A-44B2-8D40-ABC01B36BB9D}\1.0\0\win32]

(Default) = "%AppData%\FCSB000063941\Toolbar\ShoppingBHO.dll"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Freecause\Toolbars]

ActiveBHO = "63941"
ActiveToolbar = "-1"
UUID = "4f071392-ef8e-485b-879d-87e4f51e0ba7"

[HKEY_CURRENT_USER\Software\DealRunner]

UniqueAppID = "31f7d32f-46bb-45e8-a464-4687a96ba3f3"
EnableSounds = "0"
AutoShowDeals = "1"
PartnerID = "ai20111103"
FirstRunDate = "20111203"

[HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar\SessionVariables]

SessionUser = ""
SessionKey = ""
SessionID = ""
SessionDomain = ""

[HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar\NetworkAffiliateCookies]

linksynergy.com = "
anrdoezrs.net = "

[clickserver.com]

HKEY_CURRENT_USER\Software\FCSB000063941\Toolbar\NetworkAffiliateCookies = cc-dt.com
= "

[jdoqocy.com]

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Netherlands

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
174.143.171.113	80
174.37.58.230	80
207.171.163.195	80
208.86.84.42	80

The data identified by the following URLs was then requested from the remote web server:

http://stejpn.com/ibo/global_ibo_install.php?uuid=4f071392-ef8e-485b-879d-87e4f51e0ba7&toolid=63941
http://xml.freecause.com/?action=bho_newuser&client=IE&m=4f071392-ef8e-485b-879d-87e4f51e0ba7&toolid=63941&v=1%2E031
http://xml.freecause.com/?action=bho_version_xml&toolid=63941
http://s31.freecause.com/frtb_bho_files.cab
http://s3pr.freecause.com/shoptowin20_affiliate.xml
http://s3pr.shoptowin.net/global/js/cuid.js
http://s3pr.shoptowin.net/global/js/em.js
http://s3pr.shoptowin.net/global/js/global_ebo_scripthost.js
http://s3pr.shoptowin.net/global/js/lm.js
http://s3pr.shoptowin.net/global/js/rewards_marker.js
http://s3pr.shoptowin.net/global/js/utils.js
http://s3pr.shoptowin.net/global/js/winner_notification.js
http://s3pr.freecause.com/jackpot-rewardsmarker3_stores.js
http://s3pr.shoptowin.net/global/xml/ibo_jackpotnation_basic_green_button.xml
http://s3pr.shoptowin.net/global/xml/ibo_jackpotnation_basic_grey_button.xml
http://s3pr.shoptowin.net/global/xml/ibo_jackpotnation_basic_red_button.xml
http://s3pr.shoptowin.net/global/xml/ibo_jackpotnation_basic_yellow_button.xml
http://s3snapcms.freecause.com/toolbar-xml/toolbar-mall-1120.xml
http://www.dealrunner.net/img/dod/BG2.png
http://www.dealrunner.net/img/dod/BG3.png
http://www.dealrunner.net/img/dod/BG-PPa.png
http://www.dealrunner.net/img/dod/BG-PP.png
http://install.shoptowin.com/installreport?ptid=STW20&appid=1fd92942-dc33-4827-81aa-dbe51d4e4e22&installer=20&browser=ie
http://xml.shoptowin.net/?uniqueid=1fd92942-dc33-4827-81aa-dbe51d4e4e22&partner=STW20&ver=1.0.32.584&os=5.1.2600(Service%20Pack%202)&net=NA&default=ie&iever=6.0000&iestatus=1&ffver=NA&ffstatus=0&chver=NA&chstatus=0&install=y
http://xml.dealrunner.net/DailyDealXML?ptid=ai20111103&ver=1.27&install
http://xml.dealrunner.net/DailyDealXML?id=31f7d32f-46bb-45e8-a464-4687a96ba3f3&ptid=ai20111103&ver=1.27&first-request
http://www.dealrunner.net/img/dod/BG1a-survey.png
http://www.dealrunner.net/img/dod/BG2a.png
http://www.dealrunner.net/img/dod/BG3a.png
http://www.dealrunner.net/img/dod/BG1-survey.png

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.