[Help] A trojan is not being detected; I found it with Stethoscope, but it can't be removed

There is a trojan that doesn't get detected. I found it with Stethoscope, but I can't kill it.

File: juk.exe
Probability: 93%
Path: windows/system32/juk.exe



What should I do? Rising has already been updated to the latest version.
Last edited 2005-09-06 19:14:45

Does nobody know what to do?

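I suggest you download HijackThis 1.99.1, run a scan, and post the log here.
For the HijackThis download link, see:
[Must read] Board guidelines and downloads of commonly used small tools
http://forum.ikaka.com/topic.asp?board=67&artid=5188931

For how to use HijackThis, see the Rising HijackThis special topic:
http://it.rising.com.cn/newSite/Channels/anti_virus/Antivirus_Faq/TopicExplorerPagePackage/hijackthis.htm

Or see the illustrated guide: the illustrations in posts 14 and 15 of "Basic operating instructions for this board", http://forum.ikaka.com/topic.asp?board=67&artid=6789825
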
文件关联项
HKEY_CLASSES_ROOT .vbs ----> 超级解霸3000


自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Windows ASN Service = juk.exe
IST Service = C:\Program Files\ISTsvc\istsvc.exe
vRjESWFH = C:\WINDOWS\qlhoujog.exe
SurfAccuracy = C:\Program Files\SurfAccuracy\SAcc.exe
BullsEye Network = C:\Program Files\BullsEye Network\bin\bargains.exe
85s18skt = C:\WINDOWS\System32\85s18skt.exe

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\RunServices
Windows ASN Service = juk.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll =

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\System32\webcheck.dll
SysTray = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\System32\browseui.dll= Browseui 预加载程序
%SystemRoot%\System32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe
SYSTEM.INI BOOT SCRNSAVE.EXE C:\WINDOWS\System32\logon.scr


其他相关项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> yao
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> yao
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,


Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


诊断信息


1 juk.exe 93% mIRCBot C:\WINDOWS\System32\juk.exe
2 85s18skt.exe 34% 未知木马 C:\WINDOWS\System32\85s18skt.exe

进程列表

[System Process]
System
C:\WINDOWS\System32\juk.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\TEMP\sais.exe (Made by 180solutions, Inc.)
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\TEMP\sahagent.exe
C:\WINDOWS\System32\85s18skt.exe
C:\WINDOWS\System32\exdl1.exe (Made by eXact Advertising)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rising\Rfw\rfwmain.exe
c:\program files\rising\rfw\rfwsrv.exe
D:\RAVDETECT.EXE

进程详细信息


C:\WINDOWS\System32\exdl1.exe

C:\WINDOWS\System32\exdl1.exe (made by eXact Advertising)



C:\WINDOWS\System32\q00kembj.dll



C:\WINDOWS\System32\85s18skt.exe

C:\WINDOWS\System32\85s18skt.exe



C:\WINDOWS\TEMP\sahagent.exe

C:\WINDOWS\TEMP\sahagent.exe



C:\Program Files\BullsEye Network\bin\bargains.exe

C:\Program Files\BullsEye Network\bin\bargains.exe
